Audit and Assurance


Office 365 audit program

  • 1.  Office 365 audit program

    Posted 13 Aug, 2019 14:25

    Hi All,

    I am planning for an Office 365 audit. Would appreciate any guidance or audit program.

    Regards

    Daniel



    ------------------------------
    Daniel Castillo 
    IT Auditor
    ------------------------------


  • 2.  RE: Office 365 audit program

    Posted 14 Aug, 2019 05:58
    Don't do it ... it's a trap!

    Just start creating issues for data exfiltration, use of non-secure ports to support federation, and developers saving public/private key pairs in an unencrypted Excel file. Also, logging outside of your DMZ just won't happen unless you're a ... "unicorn". The key is to nail down your controls vs Microsoft's controls and go from there. Finally, make sure they are using MFA on root accounts; if not, call them or visit personally every single day until they do. There is no right or wrong in an O365 assessment, only stress. Best of luck!

    ------------------------------
    James Arnold
    EIS Third-Party Cyber Risk Manager
    ------------------------------



  • 3.  RE: Office 365 audit program

    Online Forum Topic Leader
    Posted 14 Aug, 2019 14:32
    @Daniel Castillo Valdes,

    The US DoD STIGs may help with this https://public.cyber.mil/stigs/downloads/?_search_stigs=office%20365

    Best Regards,

    Ian

    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------



  • 4.  RE: Office 365 audit program

    Posted 14 Aug, 2019 17:02
    @Daniel Castillo Valdes

    You could use the CIS Office 365 benchmarks available at https://www.cisecurity.org/benchmark/microsoft_office/.  The drawback, a minor one, is that it does not clearly trace the audit goals to the subscription plans.  It is still in draft version, but there is enough material for you to plan your own assessment.  Actually, I will be doing one very soon using the benchmark as a reference.

    In addition to the above, I also created the following additional ones based on security advisories and blogs that I read.

    Category | Objective | Rationale | Procedure

    Category: Email

    Objective: Ensure that POP3 and IMAP in Exchange Online are disabled.

    Rationale: IMAP (Internet Message Access Protocol) is a legacy authentication protocol that makes it possible for an account to be accessed from multiple devices. It is often used by desktop email clients to retrieve email from the email server. Being a legacy protocol, IMAP does not support multi-factor authentication, which allows it to be bypassed by attackers.

    Source: https://www.helpnetsecurity.com/2019/03/20/imap-based-password-spraying/

    Procedure: IMAP support is "on" by default in Office 365. Use the following Exchange Online PowerShell commands to verify that POP3 and IMAP are disabled.

        # Prompt for admin credentials and open a remote PowerShell session to Exchange Online
        $creds = Get-Credential
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
        Import-PSSession $Session -DisableNameChecking
        # List every mailbox (the default result size stops at 1000) with its POP3/IMAP settings
        Get-CASMailbox -ResultSize Unlimited | Select-Object Identity, PopEnabled, ImapEnabled
        Remove-PSSession $Session

    The values for both PopEnabled and ImapEnabled must be False.

    Remediation: Use the Set-CASMailbox cmdlet.

    Category: Email

    Objective: Ensure that Office 365 is configured to alert users to emails received from external domains.

    Rationale: Office 365 is the most widely used application for email and is the prime target for phishing emails.  Phishing emails are widely used and are often one of the most successful ways cyber criminals gain access to business networks.

    Source: https://www.csoonline.com/article/3225469/office-365-phishing-attacks-create-a-sustained-insider-nightmare-for-it.html

    Procedure: To verify that email is configured to flag messages received from external senders, perform the following steps from the Admin Center:

    1.  Exchange > mail flow
    2.  Verify that there is a rule for external messages

    Remediation: https://www.securit360.com/blog/configure-warning-messages-office-365-emails-external-senders/

    Category: Email

    Objective: Ensure that Outlook Contacts synchronization of Facebook contacts is disabled.

    Rationale: Office 365 is the prime target of phishing scams.  Phishing attacks are a subset of social engineering strategy that imitate a trusted source and concoct a seemingly logical scenario for handing over sensitive information.  Social networking sites have made social engineering attacks easier to conduct.

    Facebook integration is enabled by default in Office 365, which could lead to a risk scenario where sensitive information is accidentally disclosed to an external party.

    Source: https://ontech.com/office-365-phishing/

    Procedure: To verify that Facebook contacts synchronization is disabled, perform the following steps from Exchange Online PowerShell:

    1. Using Internet Explorer or Edge, go to Admin Center -> Exchange -> hybrid setup
    2. Click configure (step 1) to install the Exchange Online PowerShell module
    3. In the PowerShell window, enter the command Connect-EXOPSSession -UserPrincipalName xxx@somecompany.com
    4. In the PowerShell window, enter the command Get-OwaMailboxPolicy | select FacebookEnabled
    5. Verify that the value of the FacebookEnabled property is False

    Remediation: Use the Set-OwaMailboxPolicy cmdlet

    Category: Email

    Objective: Ensure that Outlook Contacts synchronization of LinkedIn contacts is disabled.

    Rationale: Office 365 is the prime target of phishing scams.  Phishing attacks are a subset of social engineering strategy that imitate a trusted source and concoct a seemingly logical scenario for handing over sensitive information.  Social networking sites have made social engineering attacks easier to conduct.

    LinkedIn integration is enabled by default in Office 365, which could lead to a risk scenario where sensitive information is accidentally disclosed to an external party.

    Source: https://ontech.com/office-365-phishing/

    Procedure: To verify that LinkedIn contacts synchronization is disabled, perform the following steps from Exchange Online PowerShell:

    1. Using Internet Explorer or Edge, go to Admin Center -> Exchange -> hybrid setup
    2. Click configure (step 1) to install the Exchange Online PowerShell module
    3. In the PowerShell window, enter the command Connect-EXOPSSession -UserPrincipalName xxx@somecompany.com
    4. In the PowerShell window, enter the command Get-OwaMailboxPolicy | select LinkedInEnabled
    5. Verify that the value of the LinkedInEnabled property is False

    Remediation: Use the Set-OwaMailboxPolicy cmdlet



    I would recommend that you refer to the online documentation https://docs.microsoft.com/en-us/Office365/SecurityCompliance/plan-for-security-and-compliance for audit.

    Best,

    ------------------------------
    Richard Pais
    IT Compliance Manager
    ------------------------------



  • 5.  RE: Office 365 audit program

    Posted 14 Aug, 2019 17:13
    Edited by Richard Pais 14 Aug, 2019 18:03
    The following would depend on organizational policy regarding storage in external cloud-based personal storage.

    Category | Objective | Rationale | Procedure

    Category: Data Protection

    Objective: Ensure that the 3rd party storage provider option is disabled.

    Rationale: A new feature introduced in Outlook on the web is support for external storage providers such as Box, Dropbox and Google Drive.  Though OneDrive for Business is not impacted by the change, as a good assurance practice, verify that the option is disabled.

    Source: Microsoft notification dated 29-Jul-2019 

    Procedure: To verify that the external storage providers setting is not enabled, perform the following steps in Exchange Online PowerShell.

    1. Using Internet Explorer or Edge, go to Admin Center -> Exchange -> hybrid setup
    2. Click configure (step 1) to install the Exchange Online PowerShell module
    3. In the PowerShell window, enter the command Connect-EXOPSSession -UserPrincipalName xxx@somecompany.com
    4. In the PowerShell window, enter the command Get-OwaMailboxPolicy | select ThirdPartyFileProvidersEnabled
    5. Verify that the value of the ThirdPartyFileProvidersEnabled property is False

    Remediation: Use the Set-OwaMailboxPolicy cmdlet.



    ------------------------------
    Richard Pais
    IT Compliance Manager
    ------------------------------
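The OWA mailbox policy checks from this post and the previous one (FacebookEnabled, LinkedInEnabled, ThirdPartyFileProvidersEnabled), scripted across every policy in the tenant at once. This is an added example, not the poster's code; it assumes Connect-ExchangeOnline has already been run and that the property names are the ones Get-OwaMailboxPolicy returns. The two sample policies are constructed.

```powershell
# Added example, not from the thread. Audits every OWA mailbox policy (not only the first one
# returned) for settings that must be False, and reports the Set-OwaMailboxPolicy fix.
# ASSUMPTION: Connect-ExchangeOnline (ExchangeOnlineManagement module) has already been run.

function Test-OwaMailboxPolicySettings {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        # The three settings checked in this thread; extend for other boolean OWA policy switches
        [string[]] $MustBeFalse = @('FacebookEnabled', 'LinkedInEnabled', 'ThirdPartyFileProvidersEnabled')
    )
    foreach ($p in $Policies) {
        foreach ($setting in $MustBeFalse) {
            $value = $p.$setting
            # $null means the property was not returned at all: treat that as a finding, not a pass
            $ok  = ($value -is [bool]) -and (-not $value)
            $fix = if ($ok) { $null } else { "Set-OwaMailboxPolicy -Identity '$($p.Name)' -$setting `$false" }
            [pscustomobject]@{
                Policy    = $p.Name
                Setting   = $setting
                Value     = $value
                Compliant = $ok
                Fix       = $fix
            }
        }
    }
}

# --- Constructed sample policies (stand in for Get-OwaMailboxPolicy output) ---
$samplePolicies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; FacebookEnabled = $false; LinkedInEnabled = $false; ThirdPartyFileProvidersEnabled = $true  }
    [pscustomobject]@{ Name = 'Executives';               FacebookEnabled = $true;  LinkedInEnabled = $false; ThirdPartyFileProvidersEnabled = $false }
)

$results = Test-OwaMailboxPolicySettings -Policies $samplePolicies
$results | Where-Object { -not $_.Compliant } | Format-Table Policy, Setting, Value, Fix -AutoSize

# Live run (uncomment after Connect-ExchangeOnline):
# $results = Test-OwaMailboxPolicySettings -Policies (Get-OwaMailboxPolicy)
# A compliant policy protects nothing for mailboxes that are not assigned one; list any stragglers:
# Get-CASMailbox -ResultSize Unlimited | Where-Object { -not $_.OwaMailboxPolicy } | Select-Object PrimarySmtpAddress
```

Checking all policies matters because "Get-OwaMailboxPolicy | select FacebookEnabled", as in the posts, prints one line per policy with no name attached: a tenant with a custom policy assigned to a subset of users can pass on the default policy and fail on the other without the output making that obvious. The property list is a parameter so the same function covers further OWA policy switches added later in the review.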