Identify the more common threats to security and how to mitigate each threat.
Use the PKI features in the Windows Server operating system to protect the key data used for encryption for the TLS connections. The keys used for media encryptions are exchanged over TLS connections.
A distributed denial-of-service (DDOS) attack occurs when the attacker prevents normal network use and function by valid users. By using a denial-of-service attack, the attacker can:
- Send invalid data to applications and services running in the attacked network to disrupt their normal function.
- Send a large amount of traffic, overloading the system until it stops responding or responds slowly to legitimate requests.
- Hide the evidence of the attacks.
- Prevent users from accessing network resources. Mitigate these attacks by running Azure DDOS network protection and by throttling client requests from the same endpoints, subnets, and federated entities.
Eavesdropping occurs when an attacker gains access to the data path in a network and can monitor and read the traffic. Eavesdropping is also called sniffing or snooping. If the traffic is in plain text, the attacker can read the traffic when the attacker gains access to the path. An example is an attack performed by controlling a router on the data path.
Use mutual TLS (MTLS) and Server to Server (S2S) OAuth (among other protocols) for server communications within Microsoft 365 and Office 365, and also use TLS from clients to the service. All traffic on the network is encrypted.
These methods of communication make eavesdropping difficult or impossible to achieve within the period of a single conversation. TLS authenticates all parties and encrypts all traffic. While TLS doesn't prevent eavesdropping, the attacker can't read the traffic unless the encryption is broken.
The Traversal Using Relays around NAT (TURN) protocol is used for real-time media purposes. The TURN protocol doesn't mandate the traffic to be encrypted and the information that it's sending is protected by message integrity. Although it's open to eavesdropping, the information it's sending, that is, IP addresses and ports, can be extracted directly by looking at the source and destination addresses of the packets. Ensure that the data is valid by checking the Message Integrity of the message using the key derived from a few items including a TURN password, which is never sent in clear text. SRTP is used for media traffic and is also encrypted.
Spoofing occurs when the attacker identifies and then uses an IP address of a network, computer, or network component without being authorized to do so. A successful attack allows the attacker to operate as if the attacker is the entity normally identified by the IP address.
TLS authenticates all parties and encrypts all traffic. Using TLS prevents an attacker from performing IP address spoofing on a specific connection (for example, mutual TLS connections). An attacker could still spoof the address of the Domain Name System (DNS) server. However, because authentication is performed with certificates an attacker would not have a piece of valid information required to spoof one of the parties in the communication.
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. The attacker can monitor and read the traffic before sending it on to the intended recipient. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all while thinking they are communicating only with the intended user. This scenario can happen if an attacker can modify Active Directory Domain Services to add their server as a trusted server, modify DNS configuration, or use other means to get clients to connect through the attacker on their way to the server.
Man-in-the-middle attacks on media traffic between two endpoints participating in audio, video, and application sharing, are prevented by using Secure Real-Time Transport Protocol (SRTP) to encrypt the media stream. Cryptographic keys are negotiated between the two endpoints over a proprietary signaling protocol that uses TLS 1.2 and AES-256 (in GCM mode) encrypted UDP or TCP channel.
A replay attack occurs when a valid media transmission between two parties is intercepted and retransmitted for malicious purposes. Use SRTP with a secure signaling protocol that protects transmissions from replay attacks by enabling the receiver to maintain an index of already received RTP packets and compare each new packet with packets already listed in the index.
Spim is unsolicited commercial instant messages or presence subscription requests, like spam, but in instant message form. While not by itself a compromise of the network, it's annoying in the least, can reduce resource availability and production, and can lead to a compromise of the network. An example is users spimming each other by sending requests. Users can block each other to prevent spimming, but with the federation, if a malicious actor establishes a coordinated spim attack, it can be difficult to overcome unless you disable federation from the partner.
A virus is a unit of code whose purpose is to reproduce more, similar code units. To work, a virus needs a host, such as a file, email, or program. Like a virus, a worm is a unit of code that reproduces more, similar code units, but that unlike a virus doesn't need a host. Viruses and worms primarily show up during file transfers between clients or when URLs are sent from other users. If a virus is on your computer, it can, for example, use your identity and send instant messages on your behalf. Standard client security best practices such as periodically scanning for viruses can mitigate this issue.
Phishing attacks are costly monetarily and to peace of mind. These attacks operate using tricking users into revealing information such as passwords, codes, credit card numbers, and other critical information, through fake website links, and attachments that appear innocuous but can download dangerous software with a click. Because many of these attacks target users, even high-value targets with a lot of access, they can be pervasive. However, there are anti-phishing strategies for both administrators and users.