Secure Cloud Business Applications, assess your security – Best of all, it is at no cost and provides guidance on best-practice security guidelines for business.
When reducing the likelihood of a successful cyber attack, we need to break the approach down into various elements. A security assessment such as the CISA SCUBA tool is extremely useful in the very first steps of a cyber resilience programme and should also be included as part of an ongoing assessment programme.
Becoming cyber resilient is not an all-or-nothing process. Becoming As Secure As Practical (ASAP) requires the right people, processes and tools. Luckily, most organisations will already have some people, processes and tools in place, giving them a non-zero starting point. The exception is Anti-Virus (AV): if all you have is an AV tool, then you have work to do to gain the starting elements of an adequate security posture.
The graphic below is the NIST CSF model, and an assessment falls into the “Identify” stage. “Identify” must be a continual process, and any assessment must be run on a regular basis to be useful, as security posture changes daily based on configuration changes, application changes, device alterations etc.
With this in mind, the Cybersecurity and Infrastructure Security Agency (CISA) has made available an excellent tool for determining the state of your Microsoft 365 environment. The great work by the CISA cannot be overstated, and there are many free resources available to us as security practitioners to help with securing our organisations. This article does not in any way come close to the material on the CISA website but is designed as a short fast track to getting started.
The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations. (CISA web site)
CISA provide further details on SCUBA here, but basically SCUBA is an easy-to-run set of reports that will provide data from the following:
Baselines available for download:
- Microsoft Defender for Office 365
- Microsoft Azure Active Directory
- Microsoft Exchange Online
- Microsoft OneDrive for Business
- Microsoft Power BI
- Microsoft Power Platform
- Microsoft SharePoint Online
- Microsoft Teams
It is best to download the package from GitHub here, which has all the components included.
Secure Cloud Business Applications or SCUBA will only run on a 64-bit Windows operating system, as an executable is required for part of the collection process. Trust me, I have attempted to run the SCUBA PowerShell scripts on my M1 MacBook Pro before I noticed the AMD64 binaries.
Note: the readme within the package has extensive instructions. I have summarised and simplified them so that you can get up and running as quickly as possible.
- Ensure you are running PowerShell 7.3 or above
- Download and extract the SCUBA package from GitHub
- From the extracted files directory run “.\setup.ps1”; this will download the additional modules required for the SCUBA assessment tool to run.
- If you wish to run the assessment across the entire tenant, run “.\RunScuba.ps1” from PowerShell.
- To restrict data collection, edit “RunScuba.ps1” and remove the entries for modules not to be assessed.
- You will be prompted for the credentials for the tenant you wish to scan. If you wish to run with a model of least privilege, an account with the “Global reader” role is required.
- Output will be presented in your default browser once complete and the HTML files will be in a “results” folder.
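The steps above as a preflight-and-run wrapper, added here as an example; it is not part of the SCUBA package or the original article. The `$ScubaDir` path and the location of the “results” folder under it are assumptions.

```powershell
# Added example: preflight checks, then the two scripts from the steps above.
param(
    # Hypothetical path: wherever you extracted the package from GitHub.
    [string]$ScubaDir = 'C:\Tools\scuba'
)

$ErrorActionPreference = 'Stop'
$problems = @()

# Step 1: PowerShell 7.3 or above.
$v = $PSVersionTable.PSVersion
if ($v.Major -lt 7 -or ($v.Major -eq 7 -and $v.Minor -lt 3)) {
    $problems += "PowerShell $v found; 7.3 or above is required."
}

# The package ships AMD64 binaries, so it needs 64-bit Windows.
if (($env:OS -ne 'Windows_NT') -or (-not [Environment]::Is64BitOperatingSystem)) {
    $problems += 'A 64-bit Windows operating system is required.'
}

# Step 2: the extracted package must contain both scripts.
foreach ($name in 'setup.ps1', 'RunScuba.ps1') {
    if (-not (Test-Path -LiteralPath (Join-Path $ScubaDir $name))) {
        $problems += "Missing $name in $ScubaDir"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

Push-Location -LiteralPath $ScubaDir
try {
    $started = Get-Date
    .\setup.ps1       # downloads the additional modules
    .\RunScuba.ps1    # prompts for the tenant credentials

    # Assumption: the "results" folder is created under the package directory.
    $reports = Get-ChildItem -Path .\results -Recurse -Filter *.html -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $started }
    if (-not $reports) {
        throw 'No new HTML report found in "results"; treat the run as failed.'
    }
    $reports | Sort-Object LastWriteTime | ForEach-Object FullName
}
finally {
    Pop-Location
}
```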
Once the PowerShell script has completed successfully, the CISA SCUBA report will look something like the below (if there is no browser window displayed then the execution has failed):
The SCUBA assessment homepage is broken down into the above categories. This can be limited, if your organisation is only interested in evaluating Microsoft 365 Defender for example, by editing “RunScuba.ps1” in your editor of choice (Notepad, Nano etc).
Azure Active Directory
Below is a section of the sample output from the Azure Active Directory scan. The SCUBA tool provides good guidance on the shortcomings of my CDX M365 Tenant and what is needed to improve my security posture.
Defender for O365
Next, the below report sample shows the Defender for O365 configuration and mitigations that should be implemented to improve the security posture of my CDX Tenant.
In summary, security for many small to mid-sized businesses is about “Doing something”. Do not procrastinate and do nothing because it seems too difficult or because you think that “no one” would look to target your organisation.
The CISA Secure Cloud Business Applications or SCUBA assessment tool is a great process you can build into your corporate playbook as a part of your ongoing cyber security posture programme, alongside the “feed and watering” activities to continue to improve organisational security posture.
The chances are super high that your business domain and email addresses will be in a collection of stolen credentials on the Dark web. This means that, whether by accident or not, you will be a target for an attacker who has much more time than we do to try and find a way into your business.
As always, improving your security posture in small but consistent and manageable ways is the only way to have a sustained improvement in your organisation's cyber resilience. Please reach out to me if you need assistance with any of the above.