Users cannot be trusted with their passwords!!!
Let’s face it users cannot be trusted to know their entire password, I am not talking about the user that writes down their passwords on sticky notes the bad guys would need physical access to actually access those. What I am really speaking to how easily with social engineering or malware passwords can be compromised. If you are not protecting your Internet facing systems that contain anything but public data with multifactor authentication you are asking to be breached, this includes Outlook Web Access.
So how could Outlook Web Access lead to a breach? When trying to breach your company I would first look to the many lists of username, email addresses and password that are available from any of the Social Media password breaches of late. This is a value because as you know many users reuse passwords and it only takes ONE of out of the 1,000, 5,000, 10,000, 100,000+ users that work for your company that decided to reuse that password. Next I will use the username\password combination against Outlook Webacess. If those combinations don’t work it’s not a problem as I have a list of email addresses within the company as well as their personal addresses too. With a bit of research run a targeted attack against them both at work and their personal accounts. Odds have it again that one of the users will click on the link I send and I will own their home PC collecting all kinds of information including their Outlook credentials. Without a second factor of authentication I am in and will send emails to internal users containing malware that exploits recent Java vulnerabilities giving a backdoor to do my bidding.
This is not a Sci Fi story either, this happens all the time. It is not just Outlook either, these types of attacks can be perpetrated on any system that has communication abilities, Salesforce.com, or SharePoint for example. If that Internet facing system contains Intellectual Property needless to say it would be gone in a blink of the eye.
This is a very real and serious threat. The best answer for protection is multifactor authentication for any Internet facing systems as well as you high value internal systems. In addition you should be protecting any accounts that have super user rights as well. If you have thoughts on other ways to protect these systems I would appreciate your feedback.