What we can learn from the Belgian police data breach
The cause of the November 2022 breach of the Belgian police is all too common: a weak password and no multi-factor authentication (MFA). Here are six simple steps the Belgian police could have taken to prevent it.
Written by Ciaran Butler
A story you may have missed last year, hidden among all the other stories about hacks, breaches and leaks, was the Belgian police force suffering a major data breach. In this incident the perpetrators published data about parking fines and licence plates, and even photos of abused children. The source of the issue? A weak password and no multi-factor authentication (MFA).
Unfortunately, most of the coverage of the incident contained no technical details and merely emphasised the poorly secured remote-access system that had been put in place. That is far from a unique scenario.
News coverage of these incidents often relies on scare tactics and can prompt organisations to reconsider their remote-working policies. A better response than cutting off remote access is to restrict the kinds of device that may use it, allowing only devices the organisation manages to connect.
An organisation might decide to allow access only if the device meets a number of predetermined requirements, such as:
- The antivirus scanner is enabled and up to date
- Disk encryption is enabled
- The device runs a supported version of Windows 10/11
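The device requirements listed above map directly onto an Intune compliance policy, and Conditional Access can then grant access only to devices Intune reports as compliant. The following is an added example, not code from the original article: it assumes the Microsoft Graph PowerShell SDK, a tenant licensed for Intune and Azure AD (Entra ID) P1, and a break-glass group whose GUID is a placeholder to be replaced. The minimum OS build is also an assumption.

```powershell
# Added example (not from the original article): turn the three device requirements
# into an Intune compliance policy and a Conditional Access policy that depends on it.
# Assumes Microsoft Graph PowerShell SDK, Intune + Entra ID P1, placeholder group GUID.
Connect-MgGraph -Scopes @('DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All')

$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency-access accounts

# 1. Intune compliance policy for Windows 10/11. A device failing any rule is
#    reported as non-compliant, which Conditional Access below turns into a denial.
$compliance = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Windows - baseline for remote access'
    description              = 'Antivirus on and current, BitLocker on, supported OS build'
    defenderEnabled          = $true            # Microsoft Defender Antivirus running
    rtpEnabled               = $true            # real-time protection on
    antivirusRequired        = $true            # an active, up-to-date AV product reported
    bitLockerEnabled         = $true            # system drive encrypted with BitLocker
    storageRequireEncryption = $true
    osMinimumVersion         = '10.0.19045'     # assumption: Windows 10 22H2 as the oldest build allowed
    # Graph rejects a compliance policy without at least one scheduled action;
    # 0 grace hours means a failing device is marked non-compliant immediately.
    scheduledActionsForRule  = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$compliancePolicy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
Write-Host "Created compliance policy $($compliancePolicy.Id); assign it to a device group in Intune"

# 2. Conditional Access: all cloud apps, all users except break-glass, granted only
#    when the device is Intune-compliant OR hybrid Azure AD joined.
#    Start in report-only mode and review the sign-in log before setting 'enabled':
#    an enforced policy with no compliant devices locks everyone out, including admins.
$ca = @{
    displayName   = 'Require compliant or hybrid-joined device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}
$caPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
Write-Host "Created Conditional Access policy $($caPolicy.Id) in report-only mode"
```

The compliance policy still has to be assigned to a device group (in the Intune portal or via the policy's assign action) before any device is evaluated against it; until then every device is "not evaluated" rather than "compliant", which is another reason to keep the Conditional Access policy in report-only mode first.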
However, rather than responding by removing access (and with it the efficiency, flexibility and agility of the workforce), the Belgian police could have taken some simple steps to add a low-touch layer of security that would have prevented the incident.
1. Strong authentication
An analysis of the breach shows that there was no complexity requirement for passwords, so the password of the affected account was very easy to guess. In addition, MFA had not been turned on. For the attacker this was less a hack than simply logging in.
Strong authentication starts with a strong password, but not relying on the password alone strengthens your security far more. While not every organisation is ready for passwordless authentication, that is where modern authentication is headed: back in 2019 Microsoft published a post titled “Your Pa$$word doesn’t matter”.
2. Azure AD Password Protection
At Ekco, we recommend Azure AD Password Protection to enforce strong passwords. It detects and blocks known weak passwords and their common variants (such as character substitutions), and can also block additional organisation-specific weak terms.
Specific strings, such as the organisation's name, locations or product names, can be added to a custom banned password list. This stops users creating easily guessable passwords that offer little resistance to dictionary-based attacks.
The on-premises deployment of Azure AD Password Protection uses the same global and custom banned password lists stored in Azure AD, and performs the same checks for on-premises password changes as Azure AD does for cloud-based changes.
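To show what the custom list does in practice, here is an added example that is not code from the original article. It publishes an organisation-specific banned password list through Microsoft Graph and, alongside it, emulates the password evaluation Microsoft documents for Password Protection (normalisation, one point per banned term found, one point per remaining character, accepted at five points) so candidate passwords can be sanity-checked before the list goes live. The emulation leaves out the service's edit-distance-1 fuzzy matching and its check against the user's own name. It assumes the Microsoft.Graph.Beta.Identity.DirectoryManagement module (directory settings are beta-only in Graph) and an Entra ID P1/P2 licence; the banned terms and sample passwords are constructed.

```powershell
# Added example, not code from the original article. Assumes the Graph Beta module
# and Entra ID P1/P2; all terms and sample passwords below are constructed.

# Emulation of the documented evaluation (fuzzy matching and user-name checks omitted).
function Test-PasswordScore {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$BannedTerms
    )
    # Step 1: lower-case and undo the common substitutions 0->o, 1->l, $->s, @->a
    $normalised = $Password.ToLowerInvariant().Replace('0', 'o').Replace('1', 'l').Replace('$', 's').Replace('@', 'a')
    $remaining  = $normalised
    $score      = 0
    # Step 2: one point per banned term found. Longest terms first so a long term is
    # not counted a second time through a shorter term it contains.
    $ordered = $BannedTerms | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique | Sort-Object -Property Length -Descending
    foreach ($term in $ordered) {
        $hits = [regex]::Matches($remaining, [regex]::Escape($term)).Count
        if ($hits -gt 0) {
            $score    += $hits
            $remaining = $remaining.Replace($term, "`0")   # blank the match, keep its neighbours apart
        }
    }
    # Step 3: one point per character not consumed by a banned term; accept at five
    $score += $remaining.Replace("`0", '').Length
    [pscustomobject]@{ Password = $Password; Normalised = $normalised; Score = $score; Accepted = ($score -ge 5) }
}

# Publish the custom list. Terms must be 4-16 characters, at most 1000 of them,
# tab-delimited in one string; the on-premises DC agent enforces the same list.
function Publish-BannedPasswordList {
    param(
        [Parameter(Mandatory)][string[]]$Terms,
        [ValidateSet('Audit', 'Enforce')][string]$OnPremMode = 'Audit'
    )
    Connect-MgGraph -Scopes 'Directory.ReadWrite.All'
    $list = ($Terms | Where-Object { $_.Length -ge 4 -and $_.Length -le 16 } | Select-Object -First 1000) -join "`t"
    $values = @(
        @{ name = 'BannedPasswordList';                  value = $list }
        @{ name = 'EnableBannedPasswordCheck';           value = 'True' }
        @{ name = 'EnableBannedPasswordCheckOnPremises'; value = 'True' }
        @{ name = 'BannedPasswordCheckOnPremisesMode';   value = $OnPremMode }  # Audit first, read the agent event log, then Enforce
        @{ name = 'LockoutThreshold';                    value = '10' }         # smart lockout lives in the same template
        @{ name = 'LockoutDurationInSeconds';            value = '60' }
    )
    $template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq 'Password Rule Settings'
    $existing = Get-MgBetaDirectorySetting | Where-Object TemplateId -eq $template.Id
    if ($existing) {
        Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id -BodyParameter @{ values = $values }
    } else {
        New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = $values }
    }
}

# Constructed organisation-specific terms, plus a few entries of the kind the global list holds
$orgTerms   = @('politie', 'police', 'brussel', 'zonale', 'parkeer')
$globalLike = @('password', 'welcome', 'summer', 'winter')

'P@ssw0rd1', 'Welc0me!Brussel', 'Politie2022', 'Q7#vLp2!kxRm4' |
    ForEach-Object { Test-PasswordScore -Password $_ -BannedTerms ($globalLike + $orgTerms) } |
    Format-Table Password, Normalised, Score, Accepted

Publish-BannedPasswordList -Terms $orgTerms -OnPremMode Audit
```

Run locally, the emulation rejects "P@ssw0rd1" (normalised to "passwordl": one banned term plus one leftover character, two points) and "Welc0me!Brussel" (three points), while "Politie2022" scrapes through with exactly five points. That last result is the practical caveat: a banned list raises the floor on password quality, it does not make passwords strong, which is why the next two steps matter more.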
3. Multi Factor Authentication (MFA)
MFA is indispensable, adding an extra layer of security to the sign-in process. Before employees can access an account or application they have to verify their identity in a second step, for example by approving a push notification on their phone or by entering a code from an authenticator app or an SMS message. SMS is the weakest of these options (codes can be intercepted or obtained by SIM swapping) and should be a fallback rather than the default.
4. Number matching MFA
A relatively new MFA feature is number matching, an important security upgrade for traditional push notifications in Microsoft Authenticator. It helps prevent accidental approvals in the Authenticator app and protects against MFA fatigue attacks, in which an attacker who already holds the password bombards the user with push prompts until one is approved.
Microsoft Authenticator has an additional feature that shows users context in the approval notification: the name of the application and the sign-in location (derived from the IP address).
Number matching reduces the problem of MFA fatigue by:
- Requiring sight of the sign-in screen to approve a request. The user must enter in Authenticator the number displayed on the sign-in screen, so a prompt cannot be approved by someone who cannot see that screen.
- Discouraging prompt spam. Every sign-in request displays a fresh number, and because the user cannot approve a prompt without knowing it, generating multiple prompts is ineffective.
It is little wonder that Microsoft will enforce number matching for all Authenticator push users from 8 May 2023.
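The MFA requirement from step 3 and the Authenticator context features from step 4 are both tenant settings, and the following is an added example of configuring them, not code from the original article. It enables the application-name and sign-in-location context for all users through the Authenticator authentication method policy and adds a Conditional Access policy requiring MFA on every sign-in. Number matching itself no longer needs a setting: Microsoft enforced it for all Authenticator push users on 8 May 2023 and it cannot be switched off. The example assumes the Microsoft Graph PowerShell SDK and a break-glass group whose GUID is a placeholder.

```powershell
# Added example (not from the original article): Authenticator context features for
# everyone, plus Conditional Access requiring MFA. Assumes Microsoft Graph PowerShell
# SDK; the break-glass group GUID is a placeholder.
Connect-MgGraph -Scopes @('Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All')

$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency-access accounts
$allUsers = @{ targetType = 'group'; id = 'all_users' }
$noOne    = @{ targetType = 'group'; id = '00000000-0000-0000-0000-000000000000' }  # Graph's "exclude nobody" sentinel

# 1. Microsoft Authenticator method: enabled for all users, show app name and
#    sign-in location in every push prompt.
$authenticator = @{
    '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    id              = 'MicrosoftAuthenticator'
    state           = 'enabled'
    includeTargets  = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false; authenticationMode = 'any' }
    )
    featureSettings = @{
        # name of the application being signed in to
        displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $noOne }
        # approximate location derived from the requesting IP address
        displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $noOne }
    }
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' -BodyParameter $authenticator

# 2. Conditional Access: MFA on every cloud app for every user except break-glass.
#    Report-only first; switch to 'enabled' once the sign-in log shows no surprises.
$ca = @{
    displayName   = 'Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
Write-Host "Created '$($policy.DisplayName)' ($($policy.Id)) in report-only mode"

# 3. Read back what the tenant now reports for the Authenticator method
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' |
    ConvertTo-Json -Depth 6
```

The Conditional Access policy is deliberately created in report-only mode: with the policy in that state the sign-in log records which sign-ins would have been blocked, which surfaces service accounts and legacy clients that cannot do MFA before anyone is locked out.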
5. Employee awareness
Many risks can be overcome by technical solutions, but effective security lives and dies by the behaviour of its people. How do staff handle devices and login details? Does an employee know which links are safe to click? Do they know which files they can safely download?
It’s crucial to make employees central to the security of the organisation, by heightening their awareness and ensuring they know what to look out for. IBI Security Awareness can help with this.
6. Microsoft Defender for Office 365
Microsoft Defender for Office 365 complements Office 365 with cloud-based protection against zero-day malware and viruses and real-time protection against malicious links and documents. It defends the organisation against threats arriving via email messages, links (URLs) and collaboration tools.
Some of the features of Microsoft Defender for Office 365 include:
- Safe Attachments – provides zero-day protection to safeguard the messaging system by checking email attachments for malicious content.
- Safe Links – proactively protects users from malicious hyperlinks in a message.
- Safe Attachments for SharePoint, OneDrive, and Microsoft Teams – protects the organisation when users collaborate and share files by identifying and blocking malicious files in team sites and document libraries.
- Anti-phishing protection – uses machine-learning models and impersonation-detection algorithms to detect and block attempts to impersonate the organisation's users and domains (e.g. CEO fraud).
- Spoof intelligence – detects when a sender appears to be sending email on behalf of one or more user accounts within one of the organisation's domains, so that legitimate senders can be allowed and the rest blocked.
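The features listed above are configured as policies in Exchange Online. The following is an added example of setting them up with the ExchangeOnlineManagement module, not code from the original article. It assumes a Defender for Office 365 Plan 1 or 2 licence; 'contoso.example' is a placeholder for the organisation's accepted domain, and the protected executive entry is constructed.

```powershell
# Added example (not from the original article): Safe Links, Safe Attachments,
# Safe Attachments for SPO/OneDrive/Teams and anti-phishing with impersonation and
# spoof intelligence. Placeholder domain and constructed protected-user entry.
Connect-ExchangeOnline

$domain = 'contoso.example'   # placeholder accepted domain

# Safe Links: rewrite and scan URLs in mail, Teams and Office apps, scan on delivery,
# no click-through past the warning page.
$safeLinks = @{
    Name                     = 'SafeLinks-Default'
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true
    TrackClicks              = $true
    AllowClickThrough        = $false
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name 'SafeLinks-Default' -SafeLinksPolicy 'SafeLinks-Default' -RecipientDomainIs $domain -Priority 0

# Safe Attachments: detonate attachments in a sandbox and block the message if malware
# is found, quarantining it where only admins can release it.
New-SafeAttachmentPolicy -Name 'SafeAttachments-Default' -Enable $true -Action Block -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name 'SafeAttachments-Default' -SafeAttachmentPolicy 'SafeAttachments-Default' -RecipientDomainIs $domain -Priority 0

# Safe Attachments for SharePoint, OneDrive and Teams, plus Safe Documents (tenant-wide)
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false

# Anti-phishing: impersonation protection for named people and the organisation's own
# domains, mailbox intelligence, spoof intelligence, and a tighter phishing threshold.
$antiPhish = @{
    Name                                = 'AntiPhish-Default'
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @("Chief Executive;ceo@$domain")   # constructed entry, "DisplayName;address"
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'   # action when SPF/DKIM/DMARC composite authentication fails
    EnableFirstContactSafetyTips        = $true
    PhishThresholdLevel                 = 2              # 1 = standard, 4 = most aggressive
}
New-AntiPhishPolicy @antiPhish
New-AntiPhishRule -Name 'AntiPhish-Default' -AntiPhishPolicy 'AntiPhish-Default' -RecipientDomainIs $domain -Priority 0

# Read back the effective settings
Get-SafeLinksPolicy -Identity 'SafeLinks-Default' | Format-List EnableSafeLinksFor*, ScanUrls, AllowClickThrough
Get-AntiPhishPolicy -Identity 'AntiPhish-Default' | Format-List *ProtectionAction, EnableSpoofIntelligence, AuthenticationFailAction
```

Each policy only takes effect through its rule, which scopes it to recipients in the accepted domain; a policy without a rule does nothing. Microsoft's preset security policies (Standard and Strict) set broadly these values through the portal, but creating the policies explicitly makes the chosen actions visible and reviewable in code.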
No hack is 100% preventable. But you can take measures to make it as difficult as possible for cyber criminals. Taking basic steps makes you less appealing to malicious actors, who might move on to easier targets. It’s not a question of if, it’s when. So use this as a starting point:
- Take as many measures as possible to make it as difficult as possible for the hacker (if it takes too much effort, time and money, they may try somewhere else).
- Implement detection systems to identify an intruder as quickly as possible once they are inside. These include the Microsoft Defender stack: Defender for Identity, Defender for Endpoint, Defender for Servers and Defender for Cloud Apps. You can extend this to a fully managed XDR solution for stronger threat detection.
- Provide an offsite and immutable backup, test it periodically, and write a Disaster Recovery and Incident Response Plan. Also test these plans regularly.