<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security &#8211; Virtuas</title>
	<atom:link href="https://virtuas.com/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://virtuas.com</link>
	<description>Houston IT Services - Top Rated - Public Benefit Corporation</description>
	<lastBuildDate>Mon, 06 Apr 2026 14:10:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://virtuas.com/wp-content/uploads/2026/03/Virtuas-Icon-Logomark-300x300-1-150x150.png</url>
	<title>Security &#8211; Virtuas</title>
	<link>https://virtuas.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>The Importance of Data Governance for Microsoft 365 Copilot</title>
		<link>https://virtuas.com/insights/digital-workplace/microsoft-365-copilot-data-governance/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Thu, 29 Aug 2024 19:03:26 +0000</pubDate>
				<category><![CDATA[Digital Workplace]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Businesses]]></category>
		<category><![CDATA[copilot]]></category>
		<category><![CDATA[Productivity]]></category>
		<category><![CDATA[Surface Laptop]]></category>
		<category><![CDATA[Surface Pro]]></category>
		<category><![CDATA[Workspaces]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1736</guid>

					<description><![CDATA[How to avoid the risks of exposing sensitive information with Copilot Microsoft 365 Copilot is a powerful tool that can help users write faster and better by providing suggestions and insights based on the context and content of their documents. Copilot uses artificial intelligence to learn from the data that users have access to, such [&#8230;]]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">How to avoid the risks of exposing sensitive information with Copilot</h2>



<p>Microsoft 365 Copilot is a powerful tool that can help users write faster and better by providing suggestions and insights based on the context and content of their documents. Copilot uses artificial intelligence to learn from the data that users have access to, such as files, emails, chats, and web pages, and generates relevant and coherent texts that can improve productivity and creativity.</p>



<p>However, Copilot also poses some challenges and risks for businesses that lack appropriate governance for their data, especially when it comes to sensitive information. Without proper data classification, protection, and monitoring, Copilot can potentially expose confidential or regulated data to unauthorized users or leak it to external parties. This can result in legal, reputational, and financial damage, as well as loss of trust and compliance.</p>



<h2 class="wp-block-heading">What are sensitivity labels and why are they important?</h2>



<p>Sensitivity labels are a feature of Microsoft 365 that allow companies to classify and protect their data based on its level of sensitivity. Sensitivity labels can be applied to documents, emails, and other types of data, either manually by users or automatically by policies. Sensitivity labels can also enforce encryption, access restrictions, watermarks, and other protection actions on the data, regardless of where it is stored or shared.</p>



<p>Sensitivity labels are important for several reasons. First, they help organizations comply with data protection regulations, such as GDPR, HIPAA, or PCI DSS, by ensuring that sensitive data is handled appropriately and securely. Second, they help prevent data loss or leakage, by preventing unauthorized access, copying, or sharing of sensitive data. Third, they help maintain data quality and integrity, by preventing accidental or malicious modification or deletion of sensitive data.</p>



<p>By applying sensitivity labels to their data, companies can benefit from Microsoft 365 Copilot without compromising their data security or privacy. Copilot will respect the sensitivity labels and will not suggest or generate texts that contain sensitive information that the user is not authorized to access or share. Copilot will also not learn from or store sensitive data that is encrypted or protected by sensitivity labels. This way, organizations can leverage Copilot&#8217;s capabilities while minimizing the risks of data exposure or misuse.</p>



<h2 class="wp-block-heading">What are the risks of not having sensitivity labels applied before enabling Copilot?</h2>



<p>If companies do not apply sensitivity labels to their data before enabling Copilot, they may face several risks and challenges. Some of these are:</p>



<p><strong>Copilot may ingest and learn from sensitive data</strong> that is not protected by sensitivity labels, such as personal information, financial data, health records, trade secrets, or intellectual property. This may result in Copilot suggesting or generating texts that contain sensitive information that the user or the recipient is not authorized to access or share. For example, Copilot may suggest a customer&#8217;s name, address, or credit card number in an email, or a company&#8217;s confidential strategy or financial report in a document. This may violate data protection regulations, breach confidentiality agreements, or expose competitive advantages.</p>



<p><strong>Copilot may not respect the traditional SharePoint permissions</strong> that companies rely on to control access to their data. SharePoint permissions are based on the location of the data and the role of the user, and they do not apply to the content or the context of the data. Copilot, on the other hand, is based on the content and the context of the data. This may result in Copilot suggesting or generating texts that contain information that the user or the recipient is not supposed to see or know. For example, Copilot may suggest a project status, a budget, or a feedback item that is only meant for a specific team or manager, or a sensitive issue or problem that is only known to a few people.</p>



<p><strong>Copilot may enable users to access sensitive information</strong> that they do not have access to in SharePoint, through prompt engineering. Prompt engineering is the technique of crafting specific queries or prompts that can elicit specific responses from Copilot. For example, a user may ask Copilot to write a summary of a document, a list of key points, or a question-and-answer session. If Copilot has learned from sensitive data that is not protected by sensitivity labels, it may reveal that information in its responses, even if the user does not have access to the folder in SharePoint. This may allow users to bypass SharePoint permissions and access sensitive information that they are not supposed to see or know.</p>



<h2 class="wp-block-heading">How can Microsoft Purview and overall data governance help?</h2>



<p>Microsoft Purview is a unified data governance service that helps companies discover, catalog, map, and classify their data across Microsoft 365 and other sources. Purview can help organizations apply sensitivity labels and other data protection policies to their data, as well as monitor and audit their data usage and compliance.</p>



<p>Purview can help avoid the risks of not having sensitivity labels applied before enabling Copilot, by providing the following benefits:</p>



<p><strong>Purview can help discover and catalog data</strong> across Microsoft 365 and other sources, such as Azure, Power BI, SQL Server, or third-party cloud services. Purview can also help users understand the lineage, relationships, and quality of their data, as well as the business terms and definitions associated with their data. This can help identify and prioritize the data that needs to be classified and protected by sensitivity labels, as well as the data that can be safely used by Copilot.</p>



<p><strong>Purview can help map and classify data</strong> based on its level of sensitivity, using predefined or custom sensitivity labels. Purview can also help apply sensitivity labels and other data protection policies to their data, either manually or automatically, using rules, conditions, or machine learning. This can help ensure that data is consistently and accurately labeled and protected, regardless of where it is stored or shared, and that Copilot respects the sensitivity labels and does not expose or misuse sensitive data.</p>



<p><strong>Purview can help monitor and audit data</strong> usage and compliance, by providing insights and reports on how their data is accessed, shared, and protected across Microsoft 365 and other sources. Purview can also help detect and respond to data incidents, such as data breaches, leaks, or violations, by providing alerts and notifications, as well as remediation actions and recommendations. This can help maintain visibility and control over data and ensure that Copilot is used in a responsible and compliant manner.</p>



<p>Overall data governance is an essential prerequisite for implementing Microsoft 365 Copilot, as it can help maximize the benefits and minimize the risks of using Copilot. By applying sensitivity labels and other data protection policies to their data, companies can ensure that Copilot respects data security and privacy and does not suggest or generate texts that contain sensitive information that the user or the recipient is not authorized to access or share. By using Microsoft Purview and other data governance tools, organizations can discover, catalog, map, classify, monitor, and audit their data across Microsoft 365 and other sources, and ensure that their data is consistently and accurately labeled and protected.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>Microsoft 365 Copilot is a powerful tool that can help write faster and better by providing suggestions and insights based on the context and content of company data. However, Copilot also poses some challenges and risks for businesses that lack appropriate governance for their data, especially when it comes to sensitive information. Without proper data classification, protection, and monitoring, Copilot can potentially expose confidential or regulated data to unauthorized users or leak it to external parties.</p>



<p>To avoid these risks, companies need to apply sensitivity labels and other data protection policies to their data before enabling Copilot. Sensitivity labels can help classify and protect data based on its level of sensitivity and ensure that Copilot respects the sensitivity labels and does not suggest or generate texts that contain sensitive information that the user or the recipient is not authorized to access or share. Companies also need to use Microsoft Purview and other data governance tools to discover, catalog, map, classify, monitor, and audit data across Microsoft 365 and other sources, and ensure that data is consistently and accurately labeled and protected.</p>



<p>By following these best practices, organizations can benefit from Microsoft 365 Copilot without compromising data security or privacy. Copilot can help improve productivity and creativity, while data governance can help maintain compliance and trust.</p>



<p>Should your business require assistance with integrating Copilot into your systems, please feel free to&nbsp;<a href="https://virtuas.com/contact/">contact us.</a>  </p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Safeguarding against AI-powered Cyber Threats</title>
		<link>https://virtuas.com/insights/news/defend-against-ai-cyberattacks/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Thu, 06 Jun 2024 22:15:50 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[Business]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1683</guid>

					<description><![CDATA[At Virtuas, we strive to keep our clients updated on the latest AI developments. One thing all businesses should be aware of is the security risks associated with AI. While technology is advancing with AI, it is also causing cybersecurity attacks. For example, automated spear phishing campaigns are more prevalent than ever before, and it [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>At Virtuas, we strive to keep our clients updated on the latest AI developments. One thing all businesses should be aware of is the security risks associated with AI. While technology is advancing with AI, it is also causing cybersecurity attacks. For example, automated spear phishing campaigns are more prevalent than ever before, and it is crucial to be ahead of the curve and learn how to defend against these attacks.</p>



<h2 class="wp-block-heading">Navigating the Intersection of AI and Cybersecurity: Risks and Opportunities</h2>



<p>The advent of artificial intelligence (AI) has brought about a paradigm shift in various sectors, including cybersecurity. While AI can significantly enhance threat detection and response, it also introduces new vulnerabilities and attack vectors. The potential risks and challenges of AI attacks stem from their sophistication and speed, which can outpace traditional security measures. AI-powered attacks can exploit data, manipulate algorithms, and even autonomously conduct operations that blend in with regular activity, making them particularly difficult to detect and mitigate.</p>



<h2 class="wp-block-heading">Examples of AI attacks include:</h2>



<ul class="wp-block-list">
<li>Prompt Injection</li>



<li>Evasion Attacks</li>



<li>Training Data Poisoning</li>



<li>Weaponized Models</li>



<li>Data Privacy Attacks</li>



<li>Model Denial of Service</li>



<li>Model Theft</li>
</ul>



<h2 class="wp-block-heading">Strengthening AI Security: Best Practices for Businesses</h2>



<p>Businesses must be vigilant and proactive in protecting themselves against these threats. Implementing defensive AI is crucial; it can analyze patterns and anomalies in data to identify potential threats in real-time. Additionally, businesses should ensure that their AI systems are transparent and have robust oversight mechanisms to prevent exploitation. Regular security audits and system assessments can help identify and address vulnerabilities. Employee training is also essential, as human error can often be the weakest link in security.</p>



<p>Moreover, businesses should adopt multi-factor authentication (MFA) to regulate access to AI-based tools and systems. Filtration and moderation techniques can prevent the dissemination of malicious content generated by AI-powered tools. It is also advisable to stay updated on the latest threats and to leverage &#8220;temperature flags&#8221; that can indicate suspicious activity. Building out in-depth defense measures, securing AI-based applications, and following AI application security best practices are all steps that can be taken to fortify a company&#8217;s defenses against AI attacks.</p>



<h2 class="wp-block-heading">The Ultimate Defense</h2>



<p>Virtuas employs a multi-layered approach to safeguard its clients’ networks against AI-driven cyber threats. At the forefront, Palo Alto firewalls serve as the initial line of defense. Renowned for their robustness and advanced threat detection capabilities, these firewalls effectively filter incoming and outgoing traffic, preventing unauthorized access and malicious activities.</p>



<p>In addition, Virtuas leverages Microsoft Defender for Business and Defender for Endpoint. These Endpoint Detection and Response (EDR) solutions provide real-time monitoring, threat intelligence, and incident response. By analyzing endpoint behavior, they swiftly identify and mitigate any suspicious activities, ensuring comprehensive protection for client devices.</p>



<p>Recognizing that email remains a prime vector for cyberattacks, Virtuas recommends Proofpoint as an essential layer of defense. This email security solution employs advanced threat detection algorithms, sandboxing, and URL rewriting to prevent phishing attempts, malware distribution, and other email-based threats. By combining these defenses, Virtuas fortifies its clients’ digital infrastructure, safeguarding critical data and maintaining business continuity.</p>



<p>Palo Alto firewalls, Microsoft Defender, and Proofpoint can leverage AI to be more effective in fighting against cyber-attacks.</p>



<p>To prevent human error, Virtuas has a proven track record of providing phishing awareness training to numerous clients. Our proactive and transparent approach involves close communication with client users. Whenever we identify practices that deviate from industry best practices, we promptly offer advice to ensure robust cybersecurity. Are you worried about AI attacks affecting your business? <a href="https://virtuas.com/contact/">Contact Us.</a></p>



<h2 class="wp-block-heading">Securing the AI Frontier</h2>



<p>While AI presents significant opportunities for advancement, it also necessitates an innovative approach to cybersecurity. Businesses must balance the benefits of AI with the risks it poses and develop comprehensive strategies to protect against AI-powered cyber threats. Utilizing Palo Alto&#8217;s firewalls, Microsoft&#8217;s Defender, and Proofpoint are just a few ways businesses can protect themselves from these cyber-attacks. By leveraging AI for defense, ensuring transparency and oversight, conducting regular audits, training employees, and implementing robust security measures, businesses can mitigate the risks associated with AI attacks.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Strictly Enforce Location Policies with Continuous Access Evaluation</title>
		<link>https://virtuas.com/insights/security/continuous-access-evaluation/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Wed, 30 Aug 2023 20:09:11 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1519</guid>

					<description><![CDATA[Continuous Access Evaluation lets organizations secure cloud resources with location policies. It’s a new feature in preview. Without it, they may face threats.]]></description>
										<content:encoded><![CDATA[
<p>At Virtuas, we always look for ways to help our clients improve their security posture and protect their sensitive data. One of the challenges our clients face is preventing unauthorized access to cloud resources from stolen or compromised tokens. A solution to this challenge is a new feature of Microsoft Entra ID that is currently in public preview. Microsoft Entra ID enables organizations to enforce location policies strictly with Continuous Access Evaluation.</p>



<h2 class="wp-block-heading">What is Continuous Access Evaluation and Why do Organizations Need it?</h2>



<p>Continuous Access Evaluation is a mechanism that offers real-time evaluation of Conditional Access policies for certain apps, such as Exchange Online, SharePoint, Teams, and Microsoft Graph. Continuous Access Evaluation enables these apps to revoke tokens in near real-time in response to network change events noticed by the app, such as IP address changes, device state changes, or user risk changes.</p>



<p>This means that if an attacker steals a token from a legitimate user and tries to use it from a different location, the app will detect the location change and block the access, preventing data leakage or compromise.</p>



<p>However, Continuous Access Evaluation has a limitation: it only works for apps supporting it. For apps that don&#8217;t support Continuous Access Evaluation, such as legacy or third-party apps, the token will still be valid until it expires or is revoked by Azure AD. This creates a window of opportunity for attackers to exploit the token and access resources that are not protected by Continuous Access Evaluation. That&#8217;s where Strictly Enforce Location Policies comes in.</p>



<h2 class="wp-block-heading">What is Strictly Enforce Location Policies and How Does it Work?</h2>



<p>Strictly Enforce Location Policies is a new enforcement mode for Continuous Access Evaluation used in Conditional Access policies. This new mode provides protection for resources, immediately stopping access if the IP address detected by the resource provider isn&#8217;t allowed by Conditional Access policy.</p>



<p>This option is the highest security modality of Continuous Access Evaluation location enforcement and requires that administrators understand the routing of authentication and access requests in their network environment.</p>



<p>When organizations enable Strictly Enforce Location Policies, they must ensure that all IP addresses from which the users can access Microsoft Entra ID and resource providers are included in the IP-based named locations policy. Otherwise, a user might accidentally be blocked.</p>



<p>Organizations can use the Continuous Access Evaluation Workbook or Sign-in logs to determine which IP addresses are seen by Continuous Access Evaluation resource providers and configure policies accordingly.</p>



<h2 class="wp-block-heading">How Can Organizations Benefit from Strictly Enforce Location Policies?</h2>



<p>By using Strictly Enforce Location Policies, organizations can achieve the following benefits:</p>



<ol class="wp-block-list">
<li>Reduce the risk of token theft and replay attacks by enforcing location policies at the resource level. This prevents the attacker from accessing sensitive data or performing malicious actions on behalf of the user. This also reduces the impact of token expiration or revocation, as the token will be invalid as soon as the user changes their location.</li>



<li>Enhance security posture by applying the principle of least privilege and granting access only from trusted locations. This means that organizations can limit the exposure of their cloud resources to only the locations that are necessary for their business operations. This minimizes the attack surface and reduces the chances of data breaches or unauthorized access. This also helps organizations comply with regulatory or contractual obligations that may require them to restrict data access based on location.</li>



<li>Simplify compliance requirements by ensuring that data is accessed only from authorized locations. This means that organizations can easily demonstrate that they have implemented adequate controls to protect their data from unauthorized access based on location. This can help them avoid fines, penalties, or reputational damage that may result from failing to comply with data protection laws or standards. This can also help them gain trust and confidence from their customers, partners, and stakeholders that their data is secure and well-managed.</li>
</ol>



<h2 class="wp-block-heading">Conclusion</h2>



<p>Strictly Enforce Location Policies is a powerful feature that can help organizations protect their cloud resources from unauthorized access. By using this feature in combination with Continuous Access Evaluation, businesses can achieve a high level of security and compliance.</p>



<p>However, this feature also requires careful planning and testing before deployment. Organizations must ensure that all authentication traffic towards Azure AD and access traffic to resource providers are from dedicated egress IPs that are known and allowed by policies.</p>



<p>Organizations in need of any assistance or guidance on how to implement this feature can <a href="https://virtuas.com/contact/">contact</a> Virtuas.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>6 Steps to Protect IT from a Cyberattack</title>
		<link>https://virtuas.com/insights/security/protect-against-a-cyberattack/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Fri, 07 Apr 2023 15:57:35 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1327</guid>

					<description><![CDATA[Do you know the importance of defending against a cyberattack?  Here are six tips that we implement with our clients for defending against a cyberattack.]]></description>
										<content:encoded><![CDATA[<p>Defending against attacks is more important than ever as organizations use more data and attackers become more sophisticated. Organizations can drastically increase their chances of preventing attacks by enforcing a proper cybersecurity plan. Without a comprehensive approach, organizations are vulnerable to risking their data, revenue, and credibility. Here are six concepts we at Virtuas implement with our clients to defend against cyberattacks and protect data.</p>
<h2>Segment Networks to Prevent Lateral Movements</h2>
<p>Serious threats can arise when malware has unlimited network access, leading to lateral movements. A lateral movement occurs when an attacker moves from one system to another in search of desired data. Segmenting networks is essential for enhanced security because network managers can better control traffic and limit access to sensitive data. Along with enhancing security, segmenting networks improves network performance and management.</p>
<h2>Preserve Backups in Isolation</h2>
<p>Having a separate set of credentials for backups adds a layer of security, reducing the risk of unauthorized access to the backup data. When organizations do not preserve backups in isolation, attackers have a better chance of accessing backups after an attack on the primary system. Attackers can then manipulate or delete the backup data, rendering it useless for recovery.</p>
<h2>Implementing Multifactor Authentication</h2>
<p>Implementing a Multifactor Authentication (MFA) process requires each user to have unique criteria to access a desired account. Enabling MFA decreases the chance of an account becoming compromised or impersonated. MFA has various notification types including text codes, email codes, and number matching. The recommended MFA notification type is number matching due to its increased security protection.</p>
<p>Number matching provides a unique number that gives additional security by ensuring that hackers cannot access a desired account through tactics such as MFA bombing or MFA fatigue attacks. To learn more about number matching MFA, <a href="https://virtuas.com/insights/news/new-mfa-number-matching-requirement/">click here.</a></p>
<h2>Perform Backups Regularly with Immutability</h2>
<p>Performing backups regularly ensures that data remains unaltered in the case of a cyberattack and protects against software bugs and human errors. Backups with immutability are recommended because once these backups are created, the data contained within them cannot be modified, deleted, or altered in any way. Creating a 3-2-1 backup strategy is recommended to increase protection measures and ensure data remains safe. The 3-2-1 strategy requires having three copies of data, on two different media types, with one copy offsite (preferably air-gapped), all of which increase protection.</p>
<h2>Test and Update Recovery Plans</h2>
<p>It is critical to perform frequent tests to identify Recovery Point Objectives (RPOs) and Recovery Time Actuals (RTAs) and to ensure high-priority data and applications are defined. Testing will allow IT staff to verify that recovery procedures and technologies are working as expected. Following testing, implement changes or updates to cybersecurity plans to ensure organizational data is protected.</p>
<h2>Additional Steps</h2>
<p>At Virtuas, we implement these six concepts with our clients to increase protection against cybersecurity threats. Additional measures to improve protection include: understanding data thoroughly, installing antivirus protection, ensuring up-to-date patches, and conducting employee security training.</p>
<p>Does your organization need help to protect against a cyberattack? <a href="https://virtuas.com/contact/">Contact</a> us at Virtuas for all your cybersecurity needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New MFA Number Matching Requirement</title>
		<link>https://virtuas.com/insights/news/new-mfa-number-matching-requirement/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Tue, 28 Mar 2023 13:31:49 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Microsoft 365]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1296</guid>

					<description><![CDATA[Microsoft is enforcing number matching for their multifactor authentication app starting on May 8th, 2023.]]></description>
										<content:encoded><![CDATA[



<p>Multifactor Authentication (MFA) adds a layer of security protection by requiring users to provide information beyond a password when they try to log into their account. Microsoft utilizes and recommends number matching notifications for its MFA services, an upgrade from traditional two-factor notifications. Users are sent a unique number they need to type into the Microsoft Authenticator app before they access their account. </p>



<p>Other forms of MFA include text-message and email codes, but they are overall less secure. Text-message and email code notifications lack the uniqueness that number matching provides, which puts users&#8217; accounts at risk. The unique number provides additional security by ensuring that hackers cannot gain access to a desired account through tactics such as MFA bombing and MFA fatigue attacks. Due to the increased security risk, Microsoft will soon enforce number matching notifications for all Microsoft Authenticator users.</p>



<h2 class="wp-block-heading">What is Happening?</h2>



<p>Until now, the Microsoft Authenticator app sent a simple push notification and allowed admin control and enforcement of which notification type was used. Users could choose if they wanted to use number matching or a different type of MFA notification. Starting on May 8, 2023, Microsoft is removing the admin control and enforcing the number match experience for all Microsoft Authenticator push notifications.</p>



<p>Number matching is the most secure form of MFA notification, and organizations are faced with an increased risk of a cyberattack when using other forms. Wanting to decrease the risk of attacks, Microsoft is taking matters into their own hands and enforcing the most secure form of MFA notifications for all users of their authenticator app.</p>



<h2 class="wp-block-heading">Why is Number Matching for MFA Being Enforced?</h2>



<p>While all MFA notification types have provided additional areas of protection for organizations&#8217; accounts, attackers have found ways to override the system. By using techniques such as MFA bombing and MFA fatigue attacks, attackers are able to bypass traditional security methods.</p>



<p>MFA bombing, which leads to MFA fatigue attacks, allows attackers to send large numbers of authentication requests to an online account. With the help of automated tools and sometimes stolen credential data, attackers are able to send out thousands of notification requests. The hope is the user will get so overwhelmed by the bombardment of MFA notifications that the user selects “allow” to make the notifications stop. Once the user allows access into their account, hackers can gain access to the desired system, often installing ransomware and holding data hostage in exchange for money.</p>



<p>MFA bombing and MFA fatigue attacks are preventable when number matching is used as the notification type. The unique number provided with number matching increases protection for users. Other forms of MFA notifications lack this uniqueness, which puts individual accounts and organizational data at an increased risk. The number provided is almost impossible to duplicate, which ensures that organizations are protected from these attacks. Unlike with text and email codes, attackers can no longer send out thousands of automated requests that bombard users in an attempt to access a desired account.</p>



<p>As cybersecurity risks increase, organizations must adapt and become more vigilant when protecting their data. Microsoft understands the risk of not enabling number matching, which is why they are enforcing it starting on May 8, 2023.</p>






<h2 class="wp-block-heading">What Can Your Organization Do?</h2>



<p>Although organizations have until May 8th to enable MFA number matching, we have already been rolling out number matching for our clients. We recommend working with our team to schedule the transition before it&#8217;s enforced on May 8th to ensure your organization has increased protection against cybersecurity attacks.</p>



<p><a href="https://virtuas.com/contact/" target="_blank" rel="noreferrer noopener">Contact</a> us at Virtuas for assistance enabling number-matching notifications and for all your cybersecurity needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Apache Log4j Vulnerability and Our Response</title>
		<link>https://virtuas.com/insights/news/response-to-apache-log4j-vulnerability/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Mon, 13 Dec 2021 23:51:46 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1193</guid>

					<description><![CDATA[Log4j, a popular open-source Java logging library, is vulnerable to a serious exploit.]]></description>
										<content:encoded><![CDATA[
<p>On December 9<sup>th</sup>, 2021, a remote code execution vulnerability in Apache Log4j was revealed. It is being actively exploited by attackers, which prompted the US Cybersecurity and Infrastructure Security Agency to issue a statement about this software bug on December 11<sup>th</sup>, 2021.</p>



<h2 class="wp-block-heading">What Is Log4j?</h2>



<p>Log4j is a popular open-source Java logging library used in countless applications across the world. Its lightweight framework allows developers to create a log of everything an application has done for the purpose of debugging.</p>



<h2 class="wp-block-heading">What is the exploit?</h2>



<p>Log4j allows logged messages to contain format strings that reference outside information through the Java Naming and Directory Interface (JNDI). If an attacker sends the library a message in the form of a special string of characters, they can perform remote code execution, which means they can run any code and access all data on the affected machine.</p>



<h2 class="wp-block-heading">Who is affected?</h2>



<p>The full scope of this exploit has not yet been uncovered, but the impact is wide and far-reaching. New information is being actively reported, and you can view an active list of affected vendors and their responses <a href="https://vrt.to/6qq" target="_blank" rel="noreferrer noopener">here</a>.</p>



<h2 class="wp-block-heading">Virtuas Response</h2>



<p>Our managed services clients have properly configured firewalls with threat protection that prevents outside attackers from using this exploit. Virtuas has helped clients identify any affected systems and promptly applied the necessary updates to improve their security posture.</p>



<p>If you are not currently a customer and need assistance with this threat or any other, please <a href="/contact">contact us</a>.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Virtuas Response to Kaseya Ransomware Attack</title>
		<link>https://virtuas.com/insights/news/virtuas-response-to-kaseya-ransomware-attack/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Tue, 06 Jul 2021 19:57:12 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1128</guid>

					<description><![CDATA[Over the Fourth of July weekend, it was revealed that Kaseya&#8217;s VSA software was used to launch the largest ransomware attack on record, affecting over a million systems. Kaseya&#8217;s VSA product is a suite of software tools that help IT companies and IT departments manage and monitor computer systems remotely. A vulnerability in the software [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>Over the Fourth of July weekend, it was revealed that Kaseya&#8217;s VSA software was used to launch the largest ransomware attack on record, affecting over a million systems. Kaseya&#8217;s VSA product is a suite of software tools that help IT companies and IT departments manage and monitor computer systems remotely. A vulnerability in the software allowed attackers to compromise companies using Kaseya&#8217;s software.</p>



<p><strong>Virtuas does not use any Kaseya products</strong>, so we are not affected. The Kaseya VSA software is relatively popular, so we urge caution over the next few months as the data harvested may be used in phishing campaigns against the suppliers and customers of those impacted by this attack. </p>



<p>If you know a company that was affected and requires assistance, please <a href="/contact/?contact-reason=Kaseya%20Ransomware%20Assistance#contact-message" target="_blank" rel="noreferrer noopener">contact us</a>. </p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Strengthen Your Company&#8217;s Security with Secure Score</title>
		<link>https://virtuas.com/insights/cloud/secure-score-video/</link>
		
		<dc:creator><![CDATA[Virtuas]]></dc:creator>
		<pubDate>Tue, 15 Jun 2021 20:16:58 +0000</pubDate>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Beginner]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Video]]></category>
		<guid isPermaLink="false">https://virtuas.com/?p=1084</guid>

					<description><![CDATA[Use Microsoft Secure Score to check and improve your company's security. Watch the video to see how Secure Score works.]]></description>
										<content:encoded><![CDATA[
[embedyt] https://www.youtube.com/watch?v=2H_09a0etGM[/embedyt]



<p>Ransomware and security threats are prevalent, and they are getting more sophisticated. How protected is your company from malicious threats? Use Microsoft Secure Score to check your company&#8217;s protection and use the recommendations to improve your security. </p>



<p>Virtuas has many tutorials on Microsoft 365 applications. Watch our <a href="http://vrt.to/playlist" class="rank-math-link" target="_blank" rel="noopener">playlist</a> and <a href="http://vrt.to/youtube" class="rank-math-link" target="_blank" rel="noopener">subscribe to our channel</a> to see more tutorials!</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
