
Microsoft Company

Security Audit
Report

Prepared by:
Elveenia Fong Shuen Wen
Thressie Dika
Welthienna Umyrra Kong

3-29-2020
Table of Contents
1.0 Executive Summary …………………………………………………………………………………………… 2
2.0 Introduction ……………………………………………………………………………………………………… 2
2.1 About Microsoft …………………………………………………………………………………………… 2
2.2 Organization Chart ………………………………………………………………………………………. 2
2.3 Organization Job Scope ………………………………………………………………………………… 3
3.0 Observation & Finding ………………………………………………………………………………………. 3
3.1 Identification of security related risk/threats ……………………………………………….. 3
3.2 Potential risk ………………………………………………………………………………………………. 4
4.0 Mitigation Action ……………………………………………………………………………………………… 5
4.1 Recommendation/Suggestions ……………………………………………………………………. 6
5.0 Conclusion ……………………………………………………………………………………………………….. 7
6.0 References ……………………………………………………………………………………………………….. 7

1.0 Executive Summary
Security auditing is a powerful tool you can use to maintain the integrity of your
system. Auditing should identify attacks (successful or not) that pose a threat to the
network, and attacks against resources that you have determined to be valuable in
your risk assessment. The purpose of the audit was to assist the executive team in
developing a strategy for managing the company's security.

2.0 Introduction
2.1 About Microsoft
Microsoft Corporation is an American technology company headquartered in
Redmond, Washington, that supports the invention, manufacturing, and
licensing of goods and services related to computing. It was registered in
New Mexico in 1976 after being formed the year before by two childhood
friends.

2.2 Organization Chart

Satya Nadella, Chief Executive Officer

Reporting to the CEO:
Judson Althoff, EVP Worldwide Commercial Business
Scott Guthrie, EVP, Microsoft Cloud + AI Group
Rajesh Jha, EVP Office Product
Brad Smith, President & Chief Legal Officer
Chris Capossela, CMO & EVP, Marketing & Consumer Business
Jean-Philippe Courtois, EVP & President, Microsoft Global Sales, Marketing and Operations
Amy Hood, CFO
Kevin Scott, Chief Technology Officer and Executive Vice President, AI & Research
Kurt DelBene, EVP, Corporate Strategy, Core Services Engineering and Operations
Peggy Johnson, EVP Business Development
Phil Spencer, EVP Gaming
Kathleen Hogan, EVP HR
Jason Graefe, Chief of Staff for the CEO
Jeff Weiner, LinkedIn CEO

2.3 Organization Job Scope
The Microsoft company:
1. To provide data entry support to superiors.
2. To prepare communications, reports, presentations, and other products
using Microsoft Word, Excel, and PowerPoint.
3. To oversee the clerical support function of an office or business, or as
based on client-specific requirements.
4. To schedule reviews, meetings, and conferences as and when required
by the business or client.
5. To perform time-based office work related to finance, administration,
and other departments.
6. To coordinate backup for the front desk.
7. To monitor and respond to email communications.

3.0 Observations & Findings


3.1 Identification of security related risks/threats
i. Weak Security Policies
• Unclassified or improperly classified information, leading to the
divulgence or unintended sharing of confidential information with others,
particularly outsiders.
• Inappropriately defined or implemented authentication or authorization,
leading to unauthorized or inappropriate access.
• Undefined or inappropriate access to customer resources for
contractors/suppliers, leading to fraud, misuse of information, or theft.
• Unclearly defined roles and responsibilities, leading to a lack of
ownership and misuse of such situations.

ii. Lack of user security awareness
• Identity theft and unauthorized access due to weak password complexity.
• Not following company policies, such as appropriate use of assets, clean
desk policy, or clear screen policy, leading to virus attacks or confidential
information leakage.
• Divulging user IDs and/or passwords to others, leading to confidential
information leakage.
• Falling prey to social engineering attacks.
• Falling prey to phishing and similar attacks.
• Downloading unwanted software, applications, images, or
utilities/tools, leading to malware, viruses, worms, or Trojan attacks.

iii. Weak Security Administration
• Weak administrative passwords being misused to steal data or
compromise the systems.
• Weak user passwords allowed in the system and applications, leading to
unauthorized access and information misuse.
• Inappropriately configured systems and applications, leading to errors,
wrong processing, or corruption of data.
• Non-restricted administrative access on the local machines and/or
network, leading to misuse of the system or infection of the systems.

3.2 Potential Risks
• Code Injection
Hackers are sometimes able to exploit vulnerabilities in applications
to insert malicious code. Often the vulnerability is found in a text input
field for users, such as for a username, where an SQL statement is
entered, which runs on the database, in what is known as an SQL
Injection attack. Other kinds of code injection attacks include shell
injection, operating system command attacks, script injection, and
dynamic evaluation attacks.

• Malware Infection
Most businesses are aware on some level of the security threat posed
by malware, yet many people are unaware that email spam is still the
main vector of malware attack. Because malware comes from a range
of sources, several different tools are needed to prevent infection.
A robust email scanning and filtering system is necessary, as are
malware and vulnerability scans. As with breaches, which are often
caused by malware infection, employee education is vital to keep
businesses safe from malware. Any device or system infected with
malware must be thoroughly scrubbed, which means identifying the
hidden portions of code and deleting all infected files before they
replicate. This is practically impossible by hand, so it requires an
effective automated tool.

• Malicious Insiders
Preventing damage from insider attacks is largely about limiting the
amount of access a malicious insider has. This means setting logical
access control policies to implement the principle of least privilege
and monitoring the network with audit and transaction logs. If a
malicious insider attack is detected, the insider's access privileges
should immediately be revoked. That done, the police should be
contacted to prevent that person from carrying out further actions
that could damage the business, such as selling stolen data.
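The SQL Injection case described under Code Injection above, as an added example that is not part of the original report: a login check that pastes the username into the statement text, beside the parameterised form that fixes it, both run against a constructed in-memory SQLite table. The account, the table and the injected username are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: one account in an in-memory table so the example
# runs offline. (Storing plaintext passwords is itself a weakness; the table
# is only a minimal fixture for the query comparison.) The injected username
# is the classic payload: the quote ends the string literal, OR '1'='1' makes
# the WHERE clause always true, and -- comments out the password condition.
SAMPLE_USER = ("alice", "correct-horse-battery")
INJECTED_USERNAME = "' OR '1'='1' --"


def make_db():
    """Create the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input becomes part of the SQL text, so whatever the user
    typed into the username field is executed by the database as SQL."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The fix: a parameterised query. The statement structure is fixed in
    advance and the driver binds the input as data, so quotes or SQL keywords
    in the input can never change what the query does."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Outcome of both checks for the real credentials and for the injection."""
    conn = make_db()
    return {
        "vulnerable_real_login": login_vulnerable(conn, *SAMPLE_USER),
        "vulnerable_injected": login_vulnerable(conn, INJECTED_USERNAME, "anything"),
        "safe_real_login": login_safe(conn, *SAMPLE_USER),
        "safe_injected": login_safe(conn, INJECTED_USERNAME, "anything"),
    }
```

The vulnerable check accepts the injected username with any password, while the parameterised check treats the same string as a literal username that matches no account.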

4.0 Mitigation Actions
A mitigation action is a specific action, project, activity, or process taken to reduce or
eliminate long-term risk to people and property from hazards and their impacts.
Implementing mitigation actions helps achieve the plan’s mission and goals. The actions
to reduce vulnerability to threats and hazards form the core of the plan and are a key
outcome of the planning process.

4.1 Types of mitigation taken for security risks

i. Implement Multi-Factor Authentication (MFA)
It simply cannot be said enough: companies need MFA. The security
posture at many companies is hanging by the thread of passwords that are
weak, shared across social media, or already for sale. MFA is now the
standard authentication baseline and is critical to basic cyber hygiene. If
real estate is “location, location, location,” then cybersecurity is “MFA,
MFA, MFA.”
ii. Update patching
Check the current patch status across all environments. Make every
attempt to patch all vulnerabilities and, if prioritization is necessary, focus
on those with medium or higher risk. Patching is critically important, as the
window between discovery and exploitation of vulnerabilities has shortened
dramatically. Patching is perhaps the most important defense and one that,
for the most part, you can control. (Most attacks utilize known vulnerabilities.)
iii. Manage security posture
Check Secure Score and Compliance Score for Office 365, Microsoft 365,
and Azure. Also, take steps to resolve all open recommendations. These
scores will help you quickly assess and manage the configurations. See
“Resources and information for detection and mitigation strategies” below
for additional information. (Manage your scores over time and use them as
a monitoring tool for unexpected consequences from changes in your
environment.)
iv. Evaluate threat detection and incident response
Increase threat monitoring and anomaly detection activities. Evaluate
incident response from an attacker’s perspective. For example, attackers
often target credentials.
4.2 Suggestions
i. Windows Defender SmartScreen helps prevent malicious applications
from being downloaded
Windows Defender SmartScreen can check the reputation of a downloaded
application by using a service that Microsoft maintains. The first time a
user runs an app that originates from the Internet (even if the user copied it
from another PC), SmartScreen checks to see if the app lacks a reputation
or is known to be malicious, and responds accordingly.
ii. Credential Guard helps keep attackers from gaining access through
Pass-the-Hash or Pass-the-Ticket attacks.
Credential Guard uses virtualization-based security to isolate secrets, such
as NTLM password hashes and Kerberos Ticket Granting Tickets, so that
only privileged system software can access them.
iii. Device Health Attestation helps prevent compromised devices from
accessing an organization’s assets.
Device Health Attestation (DHA) provides a way to confirm that devices
attempting to connect to an organization's network are in a healthy state,
not compromised with malware. When DHA has been configured, a
device’s actual boot data measurements can be checked against the
expected "healthy" boot data. If the check indicates a device is unhealthy,
the device can be prevented from accessing the network.
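A simplified model of the check described under Device Health Attestation above, as an added example that is not part of the report or of Microsoft's DHA implementation: the verifier first confirms that the boot-measurement report is authentic, and only then compares it with the expected "healthy" values. The HMAC key, the property names and the baseline values are constructed stand-ins for the TPM-backed attestation signature and the MDM health policy that real DHA relies on.

```python
import hashlib
import hmac
import json

# Constructed "healthy" baseline, standing in for the MDM policy that defines
# what boot state a device must report before it may join the network.
HEALTHY_BASELINE = {
    "secure_boot_enabled": True,
    "bitlocker_enabled": True,
    "code_integrity_enabled": True,
    "boot_debugging_enabled": False,
    "test_signing_enabled": False,
}
# Constructed shared key; a stand-in for the attestation signing key so that
# the example runs offline without a TPM.
ATTESTATION_KEY = b"constructed-demo-attestation-key"


def _mac(measurements, key):
    body = json.dumps(measurements, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_report(measurements, key=ATTESTATION_KEY):
    """Produce a health report: the measurements plus an authenticator over them."""
    return {"measurements": dict(measurements), "mac": _mac(measurements, key)}


def evaluate_report(report, key=ATTESTATION_KEY, baseline=HEALTHY_BASELINE):
    """Return (allow, reasons). Authenticity is verified first: a report whose
    values were edited after signing is rejected before any value is trusted."""
    measured = report.get("measurements", {})
    if not hmac.compare_digest(_mac(measured, key), report.get("mac", "")):
        return False, ["report authenticator invalid: measurements were altered"]
    # Every baseline property must be present and match; a missing property
    # counts as a mismatch rather than being silently accepted.
    reasons = [f"{prop}: expected {want!r}, reported {measured.get(prop)!r}"
               for prop, want in baseline.items() if measured.get(prop) != want]
    return (not reasons), reasons
```

A device that reports Secure Boot disabled is denied with the mismatch named, and a report whose measurements were changed to look healthy after signing is denied for failing authentication, which is the property that makes the check attestation rather than self-reporting.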

5.0 Conclusion
In conclusion, the Microsoft company must have Windows Defender SmartScreen, Credential
Guard and Device Health Attestation to make sure its data is secure. Besides that, the
company also must take the mitigation actions for security risks, such as implementing
Multi-Factor Authentication (MFA), updating patching, managing security posture and
evaluating threat detection and incident response. This can make the company free from threats.

6.0 References
https://www.liquidweb.com/blog/five-common-web-security-problems/
https://ebrary.net/26640/computer_science/security_threats
https://theorg.com/org/microsoft
https://www.fieldengineer.com/skills/microsoft-office-specialist
https://www.microsoft.com/security/blog/2020/01/20/how-companies-prepare-heightened-threat-environment/
Mark M. Burnett, James C. Foster (2004). Hacking the Code.
