Hi everyone, this is Patrick born, principal consultant from Texas PGB, and I’d like to welcome you to another session of Life in Remote Work, brought to you by Texas PGB and greendata.IO. This will be a recorded webinar available for you to review after the fact, and we like to make you aware of that as we kick things off.
Alright, well, today we’re going to talk about the inherently increased cyber security risk to the enterprise and its data in times like these, where remote work and remote access have become the de facto standard. Many security controls which were normally enforced through internal networks now must be adapted to work via external unmanaged networks and endpoints. We’ve got to take into account that employees are now connecting over the public Internet, and in some less than ideal cases, even from their home computers or personal devices. The difference in the security controls that we’re accustomed to and those that we’re left to deal with today is quite vast. We look forward to an engaging dialogue with somewhat of a workshop mentality, so don’t be shy. We all have interesting experiences to share. We will, throughout the series, talk about good practices, useful technologies and our own experiences in this new world of 100% remote work. Within the Life in Remote Work series, you might wonder why we prioritize cybersecurity as an early session, and that answer lies in the question.
Remote access is used now more than ever before, and that alone increases the attack surface of your business and your people. This situation presents a shift in how and where your security controls are deployed, how they’re implemented, and what you’re trying to protect. The concept of the internal corporate network is by and large gone, and you have to act now. Additionally, in the rush to adopt remote ways of working, we’ve observed many companies that have made rushed tactical decisions without an appreciation for their long-term strategic impact to your organization’s technology landscape. To take us through the discussion on cyber security today, we’ve asked one of my colleagues, Adam Korab, to join us. Adam, tell us a bit about yourself and what we can expect from today’s session.
OK, thanks Patrick. Hi everybody, thanks for taking time to attend with us today. My name is Adam Korab and I’m the director of infrastructure and cyber security here at Texas PGB. My background is 20 years in the industry with specialization in network engineering and operations, as far as firewalls, network-based security, application delivery and security, identity and access management, bringing it all together into overall security posture and planning, and taking into account the entire ecosystem of infrastructure that binds all of these things together, both in the traditional sense and in the modern cloud-native or cloud-agile approach. Today we’re going to talk about a few things, like the key components of your cyber security plan, best practices for remote workers, and then at the bottom of the hour we’ll talk about some tips and tricks that we have, with a quick demo to ensure security within Office 365.
So, when we talk about a cyber security plan, what is it anyway? It’s a comprehensive set of plans, policies and procedures which address all domains of cyber security for the business today. And it’s a massive undertaking. And in addition to being massive, it’s also constantly evolving and shifting as a target, so we’re not going to attempt to cover every minute facet of a cyber security plan today, but I do want to explain some of the most important points at a very high level. The overall goal of your cyber security plan is to provide a uniform and secure work environment, in this case for your remote team.
Now, this requires planning, policy, and most of all a whole lot of good communication. That is probably the single most important thing here, and that’s because effective security depends on your people knowing what’s expected of them within the realm of security. So you plan to cover things like what you see on the screen here, technology-based security controls. A few to get you thinking are data security policies. What is your sensitive data and where is it stored? For instance, are users allowed to send it by email? You should have a policy on that. We want to consider things like endpoint management, security protection of the desktops and laptops. How do they get their updates and patches on? How do you make sure that you have effective backups as a line of defense against things like ransomware and malware? Policy should cover and have technology controls around cloud data storage, specifically things like OneDrive or Dropbox, Google Docs, or many of these other cloud services that people can use and do use for free. You also want to address your policies and restrictions and controls around USB devices, removable USB drives. A lot of people pick something up and are like, “Oh, what’s this?”, you know, plug it in to find out. That’s probably a bad idea. The last technology-based security control would be password management: use of a password manager or effective password policies, dovetailing into multi-factor authentication and single sign-on.
Moving to the next part of your cyber security plan: business continuity procedures. What I mean by things like this are less technology focused and more like, what do you do when key personnel such as IT, security or management get sick, or their loved ones get sick, and all of a sudden they are not available for work anymore? Do you have a plan for the business on that? You need to document and communicate protocol and training for end users and cyber security problems, because it’s not a question of if they’ll have them. It’s a question of when. What I mean is, do your users know who to contact and how to reach them? Especially now if everyone’s at home, do they know how to reach out if they see something that just doesn’t look right, such as a suspicious email or something like that? Do they know that they can contact security team members even if they think they might have inadvertently done something? Because they might have compromised or exfiltrated data. The reason this is really important, especially when people are operating outside of the normal security zone, is that the threats may not be getting as closely monitored as before. People need to absolutely know for a fact that merely speaking up about a possible security concern isn’t going to result in discipline. Because if they don’t know that for sure, they won’t speak up, and you can’t defend against what you don’t know.
Next, in your cyber security plan, you do need to cover incident response. This, like the plan overall itself, is very comprehensive. Many companies include cyber security and incident response as an afterthought to an overall business continuity plan, but this is 2020 and the timeline is strange, and that is just not sufficient anymore. Your incident response plan needs to specifically enumerate the top 7, maybe 10 security risks that your organization faces and provide for specific responses and procedures addressing each of those events. You also want to determine and document what incidents trigger the incident response plan for a security problem versus the business continuity plan for a disruption of business operations. An email phishing campaign against your people isn’t going to shut down access to critical data or prevent customer service taking place and people doing their jobs. Instead, that might invoke pieces of the incident response plan to mitigate that strictly in the security realm. A successful ransomware infection, on the other hand, well, that’s going to lock up all your files, and certainly offers a much greater potential of impacting normal business operations instead of just being a cybersecurity annoyance. So that becomes a business continuity problem. A particularly salient point to today’s overall topic: how does your plan change and adapt if the affected computer that’s paralyzing your company lives at someone’s house? You can’t see it, it might take you longer to find it, and you can’t send IT over to unplug it from the wall. So these are the new things that we all have to consider, plan and prepare for. And that’s what a cybersecurity plan will give you.
The final component of that is organizational maturity. And what I mean by that is, as you put together and construct this cyber security plan, it’s important to factor in your organization’s maturity around technology, and the perception and/or the participation of your executive leadership. A lot of times you’ll hear in security that you have to have executive sponsorship. That’s true, it has to be from the top down. So culturally, are you typically reactive to IT and security events? Or has your team moved beyond that and become more proactive, so that you can anticipate or connect the dots before the entire picture comes into view? Back in 2017 there’s a British defense and security company called BAE Systems, or BAE, who surveyed a globally diverse group of 1200 C-suite executives and IT decision makers, and the survey focused on the key attitudes towards cyber security risk, the understanding of cybersecurity adversaries, and how that organization’s resources affect their cyber security policies and defense. The opinions of the C-suite management and the decision-making people were pretty far apart on the three topics. There was only one thing that they could both agree on, and it was a real gem. Both groups believe the other group is responsible in the event of a breach. So you may have ambitions to increase your maturity level, but it’s very critical that your cyber security plan is built around where you are and not where you want to be.
So, best practices for remote workers. This is stuff that everybody should know. We’ll start with number one. That is, people should absolutely not mix their work email and their personal email. You as a business, an organization, should have a very clear expectation that people will not “just email this Word document to myself.” And if you think, “We don’t do that here”: people email stuff to themselves between work and home. A lot. A survey conducted in 2017 revealed that 46% of staff members admit to moving files between work and personal computers, either using email or USB drives, while working from home. A further 13 percent admit to actually sending work-related business emails from their personal addresses because they couldn’t connect to their office network or their work email. So people will always do what they have to do to get their job done, whether or not it’s germane to an effective cyber security policy or a good practice. The problem with mixing work and personal emails is that as soon as that user sends out your company’s information, that file, that data, whatever it is, through that personal email service, it’s just left your realm of control. So to go further, we know that some people don’t have a company laptop, and they’re working from home on their own computers. That’s a dangerous practice for a lot of reasons, but it’s difficult at best, and impossible at worst, to exert company control and policy enforcement on a system that you don’t own. It becomes a lot safer when you avoid connecting all of these unknown devices directly to your business network, but instead you could offer or enforce the use of virtual workstations like Windows Virtual Desktops on Microsoft Azure, or many other solutions. WVD is very quick to deploy and the benefits are enormous, both from a security point of view and a productivity point of view.
When you use these virtual desktops, users connect from whatever device they might have, from whatever Internet access they might be using, to the virtual desktop, which is under the care and control of your organization’s IT and security. And so it keeps their home devices and your business technology more isolated from each other. And that’s a really good practice.
Best practice number 2 for remote workers. Something that many people already do, but perhaps not in the context of working from home. And that is, you want to be very mindful of sensitive documents and data. Classic example is you’re in the office and you’ve got a hard copy of a sensitive file. It’s printed out, and at the end of the day what do you do? You put it in its folder, you put it in your filing cabinet and you lock it up. At home, it should really be no different. Find a way to lock it up. Don’t leave it on your kitchen counter. Shred things that you don’t need anymore. This is an information security hygiene best practice, and just because you’re at home doesn’t mean it’s time to relax that.
So the final best practice, #3, is to be vigilant about phishing scams. So unfortunately, now more than ever before, the cybercriminals are exploiting things like the worldwide pandemic to their own ends. There’s a poignant recent example from March 17th, or just about three weeks ago. It was a phishing campaign impersonating the World Health Organization, and it promises the latest on Corona virus, that’s Corona dash virus as a quote. However, you know, the WHO is a globally recognized venerable authority on these sorts of things, so many people would be tempted to open the email. So we actually did get a copy of that because they sent it to us. So let’s take a look at that. So in this particular effort, threat actors, which is a fancy way of saying the bad guys, use the lure of a fake e-book called My Health, saying that it includes comprehensive research on the global pandemic and guidance on how to protect children and businesses. However, what it actually delivers to you is an information-stealing Trojan malware called FormBook, stored in an encoded format on Google Drive. That’s a cloud service for which a lot of people have a legitimate use. We mentioned that users use cloud storage, so Google Drive might be freely accessible to users through, typically, your typical security controls and filters. Especially now if they’re connecting from their house, going directly out to the Internet, there’s no restrictions on what they can get from the web. These threat actors aren’t dumb. They’re using the emotional appeal of protecting kids in an already charged and stressful situation. So on its face, here’s the email. We’re going to go ahead and look at some of the tip-offs that this is a phishing threat. So for an email which is supposedly from the World Health Organization, an NGO authority, the writing is awkward. It’s inconsistent and has noticeable errors, and just overall doesn’t read with the fluidity it should have.
You’ve got odd hyphenation like Corona dash virus and my dash health. You’ve got awkward sentence structure, weird punctuation, and inconsistent capitalization patterns; sometimes coronavirus is capitalized, and sometimes it isn’t. If you look at “guidance to children and business” and “critical preparedness,” you see that the end of those lines is a semicolon, where it would be proper to use a colon. Awkward sentences like “practical checklists to keeps kids and business centre,” with the British spelling of centre, “safe.” Or “stay aware with the most contented information”; we’re still trying to figure out what contented information is. And then capitalization things. For instance, in the sentence “avoid touching eyes, nose and mouth,” eyes and nose are capitalized, but mouth isn’t. And then we get to oddly specific instructions, like at the bottom of the email, that you can download and access the attached My Health zip file from a Windows computer only. If I’m disseminating information from the WHO, I don’t want to disseminate it only to Windows users. That’s a big tip-off. The biggest clue, the single biggest thing here? It’s an attached zip file. Normally we’d expect, for information distribution efficiency, a link to a website. Or maybe it’s a PDF, but it’s out on the web. The point is that when you’re sending this to tens of thousands, hundreds of thousands of people, you’re not going to send a 22 kilobyte attachment to every single one. That’s just the wrong way to do it, but if you’re delivering malware and you want people to run it, it’s the right way to do it. So that is the end of our section on remote worker best practices. I’ll go ahead and turn over the presentation to Patrick now, as he’s going to present some practical related tips and tricks for Office 365.
Absolutely. Well, thanks Adam, and you know, I really think what we’ve covered so far has been important: the components of your cyber security plan. While they may seem obvious, as we highlight them, they may be something that you recognize that you do, or even something you can improve on. I think it’s important we take a few minutes in this hectic time and bring those up, as well as our tips for remote workers. You know, some of those common sense things such as being vigilant for phishing during these times. I think it’s just very important we keep that on the top of our mind and remind workers every day of that. Well, now let’s talk about a few things that, as an organization, you’re able to implement: tips and tricks to keep your organization safe and secure. So the three things we’ll talk about are going to be enabling multi-factor authentication for Office 365, enabling self-service password reset for Office 365, and adding a flag to all of our external emails. That gives our users just one more safety net, to raise that flag that there might be an enhanced awareness for phishing in those emails that are coming from outside of our organization.
Now for this part of our presentation we will go ahead and actually be demonstrating the steps to do each of these. As I mentioned earlier, since this is recorded, you’re welcome to come back and follow along in your environment later. So to get started I’m going to go ahead and access the Office 365 administration center, and we’ll begin by working on the multi-factor authentication piece. So here in the Office 365 portal, once we’ve logged in, we want to access the administration center by clicking on admin. And then we’ll move into user management, where we can go to add and remove users, assign licenses. So if you typically do administration for your Office 365 tenant, this is probably a page that you’ve seen before. If you’re not using multi-factor, though, you may have never noticed, up on the toolbar, the multi-factor authentication button. When we click there, that will take us to a new page where we’re able to enable and enforce multi-factor authentication, and we’ll talk about what those two different terms mean. For a moment, though, we’ll talk about what is the idea of multi-factor. So multi-factor authentication combines the necessity, when you log into the system, to not only know your username and password, but you also have something else. That can be a code that gets sent to you via SMS. It can be a code that’s delivered to you via an app on your phone. It can be a phone call. There are many different ways you can receive that information, but it’s a third piece of information other than your username and password that helps authenticate and ensure that you’re you. Not so long ago people carried around RSA keys on their key chain with rolling digits, and that was the same type of idea for multi-factor. So here we are on the multi-factor authentication screen, and you can see that we control this on a user-by-user basis. So in our test environment here we’ve got about a dozen users, and you can see that Alice user has
Multi-factor authentication turned on, and it says that it’s enforced. You can see that the other ones here say disabled, so that’s not turned on, not accessible for those users now. Today we’re going to actually work with our user Harriet. I’ve selected the row with Harriet, and you’ll see that on the right I have the option to enable multi-factor authentication, and we talked about there being two things we can do. We can both enable and enforce multi-factor authentication. Enabling multi-factor gives the user the ability to use multi-factor authentication if they choose. So that’s a permissive option. It gives them the chance if they’d like. Now we know that if we’re really keeping an eye on our security posture, we might want to go ahead and take it a step further and say that they must use, they shall use multi-factor, so we can go ahead and enforce that, and enforcing it goes ahead and makes it so that they must enroll the next time they log in, and they must use multi-factor authentication. So here we’ve enabled that for Harriet. Now I’m going to turn it back over to Adam for a moment. And Adam, why don’t you take us through logging in as Harriet and what the setup process for multi-factor authentication looks like.
Alright, sure thing Patrick, I’ll go ahead and do that. And I’ll go ahead and share my desktop here with a browser, and I’ve gone to outlook.office.com ’cause I want to log in and I want to read my email. So we’ll go ahead and do that and we’ll type in our password like we do every day. Hey wait, what’s this? This is unusual. More information required, so let’s check this out. So we click next and we find out what’s going on, and we see that we’re going to add additional security steps. For today’s demo I’m gonna use the mobile app method. This method is available for smartphones, or it’s an app that’s available for smartphones. iPhone and Android makes it really easy for users.
I’m going to go ahead and choose notifications because everybody knows how a phone notification works. And because then I don’t have to pick up my phone, unlock it, swipe through everything I’m doing, and find the authenticator app, and find a six-digit code before it expires. It’s a pop-up tab and then you get to choose, approve or deny. It’s pretty awesome and easy, so I’m going to select mobile app and receive notifications and then I click set up and takes second mobile app. So then I open the Microsoft Authenticator app on my phone. And I choose that I’m using a work account. That opens up the device camera and I just point it at my screen. So then at the bottom it actually shows me that I have an account for Harriet with a one-time password code. Now I can see that it displays the six-digit code, so I’m going to go ahead and hit next. So it’s activating the setup of the mobile app. This takes just a few seconds. It’s not particularly interesting to users. So it’s configured for notification and verification codes, and so then we click next. So now it does a test thing, and you can’t see my phone, but I’ve gotten an approve sign-in. It’s just got my company name and my username and a button for approve or deny. So I’m going to go ahead and press approve. And once I do that on my phone, there’s nothing I have to do on my browser. It all happens on the back end. So now the second part of enrollment is, in case I lose access to the mobile app, it wants to go ahead and set up phone verification for your password. So I’ll go ahead and type in my backup phone here. Type in the code here. And we’ll click next. So now you can’t use phone secure app. Modern apps you can. This is giving the option to set up app passwords. We’re not using those today, so we’re gonna go ahead and click done. So now we’re back to where we were trying to go in the first place, which is Harriet’s email. So I’m gonna go ahead and sign out of this and see what happens when we’re not having to go through
That initial enrollment. What does it look like after you do that?
And while Adam does that,
I’ll interject here. You know, one thing that’s particularly important around this is communication, and I know earlier when we talked about your cyber security plan, we mentioned that communication was a key part of that, and the same is true here when we’re turning on new features in Office 365. We want to make sure that we’re notifying our users before we do it. In the age of increased vigilance around phishing, if the next time they go to log in, they see a message that says they need more information and it’s asking for their phone number and it wants to install an app, if you’ve trained your users well, they may start to have a Spidey sense about that and say, this is weird, I don’t know why this is happening, and that should trigger them to speak up. But we want to be proactive and want to communicate with them before we make those changes, so that when they do see that, as Adam mentioned, it’s a very unobtrusive process. They walk right through it and you’re more secure as a result. So go ahead Adam, log back in as Harriet.
Alright, so new browser, new day. We’re gonna go ahead and type in my password because I wanna read my email. So now instead of doing the enrollment Prusiner, request an. It’s very same time. I’ve got a pop-up on my phone. All I do is I tap the approve button. Wait a few seconds. And that’s it. We’ve turned on, we’ve enrolled in two-factor authentication, and we see what the process looks like when the user is enrolled and done. So this is what they should do day to day. Now in most times you would set it up and you do your two-factor authentication once. You could set it up so that you don’t get prompted if they’re at work; if they’re off site they get prompted, things like that.
All right, well, I think that wraps up our piece on multi-factor authentication, so now we’ll talk a little about self-service
Password reset. Now, self-service password reset gives your user the ability to register things like security questions or other factors that will enable them to reset their password should they forget it, and in today’s day and age, where we’ve got folks working from home, we have help desks that may be understaffed, people spread thin all around. It’s a great opportunity to enable self-service password reset to reduce some of those calls, reduce the stress on your users and put a little more control in their hands. So as far as enabling self-service password reset, as we go ahead and look back here at the admin center, we’ll find that we need to enable self-service password reset through the Azure Active Directory portion of the admin center. So if we head over again into the admin center, we’ll open Azure Active Directory from our left-hand navigation. And that will take us into the Azure Active Directory panel.
If you’ve not used Azure Active Directory or configured any of the settings in here, you’ll see exactly what we look at today. Now, your organization may have started adding custom branding and other things, and so you may have a few settings that aren’t quite the default, but we’ll talk through the default options and the main things for password reset. So password reset from the navigation menu here brings us to a page, and the first one we start on is: is self-service password reset enabled for the organization? We have two different ways we can roll out self-service password reset. The first and easiest is that we turn it on for everyone. We flip this over to the all box, we hit save, and everyone can enroll in self-service password reset. That might work depending on the size of your organization. You might send out a communication, say, hey, this is coming, you’re gonna get prompted for some questions (we’ll see those in a couple of minutes), and you could flip this on for everyone. But in a larger organization you might want to roll this out in waves. Maybe you start with the West region, then the Central region, then the East region. Something like that. So the middle option, selected, gives you the ability to select different groups, different Office 365 groups or security groups within Office 365, to enable it for. Now, one thing that I wish were a little richer here is that I wish we could select more than one group. Unfortunately, you can only select one group at a time, so you’ll need to add individual users to that group when setting this up. So I’m going to go ahead and turn this on for all users, but just know that selected is an option. But again, remember it has a one-group limit. So I’ve turned self-service password reset on for my entire organization, and I want to look at the authentication methods that can be used to reset a password. Now by default, here it says that there’s only one method required to reset your password.
I’m personally more comfortable with two, just a little more security, and we can select the methods available to our users. So security questions. We’ve all seen the Facebook, you know, put the month of your birth and your first car, and that’s your villain name. So security questions are certainly not the best way, but you could turn those on if you’d like, and you can even set how many they need to answer and which ones they can use in particular, so we’ll take a look at those. You can write your custom questions or you can use predefined. So I’m going to pick just a few here as an option. And we’ll add those in. I will go with five required to register. They do have to answer 3 to reset. And also turn on the other options here, whether it’s mobile apps, mobile app codes, email. This is an alternate email, their non-work email. And then we’ll save that.
As far as registration’s concerned, I do want users to be forced to register when signing in, so the next time that they sign in, I want them to have to register. So I’m gonna leave this as yes. If you set it to no, they have the option to register, but they’re not forced. So again, I would leave this as yes. And finally we’ll talk a little about notifications. We have two options when it comes to notifications. The first is, do we send an email to a user, both their business and personal emails that they’ve registered, anytime their password is reset? By default that’s turned on, and we certainly recommend it that way. If they get the email that says you just reset your password using the self-service password reset tool and they didn’t expect that, they know to pick up the phone and make a call to someone and say, hey, something is going on with my account. The second option, turned off by default, is to notify all global administrators on your account when any single admin resets their password using the self-service password reset tool. This is turned off by default. Like I said, we do recommend this be turned on.
Um, this would be a great way, if someone were able to guess your questions, to take over a global admin account and really wreak havoc on your enterprise. So we do think this is something that’s important, albeit potentially a little embarrassing: if you’re one of the global admins and you forgot your password and you reset it, everyone will know you forgot it. So that takes us through configuring self-service password reset. Again, fairly straightforward. Just the four menu options here that we walked through. And let’s take a look. Now Adam, do you want to show us what it looks like when you log in and set up self-service password reset and then do a password reset for yourself?
Sure thing. This time I’m gonna show up and I’m going to be Bob, a colleague of Harriet’s, so I type in my username here to log in because I wanna go read my email. My usual password, which I know. And just like when we were enrolling with multi-factor authentication, we get a prompt saying more information is required, so we’ll click next and we’ll go ahead and work through that process for Bob so you don’t lose access to your account. So in this case you need to set up at least two of these options. So I’m going to go ahead and use my authentication phone. Again, I’m in the United States. And I’m going to enter my cell phone number. Text message with the code. There it is. So I verify that I received the code at the number I put in. That’s done, that’s easy. Authentication email: as Patrick said, this is where they could use an email sent to their non-work personal email account. Now I will say that this does not run afoul of what I was talking about before with mixing work and personal email, because it’s not actually exchanging any sensitive company data. It’s just a conduit to contact the user at a predefined contact method so they could do a password reset. But I’m going to go ahead and choose security questions. So you have to set up five questions and the answers must be at least three characters long, so we’ll just go ahead and do the first couple of them. So we’ll go ahead and use made up answers here for security professional software in Houston, so we’ll go ahead and use that. And what city did your parents meet? My type same thing, but let’s just say that they met in Austin. Or my nearest sibling. Maybe they live in Dallas. What’s the was your father born? We’ll go ahead and keep our theme here. And first job, let’s say that’s in elk. So we’ve got our five questions and our five answers. Bob will go ahead and save those. And we’ll finish it. No, we’re not gonna save the password. So now Bob is enrolled. And it’s going to proceed to his email.
Now his user account was reset, so he’s getting the initial prompt here to set up his language and time zone. In most cases users won’t see that; they’ll go directly to their inbox. Cool, that worked, so I’m gonna go ahead and sign Bob out. Restart the browser. I’m going to come back. And pretend like Bob forgot his password. So we have an Idol Orianna. Fast forward, it’s tomorrow. Bob wants to read his email, no, better yet, it’s next Monday and Bob had the entire weekend to forget his password. Oh shoot, I don’t know what it is, so I click on “I forgot my password.” We’ll get back into the account. The user ID is prepopulated. There is a CAPTCHA to prevent robots from trying to impersonate users to reset their passwords, so we’ll verify I’m human and click next and what are we going to? Here’s something really interesting. Notice how it doesn’t tell you the whole number to which it is going to send the text message. That’s great because if I’ve got your email address and I go to forgot password and you had to set up, I could go and extract the personal cell phone numbers for lots of people who probably don’t want me to have their phone number. So we go ahead and verify the phone number on the account. Type it in. Go ahead and text it. It’ll send me a verification code. 993558. So go ahead and, I think that... So, in what city was your first job? And of course, in a perfect world I would have used the correct answers, because now I’m trying to figure out in which order I put these in. The important thing here is that if I answer these questions correctly, it will prompt me to get a new password. You know, and why you’re doing that.
That reminds me of a joke I saw the other day and it was, you know, as a cyber security professional, it really seemed to shake the person on the phone at Chase when they asked me for the name of my first dog and I told them it was capital A, dollar sign, 397, lowercase L, capital M. Not everybody uses real answers.
Absolutely, absolutely. I treat it as an additional password field and I put them into a password manager such that it copies and pastes it and I don’t have to remember these things. Here’s a case, a great example of why you should do it that way. Unfortunately, I can’t go retrieve the answers, but for the purposes of this demo, if I answered these questions correctly, I would then be prompted to set a new password for Bob. And then I would be taken to my email.
Wonderful, well, I think that brings us a practical example of how two-step verification and if somebody else tries to reset your password. This is what happens if they don’t succeed. All right, well, I think that takes us to our next piece, which is really around how we’d like to flag external emails to raise awareness when it comes to phishing. So I’ve gone ahead here and, uh, gone back into the Microsoft Portal and we’re going to access the Admin Center again. Now within the Admin Center, this time, because we’re looking at doing something with email, we need to access the Exchange Admin Center. So again, show all on the left side, Exchange Admin Center on the left. While that’s loading, let’s talk a little about this. So we know that emails that come from outside of our organizations aren’t uncommon by any means. But we may want to flag those with additional text to ensure that our recipients understand the source and treat the message accordingly. In one less than great example, we’ve heard of a company that was impacted by an external email that was sent from someone using the same name, but of course the wrong email address, as an executive within the company. They didn’t immediately catch that the email address wasn’t from their leadership, it was actually from outside, and data was ultimately compromised. So if they had turned on a simple rule around flagging external messages as they came in, they might have avoided this.
Let’s take a look at how we put that in place. Here in the Exchange Admin Center, in the Mail flow section, we have rules. Rules are fortunately able to be created similar to a rule in Exchange, or in Outlook rather, where we create message rules. The rules here are very similar. It’s a wizard-driven process, no code required, so we’ll go ahead and open up the new rule pane and walk through creating this rule. Of course, like any good demo, it just wouldn’t be complete without something hanging up. Alright, so we’re gonna walk back into our Mail flow rules and add a new rule. And for that rule we’re going to set a name for it. So I’m going to say this is “flag external email,” and I want to apply the rule anytime that the sender is located outside of my organization. And when that happens, I want to do the following. Now looking at these choices, I don’t really see the one that I’d like. I see options here to forward or redirect the message, to delete the message, or BCC the message, or even append a disclaimer. And appending a disclaimer starts to seem like what I want, except I really would rather not have my disclaimer or my notice that this is an external message at the bottom of the email. I don’t want to append it. I’d really rather prepend it, put it at the top of the message where it catches everyone’s attention. So what we need to do is we need to actually click more options at the bottom of the page and that will add additional choices for what we can do. So now we can prepend, or put at the top, a disclaimer. We can put the text that we want. Now you could simply write in this box, “This is an external email. Use caution,” and if you did that, it would work just fine. That would be added to the top, but it’d be in all black text, nothing real special. With a little bit of HTML you can create a really elegant looking banner at the top though, and I will share this as part of the recording afterwards. This HTML snippet, and this simply puts in a line.
It’s got a red background and it says this message was sent from outside the company. Please do not click links or open attachments unless you recognize the source of this email and know the content is safe. So we’re gonna go ahead and use that. We do have to select a fallback action for this, it’ll just be to wrap it, and all of the other default settings are fine. When we save that, we’ll see the rule appear and it will be on by default. So I’m going to go ahead and send an email here from my personal account, which is outside of our test environment, over to Harriet. So Harriet at Widget Bend dot on microsoft.com and very important message. Please send me all of the profit and loss statements for the year. I’m trying to get some information on this company. I’m hoping Harriet’s not paying much attention and thinks that I’m the other Patrick that works for the company. So Adam, as Harriet, why don’t you show us how that comes through and how we see this flag applied to the external email?
Sure thing, let me go ahead and share my screen again, and once again this is Harriet’s email box. Go ahead and look at. I’ll go ahead and look at our inbox here. This shows up in Focused, so here’s the message from Patrick born, very important message, you can see in the preview pane that it was showing also. So here is from Patrick Moran Terry user. It doesn’t show the address by default. It shows the person’s name. That’s why sometimes it’s gonna happen. If you hover over it, you can find the email address, but if they read quickly they only see the name. Now you’ve got this pretty red banner, “sent from outside the company,” and if you actually reduce the size of the window, you see that it automatically resizes and wraps nicely, so it looks good and people get the entire warning banner across any device that they happen to be reading this on. This will also show up in the message when it’s displayed on their mobile phone or tablet.
Wonderful, well that takes us through the three tips and tricks today that we wanted to discuss: enabling multi-factor authentication, enabling self-service password reset, and quickly and easily flagging external emails to raise people’s awareness for potential phishing attempts. Of course these are not exhaustive. There are many other things you can do, but these are just some of the items that we’d like to share and we’re glad that we got that opportunity.
At this point, I’d like to move us into more of the collaborative session. Do we have any questions from the audience? Anyone have any questions about what we’ve presented today, or anything that you’ve seen recently, or maybe even horror stories of what you’ve seen recently that you’d like to share with the group? Quiet group today, that’s alright. Well, I do want to thank everyone for their time. As we move through the Life in Remote Work series, we’ll find that there are some of these that are more technical, some of these that are more business related, and we really hope that as we bring together a diverse audience, we can demonstrate and show to everyone some of those different possibilities and capabilities of the tools, technologies and also just business best practices. Again, thank you. For everyone at Texas PGB and greendata.IO, our partner in putting this series together, we really appreciate your attendance today. This will be released for you. The recording will be released in the future for you to be able to rewatch this, and wish everyone a great day and we’ll all be in touch soon. Thank you, goodbye.
How do we manage cybersecurity threats to ensure successful business continuity in a 100% remote staffing situation?
The latest episode in our series tackles the inherently increased cybersecurity risk to the enterprise and its data in times like these where remote access has become the de facto standard. Many security controls which were normally enforced through internal networks now must shift to external and unmanaged networks and endpoints. We consider the effects of connecting over the public Internet and the state of local networks at someone’s home, and key differences between security controls in the enterprise compared to typical consumer-level security.
- Why Cybersecurity Now?
- A Cybersecurity Plan: Key Components
- Best Practices for Secure Remote Workers
- Basic security advice every user needs to know.
- Tips and Tricks
  - Multi-factor Authentication
  - Self-Service Password Reset
  - Flagging External Emails for Phishing Awareness
- Questions & Answers
During this event series you can participate in a variety of one-hour webcasts about multiple topics surrounding the world of Remote Work. Not only will these webcasts provide knowledge and insights about how to accommodate remote work in atypical situations, but they will also cover how to enable organizations and individual contributors with all the required resources to thrive in a future of more flexible working styles.
In each episode you can expect to learn different techniques, best practices and ways to implement the right tools to ensure outstanding performance, without compromising productivity and the quality of your product or service.