Silversands Logo

Silversands Ltd, Albany Business Park, Cabot Lane
Poole, Dorset, BH17 7BX

Customer Portal
Accountancy firm taxed by external access vulnerabilities hero image

Accountancy firm taxed by external access vulnerabilities

This long-established firm provides tax and accountancy services across several sectors including sport, media and non-profits.

Technology used :

Conditional Access

Multi-Factor Authentication

Self-Service Password Reset

Accountancy firm taxed by external access vulnerabilities hero image
What is the background?
  • An accountancy firm relied on Conditional Access (CA) and Multi-Factor Authentication (MFA) to protect against malicious logins.
  • However, a malicious attack triggered an access control and external threat review
What were the findings?
  • Existing access rules were based primarily on user location
  • CA was not being applied to all users and login attempts
  • Many access attempts were from unmanaged or non-compliant devices
  • Password reset policies were not enforced
  • Similar policies were in place for Corporate and personal devices
  • Some users were not enabled for MFA
What were the recommendations?
  • Changes were proposed to improve the firm’s security posture
  • CA policies needed to be reconfigured based on best practice approach
  • Additional compliance policies needed to be created
  • MFA needed to be enabled for all users
  • MFA policies should use best practice

background

A recent malicious attack on this accountancy firm was identified and ultimately thwarted, but it triggered a general concern about the potential for bad actors to gain access to the firm’s services and data. Considering that many of the security solutions had been implemented several years ago, the partners wanted to be sure that the protections which were currently in place were still relevant in today’s hybrid working world and operating effectively.

In the first instance, an analysis was undertaken so that we could understand the existing configuration and use of the Microsoft Intune Conditional Access (CA) and Multi-Factor Authentication (MFA) solutions, the primary targets of this particular review.  CA controls which devices can access the firm’s services, and how those devices must be configured to be valid. Using a specially configured mobile device that only the user has, MFA provides an additional login authentication step, which a malicious actor does not have.

More specifically, this analysis reviewed:

  • Access for managed and unmanaged Windows, non-Windows and mobile devices
  • Configured rules for allowing or preventing network and service access
  • User profiles and access requirements for different roles among the firm’s staff
  • The configuration of the MFA service
  • The Self-Service Password Reset configuration.
User login screen
Background
  • Conditional Access (CA) and Multi-Factor Authentication (MFA) is deployed
  • A malicious attack triggered an external threat review
<p><em>“Although this firm had a great level of security protection enabled, there can still be gaps that can be exploited by malicious actors. This is why it is important to regularly review the configuration of your security solutions to ensure that they are taking advantage of the latest configuration options and that they meet your current requirements.”</em></p>

“Although this firm had a great level of security protection enabled, there can still be gaps that can be exploited by malicious actors. This is why it is important to regularly review the configuration of your security solutions to ensure that they are taking advantage of the latest configuration options and that they meet your current requirements.”

Colin Gray, Account Manager, Silversands

findings and recommendations

From our analysis, and amongst other issues, we determined that:

  • In the 7 days before the review, over 140 users had managed to sign in without being challenged by Conditional Access
  • Two-thirds of those sign-ins were from unmanaged or non-compliant devices
  • There was no differentiation between corporate and personal devices
  • There was no consideration for guest accounts or privileged roles
  • Several users had not been assigned to use MFA
  • Password reset had a fairly weak set of requirements to allow a reset to be performed

These issues have been caused by several factors such as policies that are too broad, that don’t use key parameters like device state or compliance status and that don’t differentiate between corporate and personal devices.

Equally, not having MFA enabled for every account means that there are easy opportunities for bad actors to attempt to hack these accounts.

Ultimately, the clear conclusion that we can draw from these findings is that there are lots of opportunities for bad actors to bypass the access controls and policies that have been put in place, resulting in the potential for compromised accounts, data loss, reputational damage or even worse.

Hacker working in the dark

Based on our review and findings, we made several recommendations across CA, MFA and password reset, including:

  • Reconfiguring CA policies to cover more specific scenarios
  • Creating policies for corporate and personal devices with different configurations
  • Creating compliance policies to check devices have valid antivirus and patch configurations
  • Ensuring that all users are MFA-protected
  • Hardening the self-service password reset requirements
  • Adding Privileged Identity Management to enhance protection for admin-level access
Person blocked from login by failed MFA

Benefits

The benefits gained by these recommended changes will be significant:

  • The opportunities for malicious actors to gain access through device manipulation or compromised user logins will be removed
  • Devices with incorrect or compromised configurations (such as disabled antivirus) will be denied a connection
  • Personal devices will be treated with much more suspicion than corporate devices
  • Admin-level accounts will be much more secure
  • The firm will be generally better secured against external threats

The firm has taken our recommendations on board and immediately made several changes to the configuration of the various services. It is fortunate that the many holes we found had not been exploited to date.

Of course, access control is only one part of an organisation’s security protection, and we continue to work with this firm to identify other areas of weakness and threat opportunities.

Findings
  • Existing access rules were limited in scope
  • Conditional Access not applied to all scenarios
  • Unmanaged or non-compliant device controls were poor
  • Same policies applied to corporate and personal devices
  • MFA not enabled for all users
  • Password reset policies not enforced
<p>“While there are many external threats to any organisation, two of the main defences are Conditional Access and Multi-Factor Authentication. However, if these are incorrectly configured or have bad policies, they may as well not be there. Therefore, it is extremely important to make sure these services are designed properly and regularly reviewed to ensure continued protection.”</p>
<p> </p>
<p>Mark Ison, Lead Device Management Consultant, Silversands</p>

“While there are many external threats to any organisation, two of the main defences are Conditional Access and Multi-Factor Authentication. However, if these are incorrectly configured or have bad policies, they may as well not be there. Therefore, it is extremely important to make sure these services are designed properly and regularly reviewed to ensure continued protection.”

 

Mark Ison, Lead Device Management Consultant, Silversands

Recommendations
  • Several policy and config changes were proposed
  • CA policies needed modification inline with best practice
  • Additional compliance policies were required
  • MFA coverage needed to be improved
  • Self-service password reset need to be hardened