
Back to Basics: Using PIM in Azure Active Directory Security

By: tribe47

Minimizing who can access your data and when is one of the cornerstones of cybersecurity as it helps to decrease the chance of sensitive information falling into the hands of a malicious actor. It also protects data against being accidentally viewed (or even inadvertently leaked!) by an authorized user.

Because privileged user accounts hold higher levels of access than other user accounts, they need to be monitored more closely. PIM is a service in Azure Active Directory that allows you to restrict access in a variety of cool ways, from making it time-bound to implementing just-in-time access.

In her exploration of Privileged Identity Management in Azure Active Directory, Paula covers:

  • Assigning roles
  • Adding assignments
  • Giving global administrative rights to a user
  • Configuring limited time access that expires after a specified time
  • How to activate a role and monitor it using Assigned Admins

You’ll find more beginner-level episodes of CQ Hacks devoted to Azure Active Directory Security on the CQURE Academy blog.


Holiday time is approaching and we know that everyone loves to receive gifts! Especially at CQURE, the idea of sharing is close to us and we would like to invite you to our Great Racoon Giveaway Contest, where you will get a chance to win a voucher worth $3920 for any of the CQURE Academy Live Courses!

Please click on the below banner to find out more about the contest:

The post Back to Basics: Using PIM in Azure Active Directory Security appeared first on CQURE Academy.

Back to Basics: Identity protection in Azure Active Directory

By: tribe47

Identity Protection is a security feature in Azure Active Directory that helps to prevent, detect, and remediate identity risk in an organization. Using multiple detections, it monitors every login for identity compromise, sorting sign-ins into three categories of risk: low, medium, and high.

These risk ratings can be used to create automated user risk policies that balance employee productivity with corporate security. For example, multi-factor authentication can be set as a requirement for a sign-in that is high-risk.

Join Paula as she reviews the different policies in Azure’s Identity Protection (User Risk, Sign-in Risk, and MFA Registration) and explains how to:

  • Select which users you want to include in the policy
  • Exclude specific users (such as your ‘break-glass’ account so that you cannot be accidentally logged out of Azure Active Directory)
  • Specify risk levels as high, medium, or low in the User Risk section
  • Block access or allow access but require a password change in the Access section
  • Activate and enforce a policy that you have set up and configured

Paula shows how to monitor your organization for risky users and risky sign-ins in the Report section of Azure’s Identity Protection dashboard and takes you through how to delete the conditional access policies you create.

Discover what happens when a log-in to an organization’s Microsoft Office portal from a Tor browser is flagged as “something strange” by Azure AD’s Identity Protection. You’ll also learn how to mark an identity as compromised if, for example, sign-ins have been made in two completely different locations using that identity.

Paula covers identity security from the perspectives of both the administrator and the user, giving a clear view of the steps an employee must take when their account has been identified as risky.

With this identity security lesson under your belt, you’ll be able to intelligently react to potentially dangerous situations. Take a stroll around the CQURE Academy blog now for more Azure Active Directory security tips including ‘8 things to avoid’ in Azure AD.


The post Back to Basics: Identity protection in Azure Active Directory appeared first on CQURE Academy.

Back to Basics: Conditional Access in Azure Active Directory

By: tribe47

Regulating access to your company’s files, systems, and applications cuts the risk of your data falling into the hands of hackers, threat actors and thieves.

While standard privilege management stops at ID-based authentication, conditional access in Azure Active Directory gives greater flexibility and control by allowing remote connections only when certain conditions are met.

Using conditional access, an administrator can regulate access by user location, device type, the kind of application or file being used and more. To achieve this, the administrator creates an Azure Active Directory security policy that specifies which condition(s) must be met for access to be allowed.

In this back-to-basics CQURE Hacks episode, Paula J demonstrates how to create secure conditional access policies and monitor access in the Azure Active Directory.

>>> Controlling access by a user’s IP address
o   Add the IP range’s location
o   Define the range to be assigned to the policy
o   Name the policy, e.g., ‘Corporate IP range’
o   Specify the trusted IP addresses related to the location

>>> Controlling access by the kind of user or group, e.g., corporate only
o   Create a new policy
o   In conditions, specify login from corporate IP addresses
o   Exclude sign-ins from other users and groups

>>> Controlling access by location
o   A demonstration using the United States and Poland as examples

>>> Creating emergency access accounts, known as “break glass accounts”, to prevent yourself from being accidentally locked out of your Azure Active Directory

>>> More ways to regulate access
o   Blocking access
o   Enforcing multifactor authentication
o   Session controls

>>> Final steps
o   Turning on policies
o   Testing policies
o   Monitoring user access via the dashboard
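The steps above (a trusted named location built from an IP range, a policy that blocks sign-ins from outside it, and a break-glass account excluded from that policy) can be checked offline before a policy is switched on. The following Python is an added example and is not code from the CQURE episode or from Microsoft; it evaluates a constructed export of named locations and conditional access policies against a hypothetical sign-in. The field names mirror the Microsoft Graph conditionalAccessPolicy and ipNamedLocation objects as I understand them, and the identifiers (`loc-corp`, `user-breakglass`) are constructed placeholders.

```python
import ipaddress

# Constructed sample data, not an export from any real tenant. The field names
# follow the Microsoft Graph conditionalAccessPolicy and ipNamedLocation objects
# as I understand them; treat the exact shape as an assumption of this example.
CORP_LOCATION_ID = "loc-corp"
BREAK_GLASS_ID = "user-breakglass"

NAMED_LOCATIONS = {
    CORP_LOCATION_ID: {
        "displayName": "Corporate IP range",
        "isTrusted": True,
        "ipRanges": [{"cidrAddress": "203.0.113.0/24"}],
    },
}


def _policy(name, state, exclude_users, exclude_locations, controls):
    """Build a policy dict that targets all users from all locations."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": exclude_users},
            "locations": {"includeLocations": ["All"], "excludeLocations": exclude_locations},
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


POLICIES = [
    # Block everything that does not come from the corporate range; the
    # break-glass account is excluded so it can never be locked out.
    _policy("Block access outside corporate IP range", "enabled",
            [BREAK_GLASS_ID], [CORP_LOCATION_ID], ["block"]),
    # Require MFA everywhere. Note: the break-glass account is NOT excluded here.
    _policy("Require MFA for all users", "enabled", [], [], ["mfa"]),
    # A disabled policy must have no effect on the evaluation.
    _policy("Old test policy", "disabled", [], [], ["block"]),
]


def ip_in_location(location, ip):
    """True if the IP falls inside any CIDR range of an ipNamedLocation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["cidrAddress"], strict=False)
               for r in location["ipRanges"])


def ip_matches_spec(spec, named_locations, ip):
    """Resolve a location list: 'All', 'AllTrusted' or named-location ids."""
    for entry in spec:
        if entry == "All":
            return True
        if entry == "AllTrusted":
            if any(loc["isTrusted"] and ip_in_location(loc, ip)
                   for loc in named_locations.values()):
                return True
        elif entry in named_locations and ip_in_location(named_locations[entry], ip):
            return True
    return False


def policy_applies(policy, user_id, ip, named_locations):
    """Does this policy fire for a sign-in by user_id from ip?"""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    if user_id in users["excludeUsers"]:
        return False
    if "All" not in users["includeUsers"] and user_id not in users["includeUsers"]:
        return False
    locs = policy["conditions"]["locations"]
    if ip_matches_spec(locs["excludeLocations"], named_locations, ip):
        return False
    return ip_matches_spec(locs["includeLocations"], named_locations, ip)


def evaluate_sign_in(policies, named_locations, user_id, ip):
    """Return 'block', or the sorted list of grant controls the sign-in must satisfy."""
    controls = set()
    for policy in policies:
        if policy_applies(policy, user_id, ip, named_locations):
            controls.update(policy["grantControls"]["builtInControls"])
    return "block" if "block" in controls else sorted(controls)


def policies_missing_break_glass_exclusion(policies, break_glass_id):
    """Enabled policies that target the emergency-access account without excluding it."""
    out = []
    for policy in policies:
        users = policy["conditions"]["users"]
        targeted = "All" in users["includeUsers"] or break_glass_id in users["includeUsers"]
        if policy["state"] == "enabled" and targeted and break_glass_id not in users["excludeUsers"]:
            out.append(policy["displayName"])
    return out


if __name__ == "__main__":
    print(evaluate_sign_in(POLICIES, NAMED_LOCATIONS, "user-alice", "203.0.113.10"))
    print(evaluate_sign_in(POLICIES, NAMED_LOCATIONS, "user-alice", "198.51.100.7"))
    print(policies_missing_break_glass_exclusion(POLICIES, BREAK_GLASS_ID))
```

The last function is the check the episode's break-glass step is about: any enabled policy that targets all users and does not list the emergency account in `excludeUsers` can lock it out, which in the sample data is the MFA policy, not the block policy. "Testing policies" before turning them on is exactly this kind of dry run, done against a real export instead of the constructed one here.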

After you’ve set up conditional access in Azure Active Directory, browse our blog to discover more clever ways to secure your data.


The post Back to Basics: Conditional Access in Azure Active Directory appeared first on CQURE Academy.

What is it Really Like to Work in Cybersecurity?

By: tribe47

A problem-solver’s paradise

Before I get to the audience’s questions, I’m going to start this knowledge drop by answering one of my own – what does it mean to me to work in cybersecurity?

I consider working in cybersecurity as exciting and challenging because there is a new obstacle to overcome every day. You must be prepared to face problems that you haven’t seen before as no two infrastructures are the same.

Not only do you have to use your skills and knowledge in new ways, but you must make sure that you keep up with the latest technological advances and threats. While it may not be the easiest industry in the world to work in, it is incredibly gratifying. You can often quickly see that what you are doing is making a difference, like when you discover vulnerabilities during a penetration test. Or when you manage to stop a cyber-attack on a client’s site.

Besides being intellectually fulfilling, cybersecurity is about making the digital world safer. It also has a fun and creative side in which coming up with new scripts, code, and solutions is encouraged. Current regulations consist mostly of guidelines and recommendations, so you have a lot of freedom to experiment and approach problems in whatever way you think is best.

This cutting-edge industry is hugely social. So not only do you have the chance to create something the world has never seen before, but doing so will bring you many new friends. And what’s great is that you are always working with smart and creative people so there’s no sitting through dull conversations.

Finally, it’s a highly profitable industry that shows no signs of slowing down. The increase in cyber-attacks over the last few years has made this business even more lucrative, so you don’t have to worry about your financial security. For these reasons, I log off my laptop every day feeling happy.

The satisfaction factor

Q1: How do I know if cybersecurity is the right career path for me?

Like working in medicine or law, a job in cybersecurity will be interesting, difficult, but ultimately satisfying. It is fast-paced and there will be a lot of challenges but also loads of opportunities for you to grow and earn good money.

Your skills will be tested every day and continuous education is a requirement. So, you will need to read the news and know what’s going on in the field. If you are not a hard worker with a drive to succeed and you don’t want to have to learn new things all the time, then maybe this isn’t the industry for you. However, if you want to work in cybersecurity at a slower pace, you could try the more static governance side of the industry.

It can be tough, as you only have a very limited time to do your research, learn what is happening in the world, and find and test new tools that could improve your efficiency. But those of you who want a high-energy job and who thrive under pressure will get a kick out of being in a blue team or red team. You may not get all the sleep you want all the time, but you will never be bored.

A diamond in the dust

Q2: How can I distinguish myself from others in cybersecurity and be recognized?

Standing out in the field of cybersecurity starts with doing your research. Whether you want to make a name for yourself by writing some new tools, or by becoming a sought-after speaker on a particular topic within the industry, you need to know what information is out there.

There are some news portals with fantastic articles and summaries that will help you. And in every country, there is an IT club where you can swap stories and share knowledge and experience with other people. Start a conversation and see where it takes you.

Once you have built up a rich stash of knowledge and skills, the next step is finding a way to share it. You could do this through writing a blog, sharing some tools you’ve made, or giving presentations at conferences.

You could also write a book, create a how-to video, write an article, or find a fun and different way to review new tools. Another way to gain notoriety could be through making a discovery. Perhaps you will find the next SolarWinds attack or earn the highest ever bug bounty by detecting vulnerabilities?

Whatever way you choose to stand out, what you offer must be unique and of excellent quality. It doesn’t have to be big, but it does have to be outstanding. My advice is to start small and build up from there. You could simply write a blog post, and since not many people are doing that, you would already start to stand out.

The great switcheroo

Q3: I’m currently changing careers. What advice do you have for someone starting in IT and in cybersecurity in particular?

It’s important to know the details of how solutions work. So, for example, you can’t just learn how Windows OS works. You also need to learn about its weak points, how to break them and so on, if you are going to give anybody good advice.

If you are entering the industry as a junior consultant who is going to be trained, then you may not have to know as much before you start. But you must invest time in studying the basics, in learning the principles of cybersecurity which are the internals of the operating systems and how things are technically executed.

If you want to focus on Windows, then you need to read a book called Windows Internals that explains how the operating system works. This is fantastic knowledge to have because whenever something happens in Windows, you will be able to understand why it’s happening.

I recommend finding out about the different roles that people can have in cybersecurity, so you can consider what you want to do. You could, for example, work in a Security Operation Center and respond to incidents and escalate problems.

We count threats, not sheep

Q5: How do you stay up to date with all the latest security threats and still have a private life? Do you only sleep four hours a night or something?

If you work in the incident response side of cybersecurity, it’s your job to jump in and help when you get that call or email, from, for example, a customer who has just been hacked.

These roles are fun and exciting, but they can make it challenging to maintain a work-life balance. So, if you like to go and disconnect, you should consider a different area of cybersecurity.

Personally, I don’t sleep a lot and that’s the way I like to operate. I only need four or five hours a night. To keep up with the news, I read Twitter and various news portals. I have the favorites that I browse pretty much every day to verify what’s out there and what’s up to date. I also sync up with the team. That’s my way of doing it.

Over the past year, we’ve been crazy busy, and we all have had to space out time with our families. But we shared the responsibility as a team and took steps to get a bigger team.

Getting your foot in the door

Q6: After completing a cybersecurity degree last year I’m finding it difficult to get entry level roles. I’m thinking of doing some certifications like CompTIA, CySA+, CISSP, but can’t help worrying about the job prospects given my age (47). I spend a lot of time on hands-on hacking platforms, but what can I do to gain some real cybersecurity work experience?

I wouldn’t say your age is any kind of an issue. My advice is to be careful which platforms you use. Some of them can be quite good – we use them in our team for our education and we test things using our competitors’ labs as they have good ones – but some have too much automation. You are often shown a quick way of handling an attack without any in-depth explanation of what’s going on.

In my opinion, it’s good to take a classic step-by-step approach where you technically try to understand what kind of attack is happening and how it works, and then you try to find the appropriate tools to use against it.

To get work experience, my advice is to become familiar with internals and apply for a job as a junior in a consulting company. This is one of the fastest ways to gain knowledge as you will be thrown into the deep end straight away (which depending on you, can be a really nice splash!).

Another option is finding a job in a SOC (Security Operation Center) where you could play a monitoring role or be responsible for identifying threats. Or you could try applying for a role at a customer site. Most companies used to outsource cybersecurity, but we have seen a trend where companies want to develop their own in-house skills. All this usually requires IT skills and you can learn the rest.

It takes all sorts

Q7: Do you need a tech background to work in cybersecurity?

There’s a relatively new role in cybersecurity called the TISO (Technical Information Security Officer). For this role, like in other C-Suite roles, the manager doesn’t have to know the technical part of what’s going on, they just need to manage it.

TISOs don’t need to know all the technical details, but they do need to know the risk to the organization. They must know, for example, the business impact of a data breach and how an attack could affect each part of the company or system. They must also be aware of things like what would happen if this system that banks rely on was down for two hours. How much would that cost in recovery time and fines etc.?

It is possible to switch to cybersecurity from other careers. I can think of one example – an independent cybersecurity consultant who works with our customers. He gained a psychology degree and started out with us in the sales team. He converted to being a techie and spent a year learning all about it.

How future stars are made

Q8: How can I help my daughter become the next Paula J?

What is most important in cyber is to work every day and to work hard. And when you keep working hard at something, whether you work fast or slowly, you always get a good result.

Cybersecurity is my passion, so I enjoy working hard at it. Anyone who is as hyperactive as me and who has the will to learn, could become the next Paula.

I’ve learned that it’s important to be willing to share knowledge with other people. Although I am more of an introvert, I’m curious to find out what other people in cybersecurity are doing. It’s always appreciated. We can learn a lot from one another as we are all spending our time on great things.

Sometimes you might get negative feedback, but you also receive interesting insights, especially when you take part in conversations. Generally, the more of yourself you are willing to invest in acquiring knowledge, the more likely you are to succeed. So, get stuck into reading articles and trying out tools.

It’s not all about the tech

Q9: What is the most useful cybersecurity skill you’ve learned that you still use today?

The most important skill I have learned is to share whatever is interesting. For example, we might create new tools for a project if none exist already and then share them.

And, although it’s not a cybersecurity skill, I also appreciate working with a team of great people who are happy and not afraid to share or to admit that they don’t know something.

Q10: Is CIS worth getting?

CIS is impossible to get at entry level since it requires five years of experience.

I think that although it takes some time and effort, it’s always worth getting additional certificates. They show potential employers what you know and that you are committed to professional development. However, it depends on the job and the situation.

If there isn’t a requirement for a certificate, you can still challenge yourself to learn something new. If you apply for a job in the future and come up against a similar candidate, those extra certificates could push the hiring decision in your favor.

We’re eternal students

Q11: What strategy do you use to learn things quickly?

The more we do something, the faster we get at it. Since I read a lot, I can now do it quickly, only taking a deep dive when I come across something interesting.

At CQURE, we make sure everybody has some peaceful time that they can use for learning since it’s not an easy process. Each team member has allocated learning days every month during which they go into a quiet zone, and no-one is allowed to book them or bug them.

Q12: What other industry requires this same level of technical expertise and constant learning?

I would say medicine is a good comparison as you need a lot of education and it’s constantly changing and growing. You need to know more to be better and to be more precise.

Ready for the challenge?

Answering your questions has been an absolute pleasure. If you’ve read this far, then I recommend that you take the next step – trying cybersecurity for yourself!

On August 31, CQURE Academy is running a live challenge designed to closely simulate what it’s like to work in a real cybersecurity role. Sign up and see how you get on with completing the challenge’s three tasks.

The post What is it Really Like to Work in Cybersecurity? appeared first on CQURE Academy.

8 Things to Avoid In Azure Active Directory

By: tribe47

Organizations that don’t put in the extra effort needed to secure their Azure Active Directory leave themselves vulnerable and open to data leaks, unauthorized data access, and cyberattacks targeting their infrastructure.

Cybercriminals can decrypt user passwords and compromise administrator accounts by hacking into Azure AD Connect, the service that synchronizes Azure AD with Windows AD servers. Once inside the system, the attackers can exfiltrate and encrypt an organization’s most sensitive data.

Azure AD users often overlook crucial steps, such as implementing multi-factor authentication for all users joining the Active Directory with a device. Failure to require MFA makes it easier for an attacker to join a malicious device to an organization using the credentials of a compromised account.

Increased security risk isn’t the only consequence of a poorly set up AD. Misconfigurations can cause process bottlenecks leading to poor performance. The following guide was created by CQURE’s cybersecurity expert Michael Grafnetter, who specializes in securing Azure Active Directory, to help you detect and remedy some of the most common Azure AD misconfiguration mistakes.

8 Things to Avoid In Azure Active Directory


1. Production Tenants Used for Tests

During security assessments, we often see production tenants being used by developers for testing their “Hello World” apps. We recommend that companies have standalone tenants for testing new apps and settings. Needless to say, the amount of PII accessible through such tenants should be minimized.

2. Overpopulated Global Admins

User accounts that are assigned the Global Administrator role have unlimited control over your Azure AD tenant and in many cases also over your on-prem AD forest. Consider using less privileged roles to delegate permissions. As an example, security auditors should be fine with the Security Reader or Global Reader role.

3. Not Enforcing MFA

Company administrators tend to create “temporary” MFA exclusions for selected accounts and then forget about them, making them permanent. And due to misconfigurations, trusted IP address ranges sometimes include guest WiFi networks. Even with the free tier of Azure AD, one can use Security defaults to enable multi-factor authentication for all users. And users assigned the Global Administrator role can be configured to use multi-factor authentication at all times.

4. Overprivileged Applications

Many applications registered in Azure AD are assigned much stronger privileges than they actually require. It is also not obvious that app owners can impersonate their applications, which sometimes leads to privilege escalation. Registered applications and service principals should be regularly audited, as they can be used by malicious actors as persistent backdoors to the tenant.

5. Fire-and-Forget Approach to Configuration

Azure AD is constantly evolving and new security features are introduced regularly. But many of these newly added features need to be enabled and configured before they can be used, including the super-cool passwordless authentication methods. Azure AD deployment should therefore not be considered a one-time operation but rather a continuous process.

6. Insecure Azure AD Connect Servers

Azure AD Connect servers are used to synchronize Azure AD with on-premises AD, for which they need permissions to perform modifications in both environments. This fact is well-known to hackers, who might misuse AAD Connect to compromise the entire organization. These servers should therefore be considered Tier 0 resources and only Domain Admins should have administrative rights on them.

7. Lack of Monitoring

Even with an Azure AD Premium plan, user activity logs are only stored for 30 days. Is this default behavior really enough for your organization? Luckily, custom retention policies can be configured when Azure AD logs are forwarded to the Azure Log Analytics service, to the Unified Audit Log feature of Microsoft 365, or to 3rd-party SIEM solutions. And components like Azure AD Identity Protection or Azure Sentinel can automatically detect anomalies in user activity.

8. Default Settings

Not all default settings provide the highest security possible. By default, users can register third-party applications in Azure AD, passwordless authentication methods are disabled, and AD FS endpoints that use NTLM authentication (which bypasses the Extranet Smart Lockout feature) are published on proxies. These and other settings should be reviewed during Azure AD deployment and adjusted to fit organizational security policies.
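Several of the eight points (overpopulated Global Admins, forgotten MFA exclusions, trusted IP ranges that swallow guest WiFi, overprivileged applications, short log retention, and the default that lets any user register apps) can be turned into a repeatable audit over a tenant snapshot. The following Python is an added example, not code from CQURE or from Michael Grafnetter; it runs over a constructed snapshot with the weak settings next to a hardened copy of the same snapshot. The snapshot layout, the thresholds (`MAX_GLOBAL_ADMINS`, `MIN_LOG_RETENTION_DAYS`) and the high-privilege permission watch-list are assumptions of this example; the permission names in the watch-list are real Microsoft Graph application permissions, but which ones count as "high privilege" is the example's own choice.

```python
import ipaddress

# Constructed tenant snapshot, not taken from any real tenant. Field names loosely
# follow Microsoft Graph objects, but the layout is an assumption of this example.
SNAPSHOT = {
    "globalAdmins": ["admin1", "admin2", "admin3", "admin4", "admin5", "admin6"],
    "mfaPolicy": {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        # a "temporary" exclusion that nobody ever removed
        "excludeUsers": ["user-breakglass", "user-contractor-temp"],
    },
    "approvedMfaExclusions": ["user-breakglass"],
    "trustedLocations": [
        {"displayName": "HQ", "ipRanges": ["203.0.113.0/24"]},
        # the whole office block was marked trusted, guest WiFi included
        {"displayName": "Office WiFi", "ipRanges": ["198.51.100.0/23"]},
    ],
    "guestWifiRanges": ["198.51.100.128/25"],
    "servicePrincipals": [
        {"displayName": "HR sync", "appRoles": ["User.Read.All"]},
        {"displayName": "Hello World test", "appRoles": ["Directory.ReadWrite.All"]},
    ],
    "logRetentionDays": 30,
    "defaultUserRolePermissions": {"allowedToCreateApps": True},
}

# The same tenant after the misconfigurations have been fixed.
HARDENED_SNAPSHOT = {
    **SNAPSHOT,
    "globalAdmins": ["admin1", "admin2"],
    "mfaPolicy": {**SNAPSHOT["mfaPolicy"], "excludeUsers": ["user-breakglass"]},
    "trustedLocations": [
        {"displayName": "HQ", "ipRanges": ["203.0.113.0/24"]},
        {"displayName": "Office wired", "ipRanges": ["198.51.100.0/25"]},
    ],
    "servicePrincipals": [{"displayName": "HR sync", "appRoles": ["User.Read.All"]}],
    "logRetentionDays": 365,
    "defaultUserRolePermissions": {"allowedToCreateApps": False},
}

# Assumed thresholds and watch-list; adjust them to the organisation's own policy.
MAX_GLOBAL_ADMINS = 5
MIN_LOG_RETENTION_DAYS = 90
HIGH_PRIVILEGE_APP_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
}


def audit(snapshot):
    """Return a list of (check_id, detail) findings; an empty list means nothing was flagged."""
    findings = []

    admins = snapshot["globalAdmins"]
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(("global-admins",
                         f"{len(admins)} Global Administrators, limit is {MAX_GLOBAL_ADMINS}"))

    policy = snapshot["mfaPolicy"]
    if policy["state"] != "enabled":
        findings.append(("mfa-not-enforced",
                         f"policy '{policy['displayName']}' is {policy['state']}"))
    for user in policy["excludeUsers"]:
        if user not in snapshot["approvedMfaExclusions"]:
            findings.append(("mfa-exclusion", f"undocumented MFA exclusion: {user}"))

    # A trusted location that overlaps a guest network silently skips MFA for guests.
    guest_nets = [ipaddress.ip_network(r) for r in snapshot["guestWifiRanges"]]
    for loc in snapshot["trustedLocations"]:
        for cidr in loc["ipRanges"]:
            net = ipaddress.ip_network(cidr)
            for guest in guest_nets:
                if net.overlaps(guest):
                    findings.append(("trusted-guest-wifi",
                                     f"trusted location '{loc['displayName']}' ({cidr}) "
                                     f"overlaps guest WiFi {guest}"))

    for sp in snapshot["servicePrincipals"]:
        risky = sorted(set(sp["appRoles"]) & HIGH_PRIVILEGE_APP_ROLES)
        if risky:
            findings.append(("overprivileged-app", f"{sp['displayName']}: {', '.join(risky)}"))

    if snapshot["logRetentionDays"] < MIN_LOG_RETENTION_DAYS:
        findings.append(("log-retention",
                         f"logs kept {snapshot['logRetentionDays']} days, "
                         f"need {MIN_LOG_RETENTION_DAYS}"))

    if snapshot["defaultUserRolePermissions"]["allowedToCreateApps"]:
        findings.append(("user-app-registration", "any user can register applications"))

    return findings


def finding_ids(snapshot):
    """Just the check identifiers, convenient for dashboards and tests."""
    return [check for check, _ in audit(snapshot)]


if __name__ == "__main__":
    for check, detail in audit(SNAPSHOT):
        print(f"[{check}] {detail}")
    print("hardened snapshot findings:", audit(HARDENED_SNAPSHOT))
```

Run against the constructed snapshot it reports six findings, one per misconfiguration described in the list; against the hardened copy it reports none. Point 5 of the list ("fire-and-forget") is the reason to run something like this on a schedule rather than once, feeding a real export in place of the constructed data.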

Azure AD is a critical attack surface that needs continuous monitoring for misconfigurations. We hope this guide makes managing the security of your AD easier by helping you to detect and resolve vulnerabilities.

The post 8 Things to Avoid In Azure Active Directory appeared first on CQURE Academy.
