Identity & Access Management (Entra ID)

Microsoft Entra ID is a cloud-based identity and access management service for applications like Office365 and Azure.

Entra ID Security Defaults

Security defaults are a group of settings that help protect your organization from emerging threats and cyberattacks like brute force attacks, password spraying, phishing, etc.

Security defaults include the following requirements:

    • Register a multi-factor authentication method (all users).
    • Log in using multi-factor authentication to access the Azure portal, Microsoft Entra admin center, Azure PowerShell, and Azure Command-Line Interface (all users and administrators).
    • Block legacy protocol authentication.

NOTE! Security defaults are free, while Conditional Access requires Entra ID Premium licensing (P1 or P2). Also, Conditional Access policies are fully customizable, whereas security defaults are not.

Conditional Access Policies

Conditional Access policies have the potential to prevent any unauthorized access to sensitive data, considerably improving your security framework.

Administrators can control who has access to applications and resources based on certain conditions/criteria: user identity, device, location, and more.

For instance, let’s say you oversee identity and access management at a company that has 70 employees in the following departments:

  • Research & Development (some employees are allowed to work remotely)
  • Sales (part of the team is based in the US)
  • Finance & Accounting

Also, the organization outsources the following services: Marketing, IT and Cloud consulting.

Employees should only have access to services and files relevant to their work (the principle of least privilege) while each department should be able to operate remotely.

This is how organizations usually operate today. Employees now work remotely, sometimes across different continents, in different roles and levels of access rights and privileges.

If an administrator logs in from overseas, the authentication process must be stricter than it would be in the office, so authentication security has to be tightened for that case.

To give employees flexibility while addressing the diverse security requirements, a Conditional Access strategy is paramount. With it you can apply security measures to specific roles, locations, and applications for a robust and adaptable security posture.

Users, Target Resources & Conditions

The Users

Configure who is affected by the policy. You can include/exclude a group of users (e.g. Marketing department members), specific roles, and more.

Target Resources

User actions – Administrators can define policies based on user action. For instance, the user tries to register security information (MFA, password, etc.) or connect a new device to the tenant.

Cloud applications – Administrators can assign security controls to specific applications.

Authentication context – Administrators can configure authentication contexts which will be used to further secure data and actions in applications.

Conditions

Sign-in risk: This security feature enables administrators to control user access based on the likelihood of a fraudulent sign-in attempt.

User risk: Allows administrators who have access to Entra ID Protection to label users as risky if their activity is suspicious, so that policies can treat those users differently.

Location: You can approve or deny sign-ins based on the geographic location of the user.

Device platforms: Approve or deny access based on the operating system of the device used for login.

Client apps: You can approve/deny an authentication request based on the client application used for login. Unfortunately, legacy authentication clients can expose the user to identity fraud, brute-force attacks, etc.

Device filters: Approve or deny access based on the user’s device.

Conditional Access: Benefits

You can use Conditional Access controls to improve security and achieve compliance goals.

Location-based access: You can define trusted and untrusted zones and apply access conditions to them. For example, you can require multi-factor authentication for users logging in from home but skip the rule for all users who log in from headquarters.

Blocking unauthorized access: Allow access only to passwordless authentication methods to minimize the risk of compromised user accounts.

Identity and application granularity: You can create application/entity-specific policies to allow access in case of an emergency, under specific conditions.

Session controls: You may consider creating reauthentication policies for different roles within the organization. For instance, non-privileged users may be required to reauthenticate more often.

Compliance-based access: Allow/block access based on device compliance. This way you ensure that user devices meet minimum configuration requirements. For example, if a device used for authentication is marked as compliant in Entra ID, your controls can be less restrictive.
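To make the combination rules concrete, here is an added Python model (not Microsoft's evaluation engine and not code from the original page) of how several policies covering the scenario above combine for a single sign-in: every enabled policy whose conditions match applies, a block wins over any grant, and a compliant device can satisfy an "MFA or compliant device" grant. Field names loosely follow the Microsoft Graph conditionalAccessPolicy resource; the SignIn attributes, the role placeholder and the account names are assumptions.

```python
from dataclasses import dataclass, field

# Placeholder: a real policy lists the directory role template GUID here.
ADMIN_ROLE = "ROLE_TEMPLATE_ID_GLOBAL_ADMIN"
LEGACY_CLIENT_APPS = ["exchangeActiveSync", "other"]   # legacy authentication client types


@dataclass
class SignIn:
    """Assumed attributes of one sign-in attempt (constructed for this example)."""
    user: str
    roles: set = field(default_factory=set)
    trusted_location: bool = False   # True when the source IP is inside a named trusted location (HQ)
    client_app: str = "browser"      # "browser", "mobileAppsAndDesktopClients" or a legacy type
    device_compliant: bool = False   # device marked compliant in Entra ID


POLICIES = [
    {   # Administrators outside the office must use MFA (the overseas-admin case above)
        "displayName": "Admins outside trusted locations: require MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [ADMIN_ROLE]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Legacy protocols cannot do MFA, so block them outright (what security defaults do)
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": LEGACY_CLIENT_APPS},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Everyone working remotely: MFA, or a compliant device; emergency account excluded
        "displayName": "Remote users: MFA or compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass@example.com"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def policy_applies(policy: dict, s: SignIn) -> bool:
    """True when every configured condition (users, locations, client apps) matches the sign-in."""
    cond = policy["conditions"]
    users = cond.get("users", {})
    in_scope = "All" in users.get("includeUsers", []) or bool(set(users.get("includeRoles", [])) & s.roles)
    if not in_scope or s.user in users.get("excludeUsers", []):
        return False
    loc = cond.get("locations")
    if loc and s.trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    apps = cond.get("clientAppTypes", ["all"])
    return "all" in apps or s.client_app in apps


def evaluate(s: SignIn, policies=POLICIES) -> str:
    """Combine every matching policy into one outcome: "block", "mfa" or "allow"."""
    outcome = "allow"
    for p in policies:
        if p.get("state") != "enabled" or not policy_applies(p, s):
            continue
        grant = p["grantControls"]
        controls = set(grant["builtInControls"])
        if "block" in controls:
            return "block"                       # block takes precedence over any grant
        if grant["operator"] == "OR":
            if "compliantDevice" in controls and s.device_compliant:
                continue                         # the compliant device satisfies this policy
            controls.discard("compliantDevice")  # not compliant: only the remaining controls can
        elif "compliantDevice" in controls:      # AND: a compliant device is mandatory
            if not s.device_compliant:
                return "block"
            controls.discard("compliantDevice")
        if "mfa" in controls:
            outcome = "mfa"
        elif not controls:
            return "block"                       # no remaining way to satisfy the grant
    return outcome
```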

Final Thoughts

With proper Entra ID security controls, many emerging cyberattacks become preventable. On the other hand, Entra ID misconfigurations can impact your environment, so make sure to plan carefully and partner with the right team for a professional implementation.

File Share Phishing: Overview

Cybercriminals’ favorite way to break into a company right now is by sharing a document that leads to a fake Microsoft login page. The link could direct you to SharePoint, OneDrive, Dropbox, or another site, but the goal is always the same – they want access to your email account. Because this attack has become so common, we’d like to share some advice with you.

When you first receive a shared file, your initial thought might be, “Is this for me?” You may even respond to the email and ask the sender that very question. Unfortunately, it’s easy for cybercriminals to reply with a generic “yes.”

Moving forward into 2025, a better question to ask is, “What’s this for?”

First, ask yourself this question before clicking any links in your email. If the link is part of an active conversation, that’s great – you should be safe.

If you can think of a valid reason why someone sent you the link, then you can ask the sender, “What’s this for?” If you receive a vague response, that’s a red flag, it’s likely an attacker, not a legitimate contact.

If you have no idea why someone sent you a link, do not click on it. You can still ask the sender for clarification, but only proceed if they provide a clear, specific explanation.

The following examples may look like harmless file sharing emails, but all three of these deceptive messages led to phishing websites that were waiting to steal the user’s login information.

[Images: three sample phishing emails disguised as a Dropbox design file share, a SharePoint file share, and a Dropbox shared file]

Remember: Always verify that the shared file is part of an active conversation before clicking on it.

Cross-site Scripting (XSS)

Cross-site scripting, also known as XSS, is a web security vulnerability that enables hackers to manipulate user interactions with a vulnerable application. Through cross-site scripting, the perpetrator can impersonate a user, execute any actions the user is able to, and access and manipulate their data. If the user has privileged access within the application, the perpetrator may gain complete control over all functionality and data associated with that application.

Briefly, cross-site scripting involves manipulating a website to run malicious scripts. When the code executes within the victim’s browser, the attacker can fully compromise the interaction with the application.

Types of XSS Attacks

There are three main types of XSS attacks.

Reflected XSS occurs when an application receives data in an HTTP request and includes that data within its response in an insecure way.

Here is a simple example of a reflected XSS vulnerability:

https://website.com/status?message=Everything+is+fine.

<p>Status: Everything is fine.</p>

Instead, a hacker can easily perform an attack like this:

https://website.com/status?message=<script>/*+malicious+code+here…+*/</script>

<p>Status: <script>/*malicious code here*/</script></p>

If the user visits the URL generated by the attacker, then the perpetrator’s script executes in the user’s browser. At that point, the script can carry out any action and retrieve any data to which the user has access.

Stored XSS occurs when a vulnerable application receives data from an untrusted source and includes that data within its subsequent HTTP responses. This data is typically submitted via HTTP requests, for example as comments on a forum or blog post, usernames in a chat room, etc.

An example of a stored XSS attack is an application for exchanging text messages which allows users to submit any messages which are publicly displayed to other users, such as:

<p>Hello, this is my text.</p>

The application won’t perform any other verification over the submitted message, so the hacker can easily send a malicious message:

<p><script>/*malicious code here*/</script></p>

DOM-based XSS occurs when an application contains client-side JavaScript that unsafely processes data from an untrusted source, for example by reading the value of an input field and writing it back into the page.

If the perpetrator controls the value of that input field, they can construct a malicious value so that the application eventually executes their script.

What can XSS be used for?

A hacker who exploits a cross-site scripting vulnerability is able to:

  • Impersonate the victim user.
  • Inject malware into a website.
  • Perform any action that the user can perform.
  • Capture the user’s login credentials or other sensitive data.

The impact of an XSS attack will depend on the functionality of the targeted application, the captured data, and the access-level of the compromised user.

So, in the case of a simple application where all users are anonymous and all information is displayed publicly, the consequences will be minimal. On the other hand, an application holding sensitive data, such as banking transactions or healthcare records will be massively impacted.

Also, if the compromised user has elevated privileges within the application, then the impact will be serious, allowing the hacker to take full control of the application getting access to users and data.

Test For Such Vulnerabilities

Testing for reflected and stored XSS involves submitting a simple, unique input (a short alphanumeric string) into every entry point in the application and identifying where the submitted input is returned in HTTP responses. Next, test each location to find out whether the input can be used to execute a script.

Manually testing for DOM-based XSS can be done by placing a unique input in the parameter, then using the browser’s developer tools to search the DOM for this input and testing it to determine whether it is exploitable. Other types of DOM XSS are harder to detect, but achievable with the right support team.

Prevention Methods

Preventing XSS vulnerabilities will involve a combination of the following measures.

In case user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as script.

Also, when the user input is received, filter as strictly as possible based on what data you expect to receive.

Make sure to utilize appropriate response headers. To prevent cross-site scripting in HTTP responses that aren’t intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses the way you intend.

Finally, one of the most effective measures for safeguarding the client side of your business is to implement a content security policy (CSP). This security measure can be easily integrated into any website, providing an additional layer of protection.
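The testing and prevention steps above, as an added Python example that is not code from the original page: reflection_contexts() records where a canary lands in a response (the context decides the encoding needed), render_status_unsafe() reproduces the vulnerable status endpoint shown earlier, and render_status() is the hardened version with input filtering, output encoding and the response headers recommended here. The canary value, the length limit and the CSP baseline are assumptions for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

CANARY = "xss7k2q9"            # short unique alphanumeric probe, as the testing section suggests
PROBE = "<" + CANARY + ">"     # follow-up probe: does a tag-like value come back raw?


def reflection_contexts(body: str, canary: str = CANARY) -> list:
    """Where each reflection of the canary lands in the response: attribute, script or text."""
    contexts = []
    for m in re.finditer(re.escape(canary), body):
        before = body[:m.start()].lower()
        if before.rfind("<script") > before.rfind("</script"):
            contexts.append("script")          # inside a script block
        elif before.rfind("<") > before.rfind(">"):
            contexts.append("attribute")       # inside an unclosed tag, i.e. an attribute value
        else:
            contexts.append("text")            # plain element text
    return contexts


def reflected_raw(body: str, probe: str = PROBE) -> bool:
    """True when the tag-like probe is echoed without encoding: that location is exploitable."""
    return probe in body


def render_status_unsafe(url: str) -> str:
    """The vulnerable status endpoint: the query value is concatenated straight into HTML."""
    message = parse_qs(urlsplit(url).query).get("message", [""])[0]
    return "<p>Status: " + message + "</p>"


def security_headers(content_type: str) -> dict:
    """Response headers recommended above; the CSP value is one reasonable baseline (assumption)."""
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",   # stop browsers sniffing JSON or text into HTML
    }
    if content_type.startswith("text/html"):
        headers["Content-Security-Policy"] = (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
        )
    return headers


def render_status(url: str) -> tuple:
    """Hardened endpoint: filter on input, HTML-encode on output, pin the content type."""
    message = parse_qs(urlsplit(url).query).get("message", [""])[0]
    if len(message) > 200 or not message.isprintable():   # a status line is short, printable text
        message = ""
    body = "<p>Status: " + html.escape(message, quote=True) + "</p>"
    return body, security_headers("text/html; charset=utf-8")
```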

The Man-In-The-Middle Attack

This type of cyberattack occurs each time a hacker intercepts and manipulates communications between two parties. So, once positioned as Man in the Middle, usually between a client and a server, the perpetrator will:

  1. Intercept data in transit. The attacker becomes a transit point for all data exchanged and can potentially intercept sensitive information, for instance, private communications, files, etc.
  2. Alter data in transit. The attacker can alter the messages exchanged and compromise the content of the communication, opening the door to numerous threats.
  3. Inject malicious code. The hacker can insert various types of malicious content, such as scripts or falsified web pages. This approach can be used in a variety of contexts like phishing attacks, XSS attacks, etc.

Most Common Techniques

Session hijacking occurs when an attacker takes over a session between a client and a server. The hacker’s device replaces its IP address with that of the trusted client. If the server continues the session, the attack has succeeded.

Sniffing is used by hackers to gain visibility into confidential data packets, typically by switching a wireless network interface into a monitoring mode that captures all traffic it can see.

IP spoofing is utilized to disguise the attacker’s IP. The IP address is the identifier that allows data to be sent between devices on a network. It includes location information and makes devices accessible for communication.

Packet injections occur when hackers inject malicious packets into data communication streams. The packets can blend in with valid data communication streams making them appear as if they were part of a normal data exchange.

How to Detect a Man-in-the-Middle Attack

This type of cyberattack can easily go unnoticed if the proper precautions are not implemented. A weak encryption setup can allow the perpetrator to brute-force their way into your network and begin intercepting traffic as a man in the middle.

Checking for proper page authentication and implementing a tamper detection solution are typically the key methods to detect a possible attack.

Actively searching to determine if your communications have been compromised is important.

Being aware of your browsing practices and recognizing potentially harmful areas is crucial to maintaining a secure network.

Prevention & Protection Measures

Encrypting communications is one of the most effective measures for protecting data exchanges against Man in the Middle attacks. The stronger the encryption, the safer.

The Transport Layer Security (TLS) protocol, which uses modern encryption algorithms, is now the standard for ensuring the confidentiality, integrity, and authenticity of online communication.

TLS creates a secure channel between a client and a server, protecting exchanged information against manipulation. This encryption is based on the use of digital certificates and guarantees the authenticity of the data source.

TLS certificates must be issued by recognized certification authorities and renewed on a regular basis. Utilizing expired certificates is detrimental because it can expose your organization to cybersecurity risks.

Also, utilizing a virtual private network (VPN) to create a secure environment within a local network is advisable. It uses key-based encryption, so even if a hacker somehow gets access to the network, they will not be able to decrypt the traffic in the VPN. As an extra layer of protection, end users should utilize multi-factor authentication (MFA) to access the VPN as well.

Carry out regular network penetration tests to assess the risk of Man in the Middle and other similar cyberattacks.

Organizations also rely on deep packet inspection (DPI) solutions, which perform granular analysis of all protocol headers and payloads, not just the IP address.

Consider enabling HTTP Strict Transport Security (HSTS) to force browsers to use only secure connections with the server.

For a professional approach against this increasingly popular type of cyberattack, please reach out to StratusPointIT. Keeping your enterprise, your people, and your data safe is our commitment.

The Annual IT Security Assessment

Regular IT security assessments identify and address any weaknesses in networks, systems, and applications, to protect the organization from potential cyber threats.

Such assessments are essential for organizations of all sizes.

Why Are Security Assessments So Important?

Security assessments are crucial because they objectively evaluate the state of security of an organization, identifying potential security flaws, weak points, risk areas, and gaps in security measures, and they help businesses develop cybersecurity plans to address such weaknesses.

By reviewing and assessing current security measures, organizations will ensure that their policies and procedures are optimal and security focused.

The annual cybersecurity assessment is a critical process for any business also because it can determine additional security measures that need to be implemented to keep all networks and systems secure.

Identify Vulnerabilities

The first thing that needs to be done is to try to identify all the risks that could affect your business based on industry. This will help the designated team to assess the likelihood of an attack, the reasons behind it, and the level of impact. Afterwards, the team will have to document and track all these vulnerabilities.

Identify Internal & External Threats

Many types of cyber threats can affect your organization at any given moment. Therefore, it is essential to identify which threats are more likely to affect your organization, both internal and external.

NOTE! By understanding the vulnerabilities and threats similar organizations are facing, you can improve the IT security posture of your organization.

Determine Potential Impact

Determining, based on analysis, the likelihood of each threat and the potential impact it could have on your business is mandatory. This can be assessed by studying the occurrence of certain types of cyberattacks and the impact each attack has had or could possibly have.

Prioritize Your Resources

Next, you should prioritize your resources accordingly by tracking how often each type of threat occurs. It is crucial to develop and implement a cybersecurity strategy to include the best solutions and mitigations based on the type of cybersecurity incident.

Review Privileged User Access

Privileged user access audit involves a systematic evaluation of the access rights and permissions granted to privileged users within an organization’s digital infrastructure.

Assess Security Services

There is a plethora of IT security services available. However, every business is different and there is no one-size-fits-all strategy for cybersecurity. A professional IT security team can evaluate your needs and vulnerabilities and suggest the appropriate solutions according to best practices.

Assess Backup Services

Prioritize a backup service that offers both reliability and security and the features your business needs at affordable rates.

MFA/Passkey Assessment & Recommendations

For long-lasting security, it is vital to implement multi-factor authentication (MFA) across all user accounts and devices. By utilizing a combination of different authentication factors like biometrics or one-time passcodes, you will create layers of security that will make it harder for hackers to gain unauthorized access.

Regularly monitoring and analyzing authentication logs for suspicious activities will provide an additional layer of protection.

Review Patch Management

Patch management tasks include deciding what patches are appropriate, ensuring that patches are installed properly, thoroughly testing systems after installation, documenting all associated procedures, etc.

A comprehensive cybersecurity assessment involves accurately determining your systems’ patch status.

Scan and Test Your Environment

Performing a vulnerability scan will help identify risk and attack vectors across networks, hardware, software, and systems. While a vulnerability scan uncovers risks, an internal and external network penetration test attempts to exploit those risks by trying to hack the network. Performing these scans and tests will help identify areas of improvement and investments needed to protect your infrastructure.

Don’t Settle For Good Enough

Unfortunately, cyber threats will never disappear, but by making cybersecurity a top priority, you will be able to safeguard your business assets both effectively and efficiently.

By identifying and documenting vulnerabilities, risks and likelihoods with regular cybersecurity assessments, you will be ahead of the game in protecting your organization from emerging cyber threats.

We can help you protect your sensitive data, implement proactive security maintenance as we perform vulnerability assessments and management to improve your IT security posture. Keeping your enterprise, your people, and your data safe is our commitment.

SMTP Smuggling: Overview

The landscape of cybersecurity is evolving, and modern threats like SMTP smuggling are a stark reminder of the importance of staying up to date on defending against such cyberattacks. But what is SMTP smuggling, and how does it work?

What is Simple Mail Transfer Protocol?

Simple Mail Transfer Protocol is a TCP/IP network protocol utilized to send emails between different servers. SMTP email clients include Gmail, Outlook, Yahoo, etc.

Basically, after an email is composed, using a client such as Gmail or Outlook, it is delivered to an SMTP server, which verifies the recipient’s domain to find the appropriate email server to deliver the email to. The SMTP server at the recipient’s domain processes the email, and either delivers the message or uses SMTP to forward it via another network before delivery.

What is SMTP Smuggling?

Security is the biggest problem with the Simple Mail Transfer Protocol because it lacks authentication. With the right tools, hackers can simply choose the sender’s name, so that their messages appear to have been sent from legitimate sources. They try to convince the recipients to take specific actions, such as clicking phishing links, downloading files infected with malware, sending sensitive information, etc.

The goal is to trick the recipient’s server into interpreting the end of a message differently from the sending server, using SMTP commands, so that a single email appears as two separate messages.

How Does SMTP Smuggling Work?

To perform such attacks, hackers “smuggle” ambiguous SMTP commands to eventually compromise the integrity of the email-server communications. Basically, SMTP servers indicate the end of message data with a line containing only a period, delimited on both sides by the <CR><LF> sequence (“Carriage Return” and “Line Feed”), i.e. “\r\n.\r\n”. This is the standard end-of-data delimiter.

By changing this code sequence, hackers can alter the server’s understanding of where the message data ends. This creates an opportunity for smuggling extra data.
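As an added illustration (not code from the original page or from any mail server), here is a Python sketch of the receiving side’s end-of-data handling: only the canonical “\r\n.\r\n” sequence ends the message, and any terminator lookalike that a lenient parser might honour is reported so the message can be rejected or logged. The sample DATA stream is constructed for this example.

```python
import re

CANONICAL_EOD = b"\r\n.\r\n"   # the only end-of-data sequence the SMTP specification defines
# Any line-break + "." + line-break combination; a lenient parser may treat these as end of data
EOD_LIKE = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")

# Constructed sample DATA phase: one message whose body carries a bare-LF terminator
# lookalike followed by text that looks like the start of a second message.
SAMPLE_STREAM = (
    b"From: ceo@example.com\r\n"
    b"To: finance@example.com\r\n"
    b"Subject: invoice\r\n"
    b"\r\n"
    b"Please pay the attached invoice.\n.\n"
    b"From: someone-else@example.com\r\n"
    b"Subject: second message\r\n"
    b"\r\n.\r\n"
    b"QUIT\r\n"
)


def find_end_of_data(stream: bytes) -> int:
    """Offset of the canonical terminator, or -1 while the message is still incomplete."""
    return stream.find(CANONICAL_EOD)


def find_terminator_lookalikes(data: bytes) -> list:
    """Offsets of terminator-like sequences in the message data that are not the canonical one."""
    return [m.start() for m in EOD_LIKE.finditer(data) if m.group(0) != CANONICAL_EOD]


def strict_receive(stream: bytes) -> dict:
    """Parse one DATA phase the strict way and report what a lenient peer might misread."""
    end = find_end_of_data(stream)
    if end < 0:
        return {"complete": False, "message": None,
                "lookalikes": find_terminator_lookalikes(stream), "next_command": None}
    message = stream[:end]
    rest = stream[end + len(CANONICAL_EOD):]
    return {
        "complete": True,
        "message": message,                                   # still ONE message, not two
        "lookalikes": find_terminator_lookalikes(message),    # what to log or reject
        "next_command": rest.split(b"\r\n", 1)[0],            # the real next command
    }


def accept_message(stream: bytes) -> tuple:
    """Receiving policy: accept only complete messages with no ambiguous terminator inside."""
    report = strict_receive(stream)
    if not report["complete"]:
        return False, "incomplete: canonical CRLF.CRLF terminator not received"
    if report["lookalikes"]:
        return False, "rejected: non-standard end-of-data sequence inside message data"
    return True, "accepted"
```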

Smuggled SMTP Data

Spoofed emails are usually just a part of targeted phishing attacks. Organizations are particularly vulnerable to SMTP smuggling because it can be easy to spoof their domains and use social engineering to send phishing emails or launch spear-phishing attacks.

How to Avoid SMTP Smuggling Emails

The maintainers of the most popular mail servers, such as Postfix, Exim, and Sendmail, have released fixes to defend against SMTP smuggling. Several other measures can be taken to minimize the threat.

We strongly advise running regular IT security checks on your organization’s infrastructure to monitor possible attack vectors and vulnerabilities.

Check the email-routing software being used. If the software is known to be vulnerable, update it to the latest version and use settings that specifically reject non-standard end-of-data sequences in message data.

Conduct security awareness training regularly, teach employees how important it is to always verify the sender’s email address and full name before proceeding with any actions.

What Does SMTP Email Spoofing Look Like?

To be alert to the threat of SMTP smuggling, it is critical to know what a spoof email might look like. A spoof email may take several forms.

There is the case of display name spoofing, where the sender’s name is spoofed, most often by using the real name of an organization’s employee. Most email clients automatically hide the sender’s email address and show only the full name next to “From:”. That is why recipients should always check the actual email address and make sure it corresponds to the sender’s name before downloading attachments, clicking links, or replying to suspicious emails.

Lookalike domain spoofing is a more complex cyberattack because it requires the perpetrator to register a domain like that of the target organization, set up the e-mail service, etc. There are two similar approaches that hackers take to domain spoofing: a misspelling of a legitimate company domain and Unicode Spoofing, where hackers replace an ASCII character in the domain name with a similar-looking character from Unicode.

At StratusPointIT we help organizations defend against various types of cyber threats, such as spoofing attacks. For more relevant information, or for a cybersecurity audit, please reach out to us.

Security Fatigue on Management

Stress and burnout caused by difficult situations, such as the pressure to understand and choose from all different cybersecurity solutions: multi-factor authentication, managed detection and response, mobile device management, DNS filtering, etc., can impact not only the decision-making process, but also the cybersecurity posture of your organization.

One of the reasons why managers get to a high level of security fatigue is because so many security solutions that were previously utilized by enterprises are now necessary for small and medium businesses too, in addition to regulatory and cyber insurance requirements. To help mitigate supply chain attacks, customers are starting to ask their vendors about their internal security or even mandating specific security requirements for you to do business with them.

Software solutions are organizations’ primary course of action to mitigate cyber threats. Hackers are aware of this and capitalize on the psychological gaps in cybersecurity and the lack of professional guidance because often organizations integrate inappropriate technological solutions, don’t have a cybersecurity response plan, leave the human element vulnerable, etc.

Hackers put significant effort and resources into targeting the whales of the corporate world – the senior executives. After all, who has more access to systems and data than an executive?

Decision-Making Tips

IT security is constantly evolving, making security fatigue difficult to solve. Below are just a few security pointers executives should be aware of in order to prevent any intrusive tactics that would permit cybercriminals to gain illegitimate access to a business system.

  • Ask for advice, for example, ask what the difference is between security services and how you should prioritize the services to best improve your security posture.

Sometimes, we think we must solve all problems internally, but reaching out to cybersecurity professionals for advice, people who bring valuable experience and judgment, will boost the likelihood of making well-informed decisions.

  • Limit the number of decisions you take in a short interval.

This can be helpful for preserving your decision-making capacity.

  • Avoid last-minute decisions.
  • Prioritize and set deadlines for making decisions.
  • Be aware of your judgment and biases.
  • Learn from decisions you have made in the past.

Practice human-centered cybersecurity.

As cybersecurity continues to evolve, complexity increases, making it difficult for employees to manage and fully understand a system. The human-centered cybersecurity approach is crucial to ensure people are a centric pillar when developing systems, IT security policies, and so on.

Complex activities such as cybersecurity-related processes require deep focus on people and organizations when designing systems to ensure human performance does not deteriorate when interacting with modern technologies, security policy compliance, change management and regulatory guidance.

Facilitate and reward a culture of cybersecurity.

A viable solution to security fatigue is the creation and maintenance of a security-focused company culture.

Regular, high-quality cyber awareness training, the right threat detection and prevention tools, effective incident reporting channels, and offering rewards to proactive employees can all contribute to sustainable cultural change at your company.

In Closing

Decision and security fatigue can have serious cybersecurity related implications. By understanding how security fatigue operates and how to prevent it, you will be putting yourself in a better position to make optimal decisions.

Also, choosing the right cybersecurity solutions can be overwhelming. Collaborating with a managed security service provider (MSSP) is beneficial. MSSPs provide organizations with guidance and services that imply specific threat prevention, detection, and response methods and protocols to protect their business assets.

Security Fatigue on End Users

As information security threats are multiplying, security measures are multiplying too.

Employees are regularly informed of more threats to watch out for and more security policies to follow, creating additional workflows and distractions for their already busy days. This is very likely to have an impact on their daily tasks. For instance, just a simple task like reading a new email can take twice as long as the recipient will probably double check if the attachment is safe before opening it.

Consequently, employees can experience reluctance to deal with computer security. Being overwhelmed by security policies can lead to lower levels of security and higher risks for the organizations.

Why is it happening?

People generally agree that security is crucial, but some of them fail to comply for several reasons.

While security is a top priority for security professionals, many employees are focused on productivity and getting their job done. If the security measure is making it harder to complete a task, some employees can perceive the measure negatively, and while balancing between security and productivity, the wrong decision can be made.

However, it can also be unintentional. For example, some people may not be aware of certain security policies, a consequence of having too many policies to keep track of.

Also, the level of self-control decreases when more decisions need to be made in a short interval. If the users are required to make numerous security decisions during their workday, they are more likely to make poor decisions.

The Impact

Security fatigue has a direct impact on the organization’s security and in some cases, it may affect productivity.

Therefore, risk mitigation is less effective, and the organization might be vulnerable to cyberattacks and data breaches. In some unfortunate cases, this may result in:

  • Credentials being stolen because phishing training was skipped.
  • Data being shared with unauthorized individuals because a colleague requested it.
  • Malware installation because a warning was dismissed.
  • Login information being breached after a brute force attack because an easy password was chosen.

The Solutions

Security policies are necessary to secure the organization and to be compliant with security standards and legislation.

  • When it has been decided a security policy is required, make sure it is easy to follow for your employees. It should be crystal clear what is expected of employees.
  • The communication around policies should include less jargon and more clarity.
  • Make sure security policies are based on risk assessment. Acknowledge which risks are acceptable to your organization and which are not.
  • When assessments must be done by an employee, offer support in making these decisions, for instance, provide a guideline to determine if and why an email has clear indicators of phishing or malicious vectors.
  • Security policies should have a clear purpose. Explaining the risk that is mitigated and the possible impact on the organization or individual is crucial.
  • Security teams usually share information around security policies annually via specific awareness sessions. The problem with this approach is that people tend to forget what has been communicated. Therefore, it would be wise to repeat the message frequently.
  • What is even more effective is sharing the policy or guideline in a timely manner, preferably in the moment the employees need to be aware of it. For example, an instant warning informing users they may be visiting a malicious website or that sensitive information was found in an email attachment. This will lower the risk and the burden of having to remember complex rules and regulations, improving the security of your organization.
  • Partner with a trusted IT support provider to ensure that your business stays secure, and your systems are up to date.

Conclusion

Security awareness should be a joint, regular effort. Thinking that what you are doing is simply not interesting for hackers and assuming your organization won’t be targeted is dangerous. No organization is safe from malicious actors.

To overcome the risk of security fatigue, organizations should make sure their security policies are proportional and efficient.

Types & Signs Of Brute Force Attacks

A brute force attack is an attack in which the adversary tries many candidate passwords or encryption keys until the right one is found. Its success depends less on the perpetrator's skill than on automation, speed, and the weakness of the target's passwords; given enough attempts it eventually yields access to a system, account, database, or network.

Brute force is less sophisticated than other techniques. Once hackers gain access, they may steal sensitive data, install malware, disrupt services, etc.

NOTE! According to a 2021 Verizon security report, 95% of the monitored organizations were targeted by brute force attacks.

Attackers can use brute force attacks to:

Hijack Devices for Malicious Activity

Brute-forced devices can be enrolled into botnets, networks of compromised computers that are then used to run further attacks, including brute force campaigns launched from many IP addresses at once so that no single source stands out.

Spread Malware

Gain control of a target’s system to use it as a launching pad for wider attacks against other connected networks or systems.

Exploit Activity Data

Perpetrators may abuse compromised sites and accounts to place spam ads on popular websites, reroute visitors to sites they control, or probe the network security and encryption protocols used by the targeted organization.

Steal Data

Hackers can steal data such as passwords, usernames, and PINs for illegitimate financial gains.

Damage Website or App

Ruin the reputation of an organization by damaging its website or app by altering confidential information, leaking data, or spreading false information online.

Types of Brute-Force Attacks

Understanding the most common types of brute-force attacks can help organizations take efficient protective measures.

  1. Simple brute-force attacks

Hackers utilize automated software to try thousands of possible combinations, mainly to guess passwords and PINs. Without lockout or rate limiting, short passwords fall quickly; each additional character multiplies the search space by the size of the character set.

  2. Dictionary attacks

Perpetrators crack password-protected accounts by trying a list (a dictionary) of common words, phrases and previously leaked passwords rather than every possible combination.

  3. Hybrid brute-force attacks

Cybercriminals combine a dictionary with automated mutations: appending digits or a year, capitalizing the first letter, substituting symbols for letters ("Summer2024!", "P@ssw0rd"). This mirrors how people actually modify weak passwords and sharply increases the success rate; the dictionaries and mutation rules are constantly improved.

  4. Reverse brute-force attacks

The attacker starts from one common password, such as "password1" or "12345", and tries it against many usernames, looking for whichever account uses it. Because each account sees only one or two attempts, a per-account lockout never triggers; this technique is also known as password spraying.

  5. Credential stuffing

Hackers replay valid username and password pairs exposed in earlier breaches against other services. This works because people tend to reuse the same credentials across multiple platforms.

  6. PIN brute-force attacks

Such attacks are mainly used against mobile devices. An automated system tries the ten thousand possible four-digit PINs (or the million six-digit ones) until the correct one is found, which is why mobile platforms impose escalating delays after repeated failures and can be configured to wipe the device.

Signs of a Brute Force Attack

To prevent any unauthorized access and minimize the potential damage, businesses must deploy measures for early detection. Here are the most common signs you should be aware of:

  • A sudden increase in failed login attempts, especially from a single or a few abusive IP addresses.
  • Login attempts from unusual IP addresses.
  • Suspicious web sessions from foreign countries.
  • Several failed login attempts per user account.
  • Login activity outside of working hours.
  • Login attempts using simple passwords, such as consecutive numbers or common combinations.
  • Locked out user accounts due to excessive failed login attempts.
  • A sudden increase in network traffic, targeting a specific service or app.
  • Inexplicable website or app load speed drop.
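To turn the signs above into something a SOC can actually run, here is an added example (not code from the original article) that parses constructed OpenSSH-style log lines and flags each of the listed patterns: a burst of failures from one IP, many failures against one account, one IP trying many accounts (a spray), one account hit from many IPs, and the case that matters most, an attacked account that then logs in successfully. The log lines and the thresholds (5 failures in 60 seconds, 5 distinct accounts, 3 distinct sources) are assumptions a team would tune for its own environment.

```python
"""Spot brute-force and password-spray patterns in authentication logs.

Added example; it is not code from the original article. The log lines below are
constructed (OpenSSH-style syslog output) and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one IP spraying many accounts, then several IPs hammering
# one account, which finally logs in successfully. Not real data.
SAMPLE_LOG = """\
Jan 14 03:02:11 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Jan 14 03:02:12 web01 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51013 ssh2
Jan 14 03:02:13 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51014 ssh2
Jan 14 03:02:14 web01 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51015 ssh2
Jan 14 03:02:15 web01 sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 51016 ssh2
Jan 14 03:02:16 web01 sshd[1206]: Failed password for jsmith from 203.0.113.7 port 51017 ssh2
Jan 14 03:10:01 web01 sshd[1301]: Failed password for jsmith from 198.51.100.22 port 40001 ssh2
Jan 14 03:10:02 web01 sshd[1302]: Failed password for jsmith from 198.51.100.23 port 40002 ssh2
Jan 14 03:10:03 web01 sshd[1303]: Failed password for jsmith from 198.51.100.24 port 40003 ssh2
Jan 14 03:10:04 web01 sshd[1304]: Failed password for jsmith from 198.51.100.25 port 40004 ssh2
Jan 14 03:10:05 web01 sshd[1305]: Failed password for jsmith from 198.51.100.26 port 40005 ssh2
Jan 14 03:10:06 web01 sshd[1306]: Accepted password for jsmith from 198.51.100.26 port 40006 ssh2
Jan 14 09:15:30 web01 sshd[1401]: Failed password for mjones from 192.0.2.10 port 50500 ssh2
Jan 14 09:15:31 web01 sshd[1402]: Accepted password for mjones from 192.0.2.10 port 50500 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)


def parse_events(log_text):
    """Return (timestamp, result, user, ip) for each password-auth line; skip others."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def max_in_window(timestamps, window_s):
    """Largest number of events that fall inside any window_s-second interval."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text, window_s=60, fail_threshold=5, spray_users=5, distributed_ips=3):
    """Map each sign from the article to a finding. Thresholds are assumed defaults."""
    fails_by_ip, fails_by_user = defaultdict(list), defaultdict(list)
    users_by_ip, ips_by_user = defaultdict(set), defaultdict(set)
    successes = []
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            fails_by_ip[ip].append(ts)
            fails_by_user[user].append(ts)
            users_by_ip[ip].add(user)
            ips_by_user[user].add(ip)
        else:
            successes.append((ts, user, ip))

    findings = {
        # burst of failures from one source (classic brute force)
        "ip_bursts": {ip: n for ip, t in fails_by_ip.items()
                      if (n := max_in_window(t, window_s)) >= fail_threshold},
        # many failures against one account, whatever the source
        "targeted_accounts": {u: n for u, t in fails_by_user.items()
                              if (n := max_in_window(t, window_s)) >= fail_threshold},
        # one source trying many accounts: password spray / reverse brute force
        "password_spray": {ip: sorted(us) for ip, us in users_by_ip.items()
                           if len(us) >= spray_users},
        # one account attacked from many sources: botnet, per-IP blocking evaded
        "distributed": {u: sorted(ips) for u, ips in ips_by_user.items()
                        if len(ips) >= distributed_ips},
    }
    # The signal that needs immediate response: an attacked account then succeeds.
    findings["success_after_attack"] = [
        (user, ip) for ts, user, ip in successes
        if user in findings["targeted_accounts"]
        and any(f < ts for f in fails_by_user[user])
    ]
    return findings


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Run against the sample, the script flags 203.0.113.7 both for its burst and for spraying six accounts, flags jsmith as targeted from six sources, and reports the successful login for jsmith from 198.51.100.26 as the event to act on; mjones's single failure followed by a success stays below every threshold, as it should. Per-IP counts alone would have missed the distributed attack on jsmith, which is why the per-account and per-source views are kept separate.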

Prevention Methods

Brute force attacks succeed against weak and reused passwords, so requiring employees to create long, unique passwords (a password manager makes this practical) is imperative. Implementing a Security Awareness Training program can help educate your employees on proper password hygiene.

Regularly check the web server log files to identify suspicious web sessions and remove abusive IPs from loading or accessing website resources.

On the account security side, never reuse credentials across accounts. Administrators should also implement lockout or rate-limiting policies for all utilized apps, so that an account, or a source address, is blocked after too many incorrect login attempts. Set the thresholds with care: a strict lockout that triggers on a handful of failures lets an attacker lock legitimate users out at will, so pair account lockout with escalating delays and per-source throttling rather than relying on a hard lock alone.

Make the Zero Trust approach a priority and make sure your organization utilizes multi-factor authentication (MFA) across all applications and services. MFA is one of the strongest solutions for preventing fraudulent access.

In addition, implementing a Mobile Device Management (MDM) service like Microsoft Intune will allow you to manage user access to corporate devices and applications, ensuring you meet compliance requirements and proper passwords are being deployed.  This will help reduce the ability for hackers to gain control of your data.

At StratusPointIT we help organizations protect their assets against complex brute force attacks. For more relevant information, please contact us.

The Supply Chain Attack: Overview

This type of cyberattack occurs when the perpetrator gains illegitimate access to your organization’s digital infrastructure just by utilizing a third-party system (provider or partner) that is already connected to your infrastructure.

Basically, because the third party has been granted rights to use and modify parts of your network, your applications, or your sensitive data, the attacker only has to penetrate the third party's defenses to reach your systems.

Software supply chains are vulnerable because modern software is not written from scratch. It involves many pre-existing components, such as third-party APIs, open-source code, etc.

Supply chain attacks are diverse, often impacting large companies, as was the case last year with Okta and JetBrains in October, Norton in May, and Airbus in January.

How Do Supply Chain Attacks Work?

For a successful supply chain attack, hackers must find a way either to insert malicious code into software or hardware, or to compromise the channel through which it is built and delivered, such as a build server or an update service.

Many of the products or services that get compromised come from trusted vendors, which makes it easier for attackers to infiltrate the targeted systems; that inherited trust is exactly what makes the supply chain worth attacking. Ironically, the delivery vehicle is often a software update, the very mechanism designed to fix security vulnerabilities.

Therefore, supply chain attacks are some of the most difficult threats to prevent because they take advantage of inherent trust. Mitigating and remediating a supply chain attack isn’t as simple as installing an antivirus or resetting your operating system because these attacks are usually well disguised.

Common Sources of Supply Chain Attacks

Commercial software

Because hundreds of organizations may use the same software solutions, a supply chain attacker who penetrates a software company’s system or compromises the integrity of their product can eventually gain access to a great number of targets.

Open-source software

When it comes to open-source software, anyone can propose changes to a program, and the result is pulled into thousands of downstream products. Hackers may abuse this openness to introduce a vulnerability or backdoor, typically disguised as an ordinary bug fix or feature.

Even though other members of the development community can see and review the code deployed by perpetrators, they may not know what to look for, and a deliberately obscured change can pass review and ship to every downstream user.

Foreign-sourced software

In some countries where the government exercises granular control over what certain private companies produce, software products may contain malicious code allowing the beneficiary to understand more about the targets’ systems.

Types of Supply Chain Attacks

Based on the targeted software, there are several types of attacks, all of which involve creating or exploiting security weaknesses.

Compromised software development tools – attackers compromise compilers, build servers or CI pipelines so that weaknesses are inserted into every product built with them, without touching the source code developers review.

Preinstalled malware – hackers introduce malware on mobile devices such as smartphones, cameras, etc., and when the target connects the infected device to a system or network, the malicious code is activated.

Stolen code-signing certificates – perpetrators sign malicious code with a legitimate company's stolen certificate, so it passes signature checks and appears to come from that company.

Compromised firmware – attackers can include malicious code in firmware to gain illegal access to a system.
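The update-as-delivery-vehicle point made earlier and the stolen-certificate case in the list above are two sides of the same check, so here is one added example (not code from the original article or from any vendor's updater) covering both: an installer that accepts an artifact only when the publisher signature is valid and the SHA-256 digest matches a pin recorded at review time. HMAC-SHA256 stands in for a real code-signing scheme; the artifact bytes, package names, versions and vendor key are constructed.

```python
"""Gate an update behind both a publisher signature and a pinned digest.

Added example; not code from the original article or any vendor's updater. The
artifact bytes, names, versions and the vendor key are constructed. HMAC-SHA256
stands in for a code-signing scheme (a real updater would verify an X.509 /
Authenticode signature); the logic is the same: a valid signature proves who
signed, a pinned SHA-256 proves it is the exact build you reviewed.
"""
import hashlib
import hmac

# Constructed: the vendor's signing key, which in the "stolen certificate"
# scenario the attacker also holds.
VENDOR_KEY = b"vendor-code-signing-key-demo"

# Constructed builds.
GENUINE_BUILD = b"agent-updater 2.4.1: reviewed release build"
TAMPERED_BUILD = GENUINE_BUILD + b"\x00/* implant */"
NEXT_BUILD = b"agent-updater 2.5.0: new release, not yet reviewed"


def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def signature_valid(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)


def pin(lockfile, name, version, data):
    """Record name/version/digest at review time. This is the trust anchor we own."""
    lockfile[name] = (version, hashlib.sha256(data).hexdigest())


def verify_pinned(lockfile, name, version, data):
    """Check an artifact against the lockfile; returns (ok, reason)."""
    if name not in lockfile:
        return False, "not pinned"            # unknown or lookalike package
    pinned_version, pinned_digest = lockfile[name]
    if version != pinned_version:
        return False, "version mismatch"      # a new release must be reviewed first
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_digest):
        return False, "digest mismatch"       # same name and version, different bytes
    return True, "ok"


def install_decision(lockfile, vendor_key, name, version, data, sig):
    """Both checks must pass; neither alone is sufficient."""
    if not signature_valid(vendor_key, data, sig):
        return "reject: bad signature"
    ok, reason = verify_pinned(lockfile, name, version, data)
    return "install" if ok else f"reject: {reason}"


def walkthrough():
    lockfile = {}
    pin(lockfile, "agent-updater", "2.4.1", GENUINE_BUILD)
    cases = {
        # legitimate update, exactly as reviewed
        "genuine": ("agent-updater", "2.4.1", GENUINE_BUILD, sign(VENDOR_KEY, GENUINE_BUILD)),
        # attacker with the stolen key pushes a backdoored build of the same version
        "stolen_key_tamper": ("agent-updater", "2.4.1", TAMPERED_BUILD, sign(VENDOR_KEY, TAMPERED_BUILD)),
        # a signature check alone would accept this lookalike package name
        "lookalike_name": ("agent-updator", "2.4.1", GENUINE_BUILD, sign(VENDOR_KEY, GENUINE_BUILD)),
        # a real new release still needs review and a new pin before it installs
        "unreviewed_release": ("agent-updater", "2.5.0", NEXT_BUILD, sign(VENDOR_KEY, NEXT_BUILD)),
        # modified in transit by someone without the key
        "unsigned_tamper": ("agent-updater", "2.4.1", TAMPERED_BUILD, sign(b"wrong-key", TAMPERED_BUILD)),
    }
    return {label: install_decision(lockfile, VENDOR_KEY, *args) for label, args in cases.items()}


if __name__ == "__main__":
    for label, decision in walkthrough().items():
        print(f"{label:20s} {decision}")
```

Only the genuine build installs. The backdoored build carrying a valid signature made with the stolen key is exactly the case a signature-only updater would accept; it fails here on the digest pin, which the attacker cannot forge without also compromising your repository. The cost of this approach is operational: every legitimate new release is rejected until someone reviews it and updates the pin, which is the point.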

Supply Chain Security

Such attacks are sophisticated and rarely match known signatures, so organizations often rely on behavioral analysis to surface indicators of attack and defend their assets.

Mitigating the risk is paramount, so consider advanced security solutions such as a Security Information and Event Management (SIEM) platform operated by a Security Operations Center (SOC). Together they provide 24/7 threat detection: collecting logs, correlating events, analyzing alerts across your network, and combining data from several sources so that security teams can remediate issues in a timely manner.

In some cases, all relevant analytics, threat intelligence, and forensic data should be passed to professional analysts, who classify alerts and determine the appropriate response to reduce the risks/effects of incidents. This is known as managed detection and response (MDR).

These services combine threat intelligence, advanced analytics, and human expertise in security incident discovery, investigation, and response deployed at the host and network levels to help keep your organization secure and reduce the ability for malicious activities to move laterally in your environment.

Enhance your readiness with proactive services to improve not only the supply chain security, but your organization’s overall security posture. For more information, please reach out to us. A member of our team will get in touch with you in one business day.