
Earlier this year the Scottish parliament was attacked by what was described as a “Brute Force” cyber-attack. It was said that the attack targeted “MSPs and staff with parliamentary email addresses”.

This article says “email accounts targeted in the attacks, which use the "parliament.scot" domain, are Office 365 accounts hosted by Microsoft” with brute force itself being described as "a fairly standard scanning attack on accounts, where a tool continually tries different passwords for given logins".

Although it was suggested that no accounts had been compromised during this attack, the attack was described as being similar to the attack that was carried out against the UK Government. In that instance accounts may have been compromised; International Trade Secretary Liam Fox said:

“We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails.”

Assuming their Office 365 is set up with AD/Azure AD/DirSync, which is a fairly standard configuration, they will likely be forced to use the non-configurable default, which is:

“After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon. After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period (60 seconds). Further incorrect passwords will result in an exponential increase (not fixed) in the lockout time period.”

If this fairly standard configuration has been successfully compromised, this could leave many orgs exposed, with the exposure increasing in scale relative to the size of the target org.

My question is this:

Assuming 2-factor isn’t in use (for non-admin accounts the default does not have it enabled) and the password construction policy is of average strength, let’s say a minimum of 8 characters, complexity enforced, forced resets after 60 days and a password history of 5 passwords.

Is this enforced and non-configurable Office 365 password policy secure enough for large public and private organisations from a practical point of view?

i.e. with X accounts, the risk of an account being compromised with this becomes Y.

TheJulyPlot
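As an added example (not part of the original question or of Microsoft's code), a small Python model of the lockout policy quoted above: how many wrong-password guesses one account accepts within a time window, and how the question's "X accounts gives risk Y" becomes a number once a per-guess hit rate is assumed. The doubling factor for the lockout, the time an attacker spends per CAPTCHA, whether the CAPTCHA persists after lockouts, and the hit rate are all assumptions, since the page does not state them.

```python
def attempts_in_window(window_seconds: float, captcha_seconds: float = 0.0,
                       free_attempts: int = 10, captcha_attempts: int = 10,
                       base_lockout: float = 60.0, growth: float = 2.0) -> int:
    """Maximum wrong-password attempts one account accepts within window_seconds
    under the quoted policy: 10 free attempts, 10 more behind a CAPTCHA, then a
    60 s lockout that grows after every further failure. The growth factor (2x),
    the attacker's time per CAPTCHA, and the CAPTCHA persisting after lockouts
    are assumptions, not stated in the quoted policy."""
    elapsed = 0.0
    attempts = free_attempts               # phase 1: no throttling at all
    for _ in range(captcha_attempts):      # phase 2: each guess costs one CAPTCHA
        if elapsed + captcha_seconds > window_seconds:
            return attempts
        elapsed += captcha_seconds
        attempts += 1
    lockout = base_lockout                 # phase 3: wait out the lockout, guess again
    while elapsed + lockout + captcha_seconds <= window_seconds:
        elapsed += lockout + captcha_seconds
        attempts += 1
        lockout *= growth                  # assumed exponential growth of the lockout
    return attempts


def compromise_risk(accounts: int, guesses_per_account: int, hit_rate_per_guess: float):
    """Turn 'X accounts' into 'risk Y'. hit_rate_per_guess is the assumed fraction
    of users whose password equals one particular guess (e.g. one common password);
    guesses are treated as independent. Returns (p_per_account,
    expected_compromised, p_at_least_one)."""
    p_account = 1.0 - (1.0 - hit_rate_per_guess) ** guesses_per_account
    expected = accounts * p_account
    p_any = 1.0 - (1.0 - p_account) ** accounts
    return p_account, expected, p_any


if __name__ == "__main__":
    day = 24 * 3600
    for label, window in (("1 hour", 3600), ("1 day", day), ("30 days", 30 * day)):
        print(f"{label:>8}: at most {attempts_in_window(window)} guesses per account")
    # Constructed scenario: 10,000 mailboxes, only the 20 cheap (pre-lockout)
    # guesses per account, and an assumed 0.1% of users on any given common password.
    p_acc, expected, p_any = compromise_risk(10_000, 20, 0.001)
    print(f"per-account p={p_acc:.4f}, expected compromised={expected:.1f}, "
          f"P(at least one)={p_any:.6f}")
```

The lockout caps a per-account brute force at a few dozen guesses a month, so the practical exposure comes from the 20 cheap guesses multiplied across every mailbox in the org, which is what the expected-compromised figure measures.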
  • This seems like a balanced approach to me. Account lockouts are a denial of service risk. The CAPTCHAS give real humans logging in a priority. The escalating timer means a DoS attacker needs to be very, very dedicated if they want to lock the Scottish Parliament out of their email. The brute force scenario also assumes that attackers are ignored by MS' infosec team. They're no doubt regularly blocking hostile actors via behavior detection, honeypots, etc. – mgjk Aug 25 '17 at 09:47
  • Beware that frequent password changes pretty much guarantee that users will pick extremely weak passwords. [Password expiration is usually detrimental to security](https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security/5168#5168). – Gilles 'SO- stop being evil' Aug 26 '17 at 20:59
  • @mgjk Given some of the wording around this, there is a chance that this policy may have been compromised; however, we do not know the password policy that may have been in use when the potential compromise occurred. (If it did indeed occur at all.) If it did, it would have been successful regardless of any action taken by Microsoft and the UK Government. – TheJulyPlot Aug 28 '17 at 13:29
  • @Gilles I’m not sure what the actual password history and reset policies are for the Scottish government or the UK government. They may well not enforce password resets every X days; I know NCSC recommend not to force resets every X days, so there is a chance this is the policy, especially for UK gov. The one mentioned was merely supposed to be an ‘example’ password policy to hang the question on. – TheJulyPlot Aug 28 '17 at 13:34

0 Answers