What are the risks for MS Teams and how to avoid them
The events of 2020 forced companies to embrace a new reality – digitalization of operations extended to the maximum. With the introduction of restrictions on physical interactions, organizations raced against time to ensure that processes could be carried out with limited interpersonal contact. Without a doubt, the most critical process inside an enterprise is communication. It is not surprising that the messenger of the leading office software provider, Microsoft Teams, recorded an increase from 40 million users in March 2020 to 75 million users in April of the same year.
Microsoft Teams is a powerful tool for supporting collaboration across departments, and even across organizations. However, the fact that this tool is quite open for users raises concerns about the unhampered sharing of files and data between an unlimited number of users. The files shared through Teams are stored in various Microsoft locations: Exchange, Stream, Groups, SharePoint, and OneDrive for Business. In short, as a tool for communication and data exchange, MS Teams gives grounds for concern about using this application.
Fortunately, Teams benefits from integrating with key elements of Microsoft’s security framework:
- File sharing is powered by SharePoint.
- Team chats are stored in a dedicated (hidden) group inside a mailbox in Exchange Online.
- Azure Active Directory (Azure AD) stores and manages data and identities. It also manages user authentication for Teams as a whole.
Basic security controls that are set up when deploying Teams typically include:
- Azure AD authentication configuration for user sign-in to Teams.
- Global security policy settings for Office 365 – many settings are transferred to Teams or to SharePoint, OneDrive, and Exchange, which work with Teams.
However, given the scale of current threats, from increasingly advanced malware to insiders consciously acting against the enterprise, the basic protection mechanisms are insufficient. McAfee experts compiled a comprehensive list of threats and protection mechanisms that allow you to safely use MS Teams in their latest report, Microsoft Teams: Top 10 Security Threats.
PROBLEM 1: EXTERNAL / GUEST USERS
Channel administrators can add people outside of your organization and grant them certain permissions. This makes it possible to upload a malicious file as an attachment or to exfiltrate the data.
Good security practices are:
- Control the list of domains of users who have access to your Teams.
- Create a clear boundary for internal communication channels and block them for users outside your organization.
- Apply (using appropriate solutions) filters on files and data transmitted via chat – as the second level of control, you can verify the domains of users between which communication takes place.
- Control Teams administrators with at least a separate report.
PROBLEM 2: UNKNOWN DEVICES AND LOCATIONS
Unknown devices or locations could indicate malware infection or hijacking by an unauthorized user.
Therefore, good practices are:
- Limit access and functionality based on the type of access device or location (IP addressing ranges).
- Introduce an additional authentication method (MFA).
- Impose rules restricting downloading, uploading and sharing of files.
PROBLEM 3: DATA EXFILTRATION THROUGH A SHARED SCREEN
Sharing screens can be invaluable when it comes to being able to work as a team. Unfortunately, it is also difficult to assess the scale of data leaked from the organization in this way, due to the lack of dedicated measures (and, in fact, limited possibilities in general) to protect this channel.
To prevent this type of leakage, it is worth focusing on:
- Raising awareness of cybersecurity in the organization through training and simulations.
- A solution that monitors user behavior and helps identify the so-called insider threats.
PROBLEM 4: MALWARE SENT BY TEAMS
Malware can be delivered via chat to infect the caller’s device. The key is that the administrator can control “input” files sent to the organization’s infrastructure (at minimum the north-south communication coming from outside the organization; to have full visibility and avoid the internal spread of threats, it is also worth monitoring east-west traffic).
Depending on the platform, there are different security technologies:
- Cloud Access Security Broker (CASB) – protects files sent to your cloud instance, and also includes advanced options for resource access control, sharing, and anomaly detection of user accounts.
- Next-Gen Web Security Gateway – a response to the needs of companies gradually moving to the cloud, combining a secure web proxy with CASB and Data Loss Prevention. It provides comprehensive file protection not only in terms of possible malware but also exfiltration.
- In addition, technologies such as EDR, Secure Web Gateway, Next-Gen Firewall and good old antivirus significantly reduce the risk of damage caused by malware downloaded together with the file sent via chat.
PROBLEM 5: FILE SHARING OUTSIDE THE ORGANIZATION
The lack of control over whom users share their files with on a cloud platform is a serious problem. In addition to Data Loss Prevention (DLP) policies imposed on data stored in the cloud, it is worth considering the implementation of CASB to differentiate the level of access to files depending on the type of device or user location. We describe these issues in more detail in our article about CASB.
PROBLEM 6: INTEGRATION WITH OTHER APPLICATIONS
By granting applications rights to certain functions, we create new vectors of attack and data leakage. It is worth starting with an inventory: what applications are integrated with our MS Teams? How can we check whether our knowledge is up-to-date?
At this point, it is worth mentioning that MS Teams is not the only communication and cooperation tool. Therefore, consider whether your organization has general guidelines for the safe use of such applications.
PROBLEM 7: LACK OF VISIBILITY FOR NON-DISRUPTING USERS’ BEHAVIOR
Access from a remote location, overly wide sharing of files, downloading large amounts of data or downloading them outside working hours – each of these signals may indicate doubtful intentions of a trusted user or the takeover of their access data. Most CASB-class solutions contain functionality that allows you to assess the risk level of user actions, so make sure your solution has it too.
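The signals listed above can be evaluated over exported activity records. The following is an added example, not code from the article or from any CASB product; the event fields, network range, working hours and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values (hypothetical, not from the article).
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]  # corporate egress range
WORK_HOURS = range(8, 18)                        # 08:00-17:59, Mon-Fri
MAX_DAILY_DOWNLOAD_MB = 500                      # per user per day
MAX_SHARE_RECIPIENTS = 10                        # per sharing action

# Constructed sample events with hypothetical field names.
EVENTS = [
    {"time": "2020-11-03T10:15:00", "user": "anna@example.com", "ip": "203.0.113.20", "action": "download", "size_mb": 12},
    {"time": "2020-11-03T23:40:00", "user": "piotr@example.com", "ip": "198.51.100.7", "action": "download", "size_mb": 300},
    {"time": "2020-11-03T23:55:00", "user": "piotr@example.com", "ip": "198.51.100.7", "action": "download", "size_mb": 350},
    {"time": "2020-11-04T11:00:00", "user": "ewa@example.com", "ip": "203.0.113.9", "action": "share", "recipients": 40},
]

def risk_signals(events):
    """Return {user: sorted signal names} for the four signals named in the text."""
    signals = defaultdict(set)
    daily_mb = defaultdict(float)
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        user = e["user"]
        # Signal 1: access from outside the known network ranges.
        if not any(ip_address(e["ip"]) in net for net in KNOWN_NETWORKS):
            signals[user].add("remote_location")
        # Signal 2: a file shared with too many recipients at once.
        if e["action"] == "share" and e.get("recipients", 0) > MAX_SHARE_RECIPIENTS:
            signals[user].add("wide_sharing")
        if e["action"] == "download":
            # Signal 3: download outside working hours or at the weekend.
            if ts.hour not in WORK_HOURS or ts.weekday() >= 5:
                signals[user].add("off_hours_download")
            # Signal 4: cumulative daily download volume above the threshold.
            daily_mb[(user, ts.date())] += e.get("size_mb", 0)
            if daily_mb[(user, ts.date())] > MAX_DAILY_DOWNLOAD_MB:
                signals[user].add("bulk_download")
    return {u: sorted(s) for u, s in signals.items()}

def risk_level(signal_names):
    """Map the number of distinct signals to a coarse level (hypothetical scale)."""
    return ("low", "medium", "high")[min(len(signal_names), 3) - 1] if signal_names else "none"

if __name__ == "__main__":
    for user, names in risk_signals(EVENTS).items():
        print(user, risk_level(names), names)
```

Users with no triggered signal do not appear in the result, so the output is the list to review rather than the full user base.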
In addition to the above-mentioned, there is also the issue of a uniform security policy for various cloud environments and minimizing the time of incident detection and remediation. For example, in API-based solutions, the time of sending information about an event is sometimes crucial.
The aforementioned Microsoft Teams: Top 10 Security Threats report by McAfee expands on the above-mentioned security problems of MS Teams and makes them concrete with:
- Additional challenges faced by organizations using not only MS Teams, but also other messengers.
- Methods and techniques of securing attack vectors.
- Technologies and their business case.
Business justifications are worth mentioning with reference to the beginning of the article: communication is a critical process in an organization, and the applications supporting it are essential.
In the era of a kind of communication “relaxation” caused by ubiquitous remote work, administrators must be more vigilant than ever, and they are supported by solutions and functionalities such as the mentioned CASB. Nevertheless, it is worth remembering that communication currently covers many channels and devices, and each cybersecurity solution contributes to increasing the level of its protection.