Hello, and welcome to today's TEC talk called Office 365-- Guard the Galaxy of Your Email Users. My name is Jennifer Lupiba. I'm the host for our TEC Talks today. But you won't really be hearing from me. I'll be hearing mostly from our expert that we have here, Susan Bradley. So we're going to be talking about business email compromise. And Susan is going to walk us through how to spot and defend against BEC attacks. These attacks are still happening. BEC attacks are pretty old attacks, but they're still happening. They're still very lucrative for cyber criminals. And certainly, with Office 365, your email users are definitely at risk for falling prey to these types of attacks.
In fact, just the other day, I read about a UK Premier League club targeted in a BEC scam. And this scam also targeted several others, and was by a Nigerian Instagram star. He was posting lots of pictures about his lavish lifestyle. This attack against the soccer club and those other folks was about porn and $35 million.
Luckily, these were just schemes. The guy was living large. Like I said, he was documenting his luxury on Instagram. And when he was arrested in Dubai, he had $40.9 million in cash on him. So these are definitely still happening. And we're really lucky to have Susan Bradley here. She is a Microsoft MVP, and will walk us through that. I will give a little bit more detail about Susan here in the next couple of slides.
I do want to say that these TEC Talks are CPE eligible. So what I did in the past is I would ask people to send me an email. I'd send them an attendance receipt. Well, what I believe-- I did some more research. Using your registration email that you received, plus the slides that I'll send out afterwards, you can use both of those, just the registration email, and then the slides, as proof of your attendance. You submit that to whatever accreditation that you seek, or submit it for continuing education that you need to maintain for your place of employment.
These TEC Talks are hosted by Quest software. But by no means do we do any of our product pitches in these TEC Talks. They're pure training, in the spirit of the experts conference. And just to give a quick pitch here on the experts conference, so TEC, the experts conference, TEC talk, all the same thing.
The TEC talk today is similar to what you would see at the experts conference. We were so hopeful for November 17th and 18th in Atlanta. Things were going down. Obviously, things are not right now. So we have made the prudent decision to take TEC virtual. And since we're doing that, we also wanted to make it free for individuals. We usually charge for this conference. It is all training. It is CPE eligible. We bring in a lot of experts like Susan Bradley, David Kennedy from TrustedSec. We have Microsoft folks like Chris McNulty and Pamela Dingle, Sean Metcalf and Randy Franklin Smith on the AD side, and lots of other Office 365 experts.
And we decided to make it free. It's virtual. You can come and go as you please. You can jump between tracks, as much as you want. And you can come back and watch all the recordings if you've missed it. We've got three tracks-- hybrid Active Directory security, Office 365, and Migration and Modernization, which will also deal with a lot of mergers and acquisitions.
So you can start to register for the experts conference at theexpertsconference.com. Go ahead and register for that. We are transitioning the site to talk about virtual. I think right now, it might still say in person. You can just ignore that for the moment. Because we have made that decision here recently. We're in the process of getting those things changed over. But you can register. You register for free. And then as we get closer, we'll be sending out all the links to where you need to go to be watching this.
We will be using Teams to convey that conference. And we're working through a couple different options to also have that face-to-face interaction with the speakers that past attendees of the experts conference have loved so much, being able to talk one on one, or face-to-face, I should say, with these different experts. So go to theexpertsconference.com, feel free to register. It is free, and it is virtual.
Our next TEC talk, and actually the last one we'll have until we actually have the experts conference in November, will be in a month, August 12th. And this is led by Adam Leatherman. He's also a Microsoft MVP. He will be talking about how to migrate the rest of your files into Microsoft 365. So everybody rushed to enable 365. You probably ported over to some really important stuff. Now, what's that next wave of migration that you need to look at? So he will talk through the different options there, the different ways you might use the different content repositories that Office 365 offers.
So introducing our speakers, Susan Bradley, I'm really excited to have her here. She is a Microsoft Security MVP. She writes for AskWoody.com and CSO Online. She's also known as the Patch Lady, and as an advocate for patch management, as we know, is extremely important.
One of the things I love about Susan and working with her at last year's TEC and for this year's TEC is, Susan works for a financial services firm in California. And she manages a fleet of business systems, including Office 365 servers, all the devices that are connecting to it. So she's got that boots on the ground experience that I think is really valuable. She's in your shoes right now, and she's living this. So I'll turn it over to Susan and let you have it. Thank you, Susan, for being here.
Thank you. And I will take over. And if I've done it right-- hold on. There you go. You should be seeing my screen now.
Yes, we do.
And as Jennifer said, yes, I do work for a financial services firm. We are on tax filing day. And when Jennifer reached out to me months ago and said, would you like to do a presentation on July 15, I said sure! Obviously, months went by. COVID hit. The tax season got moved. And guess what? If you have not filed your tax return today, please do so. Because when I get off of this presentation, I will be assisting in the e-filing of my office, too. Because everything electronic goes through me. So I'm the last person between you and the tax filing season.
So without further ado, as Jennifer said, my name is Susan Bradley. I write for CSO Online, as well as patches for AskWoody.com. But I'm also the administrator of the Microsoft 365 implementation here at my office. So I've experienced firsthand some of these phishing attacks, some of these ways that attackers want to come after us.
And attackers are out to get you. It's getting harder to attack the operating system. We tend to look at Patch Tuesday and go, oh my gosh. You know, it was just yesterday. What bugs will occur? And there's usually a time. There is a point in time where you don't have to rush immediately, the DNS bug yesterday notwithstanding. And you can take some time to evaluate, to test the patches, and then deploy. The attackers can't come after you right immediately. It takes them time, as well, to learn what's in these vulnerabilities and come after us.
Humans, however, are harder to patch. We have an innate want to help somebody. We are trained from birth to be nice to people. Right now, we've shifted to where most of us are working from home. So no longer do we have the interaction at the office, where somebody says, hey, did you get that email? What's going on? We have a lot of communication, a lot of communication coming out regarding COVID-19. Attackers know all this. So Office 365 and Microsoft 365, which is the suite of products, has become a key target for business email compromise. So how can you better protect yourself and your business from this?
So as Jennifer said, is business email compromise a big thing? Absolutely. During the first couple of months, from April to May of 2020, a 200% increase in business compromise. Think about that. 200%. They know that we have this squishy spot of humans, and that's where they're coming after us.
What is business email compromise? Basically, it's-- think of it as phishing, but with a very targeted idea. Especially when you're invoicing and paying, attackers know that they can interact with that process and pretend to be someone trusted. So usually, they want to steal money. They want to have you accidentally transfer money electronically to a different account than what you were intended. They want you to click on a link. There's all sorts of ways that they want you to take your money and give it to them. And you'll never see it again.
Who gets hit? Even smart people do. You've heard in the news, I'm sure, of Barbara Corcoran of Shark Tank? She was scammed out of $400,000. Now I love how she said, I was upset at first, but remembered it was only money. $40,000, in my book, is a lot of money. And I would be really upset no matter what. And especially, I'd be upset that I didn't inform my end users. I didn't empower my people to say no, to stop and think, that somebody tricked my people.
And my people are good people. So it reflects badly, I think, on me, and it reflects badly on the firm if we get tricked, especially since, obviously, we're a financial consulting firm. In a recent FBI document, they talked about three different ACH spoofs, specifically targeting construction contractors.
In February 2020, a Virginia county government made two ACH transfers of over $250,000 after receiving a spoofed email. December 18, a Virginia-based university made a $470,000 transfer, again, supposedly from a legitimate construction company. October of 2017, a health care provider made two transfers totaling over $900,000 in response to spoofed emails.
Again, this isn't new. But it's just shifted to be more targeted against the end user. And they know that we've got a little bit more squishy spots in Office 365, due to how we've moved to that platform and probably haven't taken the time to tighten it down as best as we can.
So first off, the ways they trick us is they purportedly come in from a legitimate contractor. And they say hey, you know, I'm Joe Blow, construction contractor. I need you to change the payment method or update that ACH information. It looks legit. The emails look OK. And of course, the person changes the transaction. Because again, we've been plugged in from birth to be nice to people, to help people, to say sure, no problem. I can do that. Especially in business, there's a business attitude that yes, sure. The customer is always right. I can help you do anything you want. How can I help you? So again, think in terms of turning that down a bit when talking to your users in your office.
You need to watch it, make sure, and educate your end users that emails often come with spelling and punctuation errors. They're getting better. Obviously, when they're doing these targets from overseas, they're starting to get more English dictionaries. But I still see so many times where it's so obvious that the email is wrong. Things are misspelled. The English is a little off. Again, educate your users to be aware of these things.
Just recently, in [AUDIO OUT] on Microsoft, 62 different countries around the world were targeted with business email compromise attacks. 62 countries. So this is a worldwide impact. They're using a lot of Excel files. They're using a lot of OneDrive attachments. They're using things that look normal. So again, empower people not to be so helpful.
So, specifically for Office 365, if you're like me, you've probably, within the last year to two years, moved to Office 365 slash Microsoft 365. And in the move to get off of on premise Exchange and moving on to online email, you may not have taken the time to tighten it, and to secure it. You can't just be-- it's not-- I'm going to say a radical statement. By default, Office 365 is not secure. You need to adjust it. You need to take additional steps.
Number one-- and you're going to hear me say this several times. So write this down, and then big fat [INAUDIBLE] in. Turn on multi-factor authentication for all users. You don't have to have a physical token. You don't have to have a cell phone. You can set it up to do an office call. If you are concerned about people in kiosks, if you have a certain Azure license, I'll go into the details in a bit.
You can set it up so that inside your static IP of your office, you're not prompted by two factor. But outside, you are. And I'll explain what I mean by that in just a bit.
So here's those multi-factor best practices that I want to talk about in particular. Most of you probably got an Office 365 license, and that's it. And I'm here to say, you need to mix and match your licenses. So in addition to whatever you bought on the base, there's a couple of additional licenses I want you to get. If you do not already have Azure P1, or if you don't have a Microsoft 365 Business Pro Plan, which now includes that, you can have the ability to whitelist the static IP of the office. This is really, really helpful if you have people that never go outside of the office.
Now granted, COVID-19 all of that is thrown out the window. But when we're back to a little bit more normal, and if there are certain people that only log into the office, or these days, only remote into the office, never are on their own laptops, never are outside of the static IP of the office, you can set up what's called Azure P1 license. You can whitelist the static IP of the office, so that those people aren't bothered by a two factor. This gives you the ability to say hey, these people, I know they're going to kill me if they're hit with two factor all the time. But I'm going to protect them a little bit more by still having two factor, just outside of the office. In particular for phones, you'll see this on the phones. Your phones will get hit with the two factor. Your desktops won't.
So what about remote users? If they have a laptop and they're VPNing in, yes, you're going to have two factor. But if you set up what's called an RD server or RD gateway, so they use their home personal machine to log into a desktop at the office, or an RD server at the office, you can set it up so that whitelisting works.
Again, this is an education process. I highly recommend screenshots, documentation, PDFs that you send them, step by step instructions. Grab other people's phones, like an iPhone and an Android phone. Show the exact step by step instructions. It's a little bit tricky, but it's doable. The key is education, to say here's the windows that you should expect. Here's the applications to expect. You can use the Microsoft Authenticator app. You can use the Google Authenticator app. You can use a phone call callback. You can use a text message callback.
And I'm sure you've heard in the news, oh, text messaging using phone isn't secure. It's secure enough. It raises you up from no longer being that low level attacker, attackee, I should say. You're getting out of the low hanging fruit. The attackers will go after somebody else, because you are harder to get to. So any kind of two factor at all, any kind of two factor is better than no two factor. So get yourselves out of that low level.
There's a brand new thing called Security Defaults. You go into Azure AD, Properties, Manage, Security Defaults. And what these do, in particular, is two major things that will help immensely in getting you more secure. Number one is blocking legacy authentication. Attackers know that the older protocols, such as SMTP, POP, IMAP, are easy to just nail and guess passwords. Or these days, they go to a password download site, some of the dump places, what's called the dump places, grab a whole bunch of old passwords, throw a password attack at a site. And 99% of the time, there'll be some user name and some password that gets you in the door.
So anytime you can block those legacy authentication protocols, which keeps the attacker from going after you with that low level stuff, the better off you are. So that's number one. You may have to do a little bit of research as to-- if everybody has phones that will work-- my philosophy is, if you have a phone that can't handle modern authentication, you need to tell that CEO, CIO, it's time to upgrade it. Make money in the budget. Phones these days, to me, are part of our society. I wouldn't be without one. So it's an investment that the firm needs to make. Absolutely, get rid of those protocols.
Require MFA, multi-factor, for all admins, especially global administrators. All administrator accounts must use multi-factor, no exceptions. You can set up what's called a break glass account. A break glass account means that this is an emergency only. It doesn't have MFA. But nobody ever logs in. For the day-to-day global administrator of Office 365, they absolutely should have multi-factor, no exceptions whatsoever.
You can set it up also so that multi-factor for standard users, for normal users, all accounts must register within 14 days, and/or will only be prompted with a challenge for MFA if it's a risky login attempt. It's however you want to set it up.
And here, again, here's the dashboard. You go into Properties. And this is-- I also recommend-- I actually have a Microsoft 365 license with a single user, one user. That's me, as you can see up there. And I use it for testing and seeing what the E5 license has. E5 is the most expensive, bells and whistles, and all the security features. And by having a single one that I use for demo purposes and for testing, it lets me see what I'm missing out on. Because then I go back to my normal one and go, where is that? I don't have that option in my subscription. Why don't I have that? And I realize, hey, do I need that? Do I want that subscription? And it allows me to say, hey, I really want that better feature. And I'll buy it for that risky person.
And again, here's the Enable Security Defaults. It's coming out brand new. That's the new-- if you've had Office 365 for a while, this is the brand new thing for new tenants. But you can go back and enable this for anybody already on the existing platform.
Security defaults also, accounts with credentials found on the dark web will be required to change passwords. They actually use a pwned password site, and compare the passwords on your site to that site and say, hey, if something's been lost in a breach, somebody's reused the credentials, we're going to check it. And we're going to tell these people you've got to change your password.
Require multi-factor for service management-- this may impact some of our third party tools. You'll have to do some research on that. Again, these are the new defaults. You can adjust them accordingly.
Again, I'm going to reinforce this. The legacy authentication is a key, key piece. Because attackers can use credential attacks and come after you, and especially if you have POP and IMAP still on mailboxes. You want to make sure that you change that authentication to only do modern authentication. Again, you can go-- if you wonder if somebody is going to be impacted, like your boss, which would be a career limiting move, there is a report that you can set, Report Usage. Click on the Email App Usage Report, and it will let you know what devices are still using those legacy apps.
You want to block sign in for all shared mailboxes. In particular in small business, we tend to do what's called shared mailboxes. And if you have sign in ability on the shared mailboxes, it will allow the attackers to come after those as well. So watch that. You can use PowerShell to block it as well.
You want to enable auditing. It kills me that Office 365-- it's now starting to be more default. But for the longest time, when you turned on Office 365, auditing was not enabled by default. And it was like, why not? So double check. Go into protection.office.com. Search audit log. Make sure that's turned on. If it's not already, do so now.
You want to make sure you turn on auditing policy. Again, keep in mind that if you have an ATP Plan to your Office 365 E5, there's different policies. And remember, you can mix and match. If you've got a risky person in your office that always clicks on something, or the CEO that's targeted, or his assistant, his administrative assistant-- everything goes through her or him to go before the CEO-- remember you can mix and match licenses. So you can have an E5, which has all the security goodness stuff for those risky people. Again, here's the audit log search. If you do not have this, if you don't see this screen, you want to turn that on. So review that that's there.
You want to configure email authentication. You want to set Sender Policy Framework. If you're hosted in Office 365, it's a really easy thing to do on your DNS. If you haven't done that, check and make sure that you've done that. You want to configure Exchange Online Protection. If you don't have Exchange Online Protection, have something between you and the attackers, some sort of filtering thing that scans the links, that scans the sites, that pre-scans the email. You want to make sure you have something. I am a fan of Advanced Threat Protection. But bottom line, get something between you and the bad guys. It's not foolproof. Something always wiggles in. But it helps a lot to cut down those things that do come in.
In the Security Compliance Center, you want to navigate to Threat Management Policy to check to see if it's on. And again, different licenses have different options. So again, I recommend getting an E5, just to see what you're missing out on. And you can mix and match. So different people can have different policies.
Secure Score-- inside the Office 365 slash Microsoft 365 is something called Secure Score. And when you first set up a subscription, you have a pretty low score. And then you can go through, one by one. And it says what needs to be done. Do you have MFA on, yes or no? Do you have a policy to block legacy? Do you have a user sign in policy? Do you have a sign in risk policy? Go down one by one. It may take you some time. If you have a spare moment, when you're not doing other things in your environment, take the time to go through this Secure Score. Because you'd be surprised how many things that you can easily turn on, not impact your users, and get yourself a lot more secure.
You want to configure anti-spam and outbound spam, anti-malware, anti-phishing, and install the Report Message add-in for end users. That allows them to see the spoofs and things that come in. I also turn on, because I like to see this thing, as administrator, I turn on redirected malware reports. So I like to know my Office 365 is doing what it's supposed to. So I actually get, when there's malware, and it's grabbing it, and it's blocking it, I get those reports. Because I like to see it in action. I like to know where my money's going. So I turn those things on in my environment.
You want to disable mailbox auto forwarding. This is so key for business email compromise, because why? Because the attackers come in. They will, if they don't do it directly from a user, they don't trick that user into changing things on their own, they can take over a workstation through any number of means, phishing email. And they can build rules, automatic email rules. When an email comes in from JoeAttacker.com, forward it to JoeAttacker.com so they don't know that I've taken over their system.
And so what you want to do is, you want to block auto forwarding, so that there's much more of an approval process. There's an overt process that you have to go to if you ever set up a forwarding rule. I even set up alerts on systems, so that if there is a forwarding rule in place, for whatever reason, that when it's triggered, I get notified of it.
So with auto forwarding turned on, attackers can come in, compromise a system, because they need to have the email in place to either reset passwords, get into a banking account, you name it. With these auto forwarding rules turned on, they can hide underneath the radar, and do things through your email box, without you knowing about it. So you want to make sure that you check to see that there's no rules already set, and you want to lock that down proactively.
You want to enable Admin consent requests for apps. I consider this kind of like the new local admin-ish of cloud security. So what is this? OK, so when you're in Office 365, there's a lot of places where you can enable apps, enable third party cloud apps that will plug into a Microsoft 365 or Office 365 item. And an add on for Teams, an add on for Outlook, an add on for this and that. And you, as the administrator, may not want people to add it.
So I set up in my office that if somebody wants to go add something, I have a list of trusted apps that are OK. And then anything else, I say, they're going to have to check with me first. So there's an approval admin process, where when they go and they try to click on something and add it to their system, an email comes to me as the admin and says, hey, is it OK that this person tries to install this, yes or no? And I can approve it, or I can disapprove it.
So make sure that you understand that people can add things to your infrastructure and you not realize it if you don't have this in place. And you go into User Consent to Apps, and you uncheck that box where it says Let User Provide Consent When Apps Request Access to your Organization's Data. Again, think in terms of, do you really want somebody third party coming into your data without you knowing about it? And so I uncheck that box.
Azure sign in logs-- so again, this is one of those, when I first got in to Microsoft 365, and this was not default, I was like, oh my gosh. Really? Now it is, with a Microsoft 365 Business Plus account. This is built into that subscription. But if you don't have that in your subscription, I highly recommend that you add an Azure P1 license to it.
What is this? It allows you to review who's signing into your account. This is very, very important. Early on, when I first set up Office 365, I did not have multi-factor initially. I was just setting it up. And literally, within 30 minutes of me turning on Office 365, I already had people trying to log in to various different user accounts on my network. And it was like, whoa! Wait a sec, guys. Why are you from Mexico, trying to log into my system? Why are you from Turkey, trying to log into my system? I have nobody in those countries. What's going on? So you want to turn on this P1. And then you can see actually who's logging into your system. You can see what application is logging in, and it's so important to have this information.
So if you don't have an Azure Active Directory user log in, by all means, add a P1. It is so key to knowing who is coming into your network, who is trying to attack you.
Message trace-- message trace allows you to trace incoming and outgoing emails, and can be done through the Exchange Admin Center, or through the Security and Compliance Center. And they're in the process of moving the message trace to a new place.
Usually, what I do-- I'm terrible. Because I go into Microsoft 365 some, but I'm not there 100% of the time, so many times, I go, where is that? And then I have to Google it. So with my old brain, I've literally built shortcuts on the desktop for the URLs for certain locations that I go to on a regular basis. So message trace is one of those places where I go. The P1 licenses, or P1 user logins, I have a shortcut on my desktop. Whatever it takes for you.
If you're a PowerShell person, have a folder full of PowerShell scripts that give you the same information. If you're a GUI person, have shortcuts to those places inside Microsoft 365 that give you the key information you need to track this. So have shortcuts, have PowerShell. But basically, have locations that you can go to and get this key information. The new link for message trace is protection.office.com/#/messagetrace. It gives you default queries and custom queries that you can start on.
You want to review user permissions. You want to look under Mail Settings, Mailbox Permissions. Attackers can add rights to another mailbox to add persistence rules. Persistence is so key these days. When an attacker comes into an organization, they want to slither in. They want to come in through an email compromise, and they want to wait and sit there for a while, and just kind of take inventory, see how everything's going, see what kind of juicy stuff you have in your information, on your network, and do some reconnaissance. They don't want to attack right away. They want to do it slowly, quietly, so that you don't know what's going on. In the background noise of your network, as chatty as it is, it just kind of is under the radar.
So you want to check mailbox delegation, and you want to check on rights to another mailbox. Those are two key things. And again, go into the person's mailbox. You can do these reports either through the GUI or through Powershell. And you want to see if someone has full access, and whatever delegation access they have there.
Phantom users-- you want to check for unused accounts in your organization. After the hack, the attacker may still have access to a user's mailbox. They may also have access to SharePoint or OneDrive. So you want to make sure-- and this is also true for, if you allow people to invite guests to your SharePoint or OneDrive location. Have a regular, like once a month, every six months, have a regular process where you go through and do an inventory of those users on your accounts, and say, hey, who are these guest users? Do I still need them? Is it still active? When is the last time that person logged in? And if they haven't logged in a while, boot them off. And when somebody complains, you can put them back on. But there comes a day where your job is to protect the network. It's not necessarily to be extremely nice to everybody in the network.
Consider upgrading to Azure Active Directory P2. Risky users in particular can be upgraded to a P2 license. It changes from five days of logs to 30 days of logs. And in particular, because bad guys usually like to wait and hide and take time, it gives you the ability to better investigate. It also gives you the ability to do geo-restrictions. I actually did this with one person in my office. He was going overseas. And when he came back, he was still getting some access from that location. I put it on a P2. So I was blocking all logins from anything but the United States.
So if you like the ability, if you're familiar with a firewall, where you probably had a geo-blocking ability that said, hey, I don't want people from Kazakhstan-- no disrespect intended. I don't want people from this location. I don't want people from that location. The P2 gives you that same ability, a geographical restriction. And again, you can mix and match. So you can have your CEO, who always gets attacks from other locations, he can be on a P2. And he can be geo-blocked for certain locations.
You want to add verification for transfers. Now, this is where I step away from the technology and say, you know what? There's times when technology is wonderful. And there's times when, go back to the old fashioned human. Especially right now, with COVID-19, where we're all working from home, where we can't walk down the hallway and say hey, Joan, did you mean for me to change that ACH transfer account? And she says, oh no! When we're so much relying on email and texting and Teams and all this stuff, stop. Don't use the technology. Put in place processes to say hey, pick up an old fashioned phone. Call that person and say, when there's a transfer that involves more than X amount-- $20,000, $30,000, whatever is a huge amount of money in your neck of the woods-- have that be actually approved the old fashioned way, with a phone call to another person.
So have an agreed upon word or phrase. Have the bank be on the alert for scams as well. Contact your bank. They usually have processes in place, some sort of additional verification process that you can turn on, something that will slow the process down, so that the attackers can't come after you.
Recommendations from the FBI-- you want to verify the legitimacy of the ACH forms. You want to verify this with secondary methods. It gets back to old-fashioned calling, talking to the human. They note that the presence of a legitimate employee's name in an email account is not necessarily enough to verify the email's legitimacy. Again, if-- empower those people that are handling funds to say, hey, if something doesn't seem right, stop. You don't have to be so helpful. It's OK. It's OK to be protective of our organization. I will love you to death if you slow down an email, if you stop, and you stop a business email compromise.
So don't be so helpful. Think of that. Key takeaways: add multi-factor. Let me repeat that again. Add multi-factor. The single most important thing you can do to help your Office 365 organization to not be attacked is to add multi-factor authentication. It's an education thing. Have some documentation. Give education to your users. But it's so, so key to have multi-factor. You want to add a P1 to better manage logging and expose user logins to yourself. You want to mix and match those Microsoft 365 licenses. Have an E5. Have an E3. Have a kiosk license for those people that don't need it.
Take the time right now, with COVID-19, and budget crunches, and things like that. Go through and re-evaluate licenses. Everybody doesn't have to have the same license. You can mix and match. You just have to make sure that you have only those people doing that thing. So the kiosk people can't have a desktop Office install. But mix and match those licenses to better secure you.
There are two resources I highly recommend that you look at. Number one, for consultants, a gentleman, Alex Fields, runs a site called IT Pro Mentor. And he has a best practices checklist. Even if you aren't a consultant, even if you're just running your own firm, I highly recommend you go through that best practices checklist. The second organization is CISecurity.org. They have a free Microsoft 365, Office 365 checklist. It goes through step by step, and tells you what their recommendations are, what it will impact. It's a very, very comprehensive, community-based checklist. You do have to sign up with their organization. You have to provide an email address in order to download it. But it is a free download. So I highly, highly recommend them. ITProMentor.com and CISecurity.org are two places that I go to for resources.
Again, I'm going to be a broken record. Two-factor authentication. It can be set up with the Microsoft Authenticator app. It can be set up with the Google Authenticator app. It can be set up with text messaging. It can be set up with an office callback. Anything that gets you out of that low-hanging fruit means the attackers go on to somebody else.
If you can't do anything else, if you get people pushing back, at least, at least have the administrators in your office on multi-factor. Start there. You know, you can beat up on each other, yourselves, the administrators, and get them on multi-factor. Do it yourself first, if you're an administrator in the firm. Do it first. Get all of your administrators on it. And then take the time to move it lower down, to where everybody is on multi-factor.
And with that, if anyone has any questions, I'm open to questions. We have about 10 minutes left, and I want to make sure I have time for questions.
Yeah, we have a question in already. So folks, you can put your questions in the Q&A, and we will read those aloud, and then get those answered for you. So two questions came in. One, though, was specifically about the slides. Yes, we will make the slides available afterwards. I will send those out here shortly. They'll come from my email address. So just pay attention to that.
We also put this recording on the theexpertsconference.com website. So you could go there. It'll probably take a couple of days to get it up, only because I've got some folks out on vacation this week. So I'll read the question that we have here. Someone says, our configuration is VPN for company data and directed to Microsoft for Office 365. What suggestions can you provide to secure Office 365 without mandating access via VPN?
So it depends on how your organization is set up. I mean, here in my office, I don't do VPN. We do party gateway. I know other people that use Office 365, and they use the cloud services. So I have a good friend. And she has, she's a consultant, Amy [INAUDIBLE]. I believe she's going to be speaking at the TEC Conference in November as well. And she has quite a few organizations that have gotten rid of Active Directory. And they have no domain. And their domain, and I put quotes around that, is their Active Directory, Microsoft 365. And so all of the data is up in either SharePoint or OneDrive. And that's how they've flipped their organization.
And your next presentation at the TEC talk is actually going to be talking about that. After you've moved email to the cloud, what about the rest? So it's a big change. A lot of it has to do with where are your applications, your day-to-day business applications? A lot of minds still are on the desktop. That's changing. I can see in the next five years-- it might even be sooner. One thing we've seen with COVID is, COVID has dramatically increased the push to the cloud and the push to alternative ways to do our work.
My thought process is, in the next five years, I'm probably not going to be able to buy desktop versions of what I'm using right now. My vendors will only do cloud versions. So it's a matter of, if you're in a business decision-maker role, I have the decision I make now, and I have my five-years-down-the-road kind of view. The decision I'm making now, since obviously your line-of-business applications are currently on a VPN, you do what you have to do. I would suggest, if you haven't done so already, the split tunnel, where you still go back to your office for the data. But if you're patching Office 365, you let that go to Microsoft Update on the local machine.
What we mean by that is, for many, many years, the old-fashioned thought was everything should go back to the home office. Data, patching, you name it, the whole hype of the workstation from home should go back over the VPN. That puts a lot of data, a lot of traffic on that VPN. These days, the best practice recommendation is to split that. Your data goes over the VPN. Your Office 365 patching goes over the Microsoft Update pipeline. And there's, if you don't see-- I don't have them in this presentation. But if you go, just Google on split tunnel VPN for Office 365, you'll see a ton of Microsoft guidance on this.
It is no longer seen as this horrible thing of security. We've realized today that with everyone being on the web, with so much of our internet being around us, it's no longer-- you don't have to go back to the office to protect. You can put in place things on the workstation. You can put Defender. You can put endpoint protection on those home workstations to still protect them while they're doing the split tunnel.
Going forward, in the next five years, I would say, look at that plan going forward and say, hey, where are we going? Where are our applications going? Are they moving to the cloud? Are they getting to where the desktop is meaningless, and all you have to have is some sort of device that gets to the web, and then your data is up there? So I'm not giving you an exact answer. I'm giving you a do-the-best-you-can for now. For now, I would say, split tunnel. For the future, I'd say think about where you're going to be in five years. Is it going to be full cloud? Is your data going to be in Office 365 completely? And stay tuned until the next TEC talk.
Excellent. I was able to capture, I think, most of what you said, at least the concepts of it, and put that also in the Q&A. So if you have any other questions, please put those in there now. Susan, one thing I'd like to comment on is, I liked what you said about removing the low-hanging, removing yourself from the low-hanging fruit for attackers by turning on two-factor, multi-factor authentication.
You know, it seems like most criminal activity is because an opportunity was created. And when you're turning on two-factor, you're removing that opportunity and making it much harder. I think there's a lot of truth to that, from locking my doors on my car, to turning on two-factor. I think it's the same concept, for sure.
Literally-- I'm going to bring in something off topic. Literally, just the other day in my city, we had a gang of about 10 individual youths walking down a city street, with cars parked in the driveways, and literally just going down the street, checking for open doors. And if they didn't find an open door, they walked on.
And it was a little chilling to see, because people were getting these shots on Nest cameras and Ring cameras, as 10 youths were walking down the street. And it's the same concept as the low-hanging fruit. If a door was open, they would have stopped and said, hey, I can probably do something. But because the doors were locked, they went down the street.
Excellent. One question I have-- I asked this to you last week, when we synced up. Microsoft 365-- sorry, Teams, Microsoft Teams-- is there any opportunity for scamming to happen via Teams, if you've got like open federation, and the opportunity for someone to reach out via Teams and pretend like they're a vendor?
Absolutely, and that's-- one of the recommendations goes, Teams, OneDrive, all of those, you want to go back. You want to set a schedule where you go back through and look at guest users. Well, I should back up a little bit. First off, you want to decide if you want guest users. So that's your first decision. Some organizations don't want to have guest users. My firm, I do not have guest users in my Teams. If I'm going to have Teams, I'm going to have it outside of my firm organization, so that there's no-- I can tell immediately if there's a scam or not.
For other organizations, you can't do that. So what I'd recommend there is, again, set up a schedule where you review the guest access. You have a process where you approve the guest access. Who gets the right to invite people? Usually, Teams and even SharePoint are set up pretty loosey-goosey. And there is a whole-- Google out on this on SharePoint rules and SharePoint federation and SharePoint governance, is the word I'm looking for.
There's a whole other conference. In fact, there were several presentations at the last TEC talk, about governance. And before you roll out technology, you want to take a step back and say hey, do I really want to have this and this and this happen? So the first step is governance. Do I want to have guest users? If I do want to have guest users, who gets the ability to invite those? Who makes the decisions?
You probably don't want to have everyone in your organization have the ability to invite people. You want to have a process. You may even want to do a Forms process. Forms is another Office 365 application. You can set up a custom form that gets filled out and be sent to somebody.
So if you want to have a request process, where person A has to request to person B that somebody be added, set up a form. Set up a process. Things don't have to be done immediately. You can take time to vet somebody and check somebody.
Excellent. Well, thank you, Susan. I don't see any additional questions right now. I want to thank those folks for attending, and you for your time and attention. I will send out the slides afterwards. And then in a couple of days, you can go to theexpertsconference.com and check out the recording as well.
Really great points here, Susan, for protecting your Office 365. Thank you for your time, and sharing your expertise with us. And good luck today on tax day.
I know, till midnight, yes.
Yes, good luck. Thank you so much, and thank you, everybody.