CISA presses for accelerated switch by FCEB agencies to Modern Auth across Exchange Online

The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on determining whether and to what extent organizations are using Basic Authentication (Basic Auth) in Exchange Online. It also provided details on how to switch to Modern Authentication (Modern Auth) before Microsoft begins permanently disabling Basic Auth on Oct 1, 2022.

While “this guidance is tailored to Federal Civilian Executive Branch (FCEB) agencies, all organizations should take urgent steps to switch to Modern Auth before October 1,” CISA said in its post. Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth. After completing the migration to Modern Auth, agencies should block Basic Auth, it added. 

The guidance said that CISA urges all organizations to expedite migration to Modern Auth, as Basic Auth does not support multifactor authentication (MFA), which is required for FCEB agencies. The move comes following U.S. President Joe Biden’s Executive Order 14028, issued in May last year, which focuses on advancing security measures that reduce the risk of successful cyber attacks against the federal government’s digital infrastructure.

Microsoft has also disclosed that over 99 percent of password spray attacks use legacy authentication protocols, and over 97 percent of credential stuffing attacks use legacy authentication. Furthermore, there are 921 password attacks every second, nearly doubling in frequency over the past 12 months. Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled.

Basic Auth is a legacy authentication method that requires the user’s password to be sent with each authentication request. Protocols that can use Basic Auth include Post Office Protocol/Internet Message Access Protocol (POP/IMAP), Exchange Web Services (EWS), ActiveSync, and Remote Procedure Call over HTTP (RPC over HTTP). 

Organizations must review Azure Active Directory (AAD) sign-in logs to identify the applications and users authenticating with Basic Auth and so determine its usage. They must consider that sign-in logs are retained for seven days for AAD Free and 30 days for AAD P1/P2 users; the M365 G3 license includes P1 and M365 G5 includes P2. To review the logs, open the AAD sign-in logs, click ‘Add filters’, select the client app in the dropdown, and click apply. Then click the new client app filter bubble and select all values grouped under Legacy Authentication Clients.

“Review the resulting values, which are applications and users that are using Basic Auth,” CISA said. “If too many values to review in the browser, download results as a CSV or JSON file to review offline,” it added.
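As an added example (not from CISA's guidance or from Microsoft tooling), the following Python script triages a downloaded sign-in log JSON export offline: it counts sign-ins per legacy client app and lists the accounts behind them, so the owners of remaining Basic Auth clients can be contacted before the block is enforced. It assumes the export records carry a `clientAppUsed` field with the client-app values the portal groups as Legacy Authentication Clients, and the sample records are constructed.

```python
import json
from collections import Counter, defaultdict

# clientAppUsed values the Azure AD portal groups under "Legacy Authentication
# Clients" (assumed list; it covers the protocols the guidance names:
# POP/IMAP, EWS, ActiveSync and RPC over HTTP).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "Authenticated SMTP", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Exchange Online PowerShell", "Other clients",
}

# Constructed sample of a sign-in log JSON download (only the fields used here).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@agency.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@agency.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@agency.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},   # failed attempt, still Basic Auth
    {"userPrincipalName": "bob@agency.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
])


def triage_legacy_auth(export_json: str) -> dict:
    """Count legacy-auth sign-ins per client app and list the accounts behind
    them. Failed attempts are counted too: they show who still tries Basic Auth
    and must be migrated before the block is enforced."""
    records = json.loads(export_json)
    by_client, by_user, successful = Counter(), defaultdict(set), 0
    for rec in records:
        client = rec.get("clientAppUsed", "")
        if client not in LEGACY_CLIENT_APPS:
            continue  # Modern Auth client: nothing to migrate
        by_client[client] += 1
        by_user[rec.get("userPrincipalName", "<unknown>")].add(client)
        if rec.get("status", {}).get("errorCode", 1) == 0:
            successful += 1
    return {"by_client": dict(by_client),
            "by_user": {u: sorted(c) for u, c in by_user.items()},
            "successful": successful}


if __name__ == "__main__":
    summary = triage_legacy_auth(SAMPLE_EXPORT)
    for client, n in sorted(summary["by_client"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {client}")
    for user, clients in sorted(summary["by_user"].items()):
        print(f"{user}: {', '.join(clients)}")
```

Point the script at the real download by replacing `SAMPLE_EXPORT` with the file contents; a CSV export can be handled the same way after loading it with the `csv` module.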

To block usage of Basic Auth in Exchange Online, agencies can implement either of the two primary methods – create an authentication policy in Exchange Online, or create a Conditional Access policy in AAD. Additionally, agencies using Basic Auth to authenticate to on-premises Exchange Servers should also move to hybrid Modern Auth.

In the case of Conditional Access, policies block Basic Auth only after the first factor (the password) has been validated, because the policy is evaluated after first-factor authentication completes. Policies can be targeted to specific applications such as Exchange, to users, or to groups, and can be configured via the AAD Admin Center.

Last week, CISA held its third Cybersecurity Advisory Committee meeting, where members provided updates and key recommendations to CISA Director Jen Easterly on the work of its six subcommittees. The director will now review these recommendations and respond to the subcommittees.
