Video
2 Factor Authentication, Is It A Must For Office 365?
Published March 4, 2022
About This Video
In this episode I talk about an attack that would have been prevented if users had 2FA enabled on their Office 365 account.
Don't fall victim to these types of attacks when it can easily be avoided.
Episode 36 of Cappuccino Chat from Southwest Networks, Inc. in Palm Desert, California
https://www.southwest-networks.com
https://www.southwest-networks.com/cappchat
Southwest Networks, Inc.
73-700 Dinah Shore Drive, Suite 404
Palm Desert, CA 92211
760-770-5200
#Palm Desert
#IT Support
#SouthwestNetworks
Full Transcript
Auto-generated from the video's captions. Minor transcription errors may exist.
Welcome back to another episode of Cappuccino Chat. This time we're talking about two-factor authentication, and is it a must for Office 365?

All right, so, two-factor authentication. I've talked about this a number of times, and the reason I'm bringing this back up (and I'm going to read this a little bit, just so I get it right when I'm giving you this information) is that there was recently an attack that happened via email, and it would have been 100 percent stopped if people had put two-factor authentication on. But unfortunately a lot of users still will not use two-factor authentication. Either they don't know about it, or that it's easy enough to enable, or they don't want to because they don't want to be constantly entering the PIN code. There are ways around that a little bit, depending upon your subscription level for Office 365, and there are ways to make it a little less annoying so that you're not constantly putting that in. So we work with our clients to go through their needs, and we make it so you do want to enable it. It does need to be enabled, and you don't want to throw your computer out the window every time you open up Outlook. It's not like it's going to prompt you every time you open up Outlook.

But let's get into this. Let me read through this a little bit. So the latest is a multi-phase attack, using a phishing attack to first get access to the user's Office 365 accounts. So they're trying to get in by sending some type of email to get you to click on it, and in this instance they started by stealing the user's credentials by convincing them to sign a DocuSign email. So if you've ever gotten one of those e-signed documents from DocuSign, they send somebody an email looking like that. They get you to give up your credentials, and once you give up your credentials, they've got you, right? So it was an attack reported on bleepingcomputer.com; you can go there to see it. If you're one of my newsletter providers, I have the link, and I'll put the link below in the video as well if you're watching this on YouTube.

So first it steals the user's credentials with the DocuSign email. After that, the article reports that the attack manifested only through accounts that were not two-factor enabled. In other words, they did not enable two-factor authentication, so this attack only worked and was successful on those not enabling two-factor authentication. The attacker also created rules that made it difficult to spot the account takeover, thus eluding IT departments. All right, so once that would happen, they'd download and install Outlook as the user and begin to send emails to other employees in the organization and to external targets like contractors and suppliers. So basically, once they got control of your account, they would just install Outlook on their computer using your account, and they would then start sending to all of your contacts. That's why email is very popular, right? Once they get you to do it, they know that, let's say, you know 10 people, and then those 10 people know at least 10 people, so it just multiplies and goes on. So taking the time to attack and go after one person is a multiplier type of attack. That's why you continue to see it, and we will always see attacks like this in the small business segment, and I'm considering small and medium business anything under 100 for sure. Email is probably 100 percent, but it's at least 98 percent of the ways that attacks happen: a user gets an email, clicks on something, opens something, and then that's it. But it's starting with the email. So if we can stop the email attacks and stop the email from being used against our vendors, our clients, our customers, we're stopping this forward momentum that the attackers have on us, right? So we want to do that, and now is the time.

So how can you protect your company from these types of attacks? Number one, get with your IT department, or whoever's providing your IT stuff, and get two-factor authentication enabled immediately on your email. It comes with every level of Office 365, but your capabilities are different depending upon your subscription level. So I don't want to get too technical and get too into it, but if you have any questions, of course you can always reach out to us. But talk to your IT people, or whoever's taking care of it for you now; if they're not capable of doing that or not able to do it, please feel free to reach out to us and we'll walk you through it.

Train your users. I've spoken on this a number of times as well. Again, users' email is the way to come in, but if a user was trained to spot these fake emails, they would never click on it and it would never get there. We've also got a new product that we're releasing as an add-on to Office 365 right now to help eliminate those fake login and phishing attacks that try to make it look like it's your Office 365, looks like your bank, looks like Azure AD, that kind of stuff, and stop it from ever getting to the inbox, thus taking the need, or another layer, out of that end user possibly clicking something they should know better not to do.

You also want to monitor the dark web for any stolen passwords. So again, as these breaches happen (and these breaches do not mean that your business was breached; it could be, again, that somebody got one of your users to give up their password by a phishing attempt, or somebody else that you do business with was breached, a bigger company: a Staples, a Home Depot, a LinkedIn, a Dropbox), users being users, we reuse passwords, or a slight variation on a password. It doesn't take much for an attacker to guess the variations and guess your password. They use those passwords and then go back into stuff. So if you're not going to enforce one password per application, never reused across the board, you've got to really start training your users and monitor the dark web for those stolen credentials being out there. Because if I told you I had your bank password, after the panic stopped, the first thing you would do would be to log in and change your password. Well, if I had your bank password but I never told you I had your bank password, you would never take any action. So that dark web monitoring really allows you to take that action and know something that you didn't know previously, and it is not expensive at all.

And you want to enforce that good password policy. Again, like I said, the best way of doing it is, you know, one application equals one password; you never reuse, no variations, no nothing. You can use a password manager that will help create very unique, very weird passwords for you. It's a good idea, but be careful with that password manager. There was a breach not too long ago of one of those said password managers, so you want to make sure, again, if you're putting all your eggs in one basket, now if they go offline, what do you do, and are you able to get to your password manager? I've had that happen to me, where their site was down for some reason, so therefore, with me not knowing what my passwords are because they're in the manager, I couldn't get to them because it was cloud-based only, not a local application. So again, things to consider with the password manager. But those are some things to do.

So again, to recap: enable 2FA and enforce it for all users; train your users to spot the fake emails and stuff coming in, and what to do and what not to do; monitor the dark web for any stolen passwords; and then last, have that good password policy. So that's how you can beat these types of attacks. It doesn't cost a lot of money to do this; a lot of it is training and just time to get it done. If you have any questions or concerns about implementing this, please feel free to reach out to us: 760-770-5200.
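The transcript mentions that the attacker, once inside a mailbox, created rules that hid the takeover from IT. The script below is an added example (it is not code from the video or from Southwest Networks) showing how an Exchange Online administrator can sweep every mailbox for the rule patterns that typically accompany an account takeover: auto-forwarding or redirecting to an address outside the tenant, silently deleting mail, or shunting replies into folders nobody reads. The tenant domain `example.com`, the folder-name list and the sample rule objects are assumptions constructed for the example; the cmdlets used for the live run (`Connect-ExchangeOnline`, `Get-Mailbox`, `Get-InboxRule`) come from Microsoft's ExchangeOnlineManagement module.

```powershell
# Added example: flag Exchange Online inbox rules that look like account-takeover persistence.
# The filter logic is a plain function so it can be exercised offline on the constructed
# sample objects below; the commented block at the end runs it against a real tenant.

function Test-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        # One object shaped like Get-InboxRule output (MailboxOwnerId, Name, ForwardTo, ...).
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Rule,
        # Assumption: replace with the accepted domains of your own tenant.
        [string[]] $InternalDomains = @('example.com')
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Get-InboxRule renders recipients as '"Display Name" [SMTP:user@domain]';
        # pull out the SMTP address so its domain can be compared with the tenant's own.
        $targets = @($Rule.ForwardTo) + @($Rule.RedirectTo) + @($Rule.ForwardAsAttachmentTo)
        foreach ($t in $targets) {
            if ([string]::IsNullOrWhiteSpace("$t")) { continue }
            $address = if ("$t" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$t" }
            # Legacy 'EX:/o=...' distinguished names are internal recipients; skip them.
            if ($address -notmatch '@') { continue }
            $domain = ($address -split '@')[-1].ToLowerInvariant()
            if ($InternalDomains -notcontains $domain) {
                $reasons.Add("forwards or redirects to external address $address")
            }
        }

        if ($Rule.DeleteMessage) { $reasons.Add('deletes incoming mail') }

        # Assumption: folders attackers commonly use to park replies so the victim never sees them.
        if ($Rule.MoveToFolder -and "$($Rule.MoveToFolder)" -match 'RSS|Archive|Junk|Deleted|Conversation History|Notes') {
            $reasons.Add("moves mail to rarely viewed folder '$($Rule.MoveToFolder)'")
        }

        # Takeover rules are often named '.', ',' or left blank to avoid attention.
        if ("$($Rule.Name)" -match '^[\s\W]*$') { $reasons.Add('rule name is empty or punctuation only') }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample rules (not real tenant data), shaped like Get-InboxRule output.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'jane@example.com'; Name = 'Vendor invoices'; Enabled = $true
                       ForwardTo = $null; RedirectTo = $null; ForwardAsAttachmentTo = $null
                       DeleteMessage = $false; MoveToFolder = 'Invoices' }
    [pscustomobject]@{ MailboxOwnerId = 'jane@example.com'; Name = '.'; Enabled = $true
                       ForwardTo = @('"Jane" [SMTP:jane.backup@mail-example.net]'); RedirectTo = $null
                       ForwardAsAttachmentTo = $null; DeleteMessage = $true; MoveToFolder = 'RSS Feeds' }
)

# Offline run: only the second rule is reported, with all four reasons listed.
$sampleRules | Test-SuspiciousInboxRule -InternalDomains 'example.com' | Format-Table -AutoSize

# Live run against the tenant (requires the ExchangeOnlineManagement module and an admin sign-in):
# Connect-ExchangeOnline
# Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
#     Test-SuspiciousInboxRule -InternalDomains 'yourdomain.com' |
#     Export-Csv -Path .\suspicious-inbox-rules.csv -NoTypeInformation
```

Run the live version on a schedule and diff the CSV against the previous run; a rule that appears overnight on an account with no MFA is exactly the signal the video describes as having eluded the IT department. Disabling the rule is only the first step, since the credentials that created it are still in the attacker's hands.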