Archive

Author Archive

Cybersecurity best practices to implement highly secured devices

May 20th, 2020 No comments

Almost three years ago, we published The Seven Properties of Highly Secured Devices, which introduced a new standard for IoT security and argued, based on an analysis of best-in-class devices, that seven properties must be present on every standalone device that connects to the internet in order to be considered secured. Azure Sphere, now generally available, is Microsoft’s entry into the market: a seven-properties-compliant, end-to-end product offering for building and deploying highly secured IoT devices.

Every connected device should be highly secured, even devices that seem simplistic, like a cactus watering sensor. The seven properties are always required. These details are captured in a new paper titled, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere. It focuses on why the seven properties are always required and describes best practices used to implement Azure Sphere. The paper provides detailed information about the architecture and implementation of Azure Sphere and discusses design decisions and trade-offs. We hope that the new paper can assist organizations and individuals in evaluating the measures used within Azure Sphere to improve the security of IoT devices. Companies may also want to use this paper as a reference, when assessing Azure Sphere or other IoT offerings.  In this blog post, we discuss one issue covered in the paper: why are the 7 properties always required?

Why are the seven properties applicable to every device that connects to the internet?

If an internet-connected device performs a non-critical function, why does it require all seven properties? Put differently, are the seven properties required only when a device might cause harm if it is hacked? Why would you still want to require an advanced CPU, a security subsystem, a hardware root of trust, and a set of services to secure a simple, innocuous device like a cactus water sensor?

Because any device can be the target of a hacker, and any hacked device can be weaponized.

Consider the Mirai botnet, a real-world example of IoT gone wrong. The Mirai botnet involved approximately 150,000 internet-enabled security cameras. The cameras were hacked and turned into a botnet that launched a distributed denial of service (DDoS) attack that took down internet access for a large portion of the eastern United States. For security experts analyzing this hack, the Mirai botnet was distressingly unsophisticated. It was also a relatively small-scale attack, considering that many IoT devices will sell more than 150,000 units.

Adding internet connectivity to a class of device means a single, remote attack can scale to hundreds of thousands or millions of devices. The ability to scale a single exploit to this degree is cause for reflection on the upheaval IoT brings to the marketplace. Once the decision is made to connect a device to the internet, that device has the potential to transform from a single-purpose device to a general-purpose computer capable of launching a DDoS attack against any target in the world. The Mirai botnet is also a demonstration that a manufacturer does not need to sell many devices to create the potential for a “weaponized” device.

IoT security is not only about “safety-critical” deployments. Any deployment of a connected device at scale requires the seven properties. In other words, the function, purpose, and cost of a device should not be the only considerations when deciding whether security is important.

The seven properties do not guarantee that a device will not be hacked. However, they greatly minimize certain classes of threats and make it possible to detect and respond when a hacker gains a toehold in a device ecosystem. If a device doesn’t have all seven, human practices must be implemented to compensate for the missing features. For example, without renewable security, a security incident will require disconnecting devices from the internet and then recalling those devices or dispatching people to manually patch every device that was attacked.

Implementation challenges

Some of the seven properties, such as a hardware-based root of trust and compartmentalization, require certain silicon features. Others, such as defense in-depth, require a certain software architecture as well as silicon features like the hardware-based root of trust. Finally, other properties, including renewable security, certificate-based authentication, and failure reporting, require not only silicon features and certain software architecture choices within the operating system, but also deep integration with cloud services. Piecing these critical pieces of infrastructure together is difficult and prone to errors. Ensuring that a device incorporates these properties could therefore increase its cost.

These challenges led us to believe the seven properties also created an opportunity for security-minded organizations to implement these properties as a platform, which would free device manufacturers to focus on product features, rather than security. Azure Sphere represents such a platform: the seven properties are designed and built into the product from the silicon up.

Best practices for implementing the seven properties

Based on our decades of experience researching and implementing secured products, we identified 19 best practices that were put into place as part of the Azure Sphere product. These best practices provide insight into why Azure Sphere sets such a high standard for security. Read the full paper, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere, for the in-depth discussion of each of these best practices and how they—along with the seven properties themselves—guided our design decisions.

We hope that the discussion of these best practices sheds some additional light on the large number of features the Azure Sphere team implemented to protect IoT devices. We also hope that this provides a new set of questions to consider in evaluating your own IoT solution. Azure Sphere will continue to innovate and build upon this foundation with more features that raise the bar in IoT security.

To read previous blogs on IoT security, visit our blog series:  https://www.microsoft.com/security/blog/iot-security/   Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity

The post Cybersecurity best practices to implement highly secured devices appeared first on Microsoft Security.

Microsoft Build brings new innovations and capabilities to keep developers and customers secure

May 19th, 2020 No comments

As both organizations and developers adapt to the new reality of working and collaborating in a remote environment, it’s more important than ever to ensure that their experiences are secure and trusted. As part of this week’s Build virtual event, we’re introducing new Identity innovation to help foster a secure and trustworthy app ecosystem, as well as announcing a number of new capabilities in Azure to help secure customers.

New Identity capabilities to help foster a secure apps ecosystem

As organizations continue to adapt to the new requirements of remote work, we’ve seen an increase in the deployment and usage of cloud applications. These cloud applications often need access to user or company data, which has increased the need to provide strong security not just for users but applications themselves. Today we are announcing several capabilities for developers, admins, and end-users that help foster a secure and trustworthy app ecosystem:

  1. Publisher Verification allows developers to demonstrate to customers, with a verified checkmark, that the application they’re using comes from a trusted and authentic source. Applications marked as publisher verified means that the publisher has verified their identity through the verification process with the Microsoft Partner Network (MPN) and has associated their MPN account with their application registration.
  2. Application consent policies allow admins to configure policies that determine which applications users can consent to. Admins can allow users to consent to applications that have been Publisher Verified, helping developers unlock user-driven adoption of their apps.
  3. Microsoft authentication libraries (MSAL) for Angular is generally available and our web library identity.web for ASP.NET Core is in public preview. MSAL make it easy to implement the right authentication patterns, security features, and integration points that support any Microsoft identity—from Azure Active Directory (Azure AD) accounts to Microsoft accounts.

In addition, we’re making it easier for organizations and developers to secure, manage and build apps that connect with different types of users outside an organization with Azure AD External Identities now in preview. With Azure AD External Identities, developers can build flexible, user-centric experiences that enable self-service sign-up and sign-in and allow continuous customization without duplicating coding effort.

You can learn even more about our Identity-based solutions and additional announcements by heading over to the Azure Active Directory Tech Community blog and reading Alex Simons’ post.

Azure Security Center innovations

Azure Security Center is a unified infrastructure security management system for both Azure and hybrid cloud resources on-premises or in other clouds. We’re pleased to announce two new innovations for Azure Security Center, both of which will help secure our customers:

First, we’re announcing that the Azure Secure Score API is now available to customers, bringing even more innovation to Secure Score, which is a central component of security posture management in Azure Security Center. The recent enhancements to Secure Score (in preview) gives customers an easier to understand and more effective way to assess risk in their environment and prioritize which action to take first in order to reduce it.  It also simplifies the long list of findings by grouping the recommendations into a set of Security Controls, each representing an attack surface and scored accordingly.

Second, we’re announcing that suppression rules for Azure Security Center alerts are now publicly available. Customers can use suppression rules to reduce alerts fatigue and focus on the most relevant threats by hiding alerts that are known to be innocuous or related to normal activities in their organization. Suppressed alerts will be hidden in Azure Security Center and Azure Sentinel but will still be available with ‘dismissed’ state. You can learn more about suppression rules by visiting Suppressing alerts from Azure Security Center’s threat protection.

Azure Disk Encryption and encryption & key management updates

We continue to invest in encryption options for our customers. Here are our most recent updates:

  1. Fifty more Azure services now support customer-managed keys for encryption at rest. This helps customers control their encryption keys to meet their compliance or regulatory requirements. The full list of services is here. We have now made this capability part of the Azure Security Benchmark, so that our customers can govern use of all your Azure services in a consistent manner.
  2. Azure Disk Encryption helps protect data on disks that are used with VM and VM Scale sets, and we have now added the ability to use Azure Disk Encryption to secure Red Hat Enterprise Linux BYOS Gold Images. The subscription must be registered before Azure Disk Encryption can be enabled.

Azure Key Vault innovation

Azure Key Vault is a unified service for secret management, certificate management, and encryption key management, backed by FIPS-validated hardware security modules (HSMs). Here are some of the new capabilities we are bringing for our customers:

  1. Enhanced security with Private Link—This is an optional control that enables customers to access their Azure Key Vault over a private endpoint in their virtual network. Traffic between their virtual network and Azure Key Vault flows over the Microsoft backbone network, thus providing additional assurance.
  2. More choices for BYOK—Some of our customers generate encryption keys outside Azure and import them into Azure Key Vault, in order to meet their regulatory needs or to centralize where their keys are generated. Now, in addition to nCipher nShield HSMs, they can also use SafeNet Luna HSMs or Fortanix SDKMS to generate their keys. These additions are in preview.
  3. Make it easier to rotate secrets—Earlier we released a public preview of notifications for keys, secrets, and certificates. This allows customers to receive events at each point of the lifecycle of these objects and define custom actions. A common action is rotating secrets on a schedule so that they can limit the impact of credential exposure. You can see the new tutorial here.

Platform security innovation

Platform security for customers’ data recently took a big step forward with the General Availability of Azure Confidential Computing. Using the latest Intel SGX CPU hardware backed by attestation, Azure provides a new class of VMs that protects the confidentiality and integrity of customer data while in memory (or “in-use”), ensuring that cloud administrators and datacenter operators with physical access to the servers cannot access the customer’s data.

Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request. In addition to expanded coverage of services in Customer Lockbox for Microsoft Azure, this feature is now available in preview for our customers in Azure Government cloud.

You can learn more about our Azure security offerings by heading to the Azure Security Center Tech Community.

The post Microsoft Build brings new innovations and capabilities to keep developers and customers secure appeared first on Microsoft Security.

Empowering your remote workforce with end-user security awareness

May 13th, 2020 No comments

COVID-19 has rapidly transformed how we all work. Organizations need quick and effective user security and awareness training to address the swiftly changing needs of the new normal for many of us. To help our customers deploy user training quickly, easily and effectively, we are announcing the availability of the Microsoft Cybersecurity Awareness Kit, delivered in partnership with Terranova Security. For those of you ready to deploy training right now, access your kit here. For more details, read on.

Work at home may happen on unmanaged and shared devices, over insecure networks, and in unauthorized or non-compliant apps. The new environment has put cybersecurity decision-making in the hands of remote employees. In addition to the rapid dissolution of corporate perimeters, the threat environment is evolving rapidly as malicious actors take advantage of the current situation to mount coronavirus-themed attacks. As security professionals, we can empower our colleagues to protect themselves and their companies. But choosing topics, producing engaging content, and managing delivery can be challenging, sucking up time and resources. Our customers need immediate deployable and context-specific security training.

CYBERSECURITY AWARENESS KIT

At RSA 2020 this year, we announced our partnership with Terranova Security, to deliver integrated phish simulation and user training in Office 365 Advanced Threat Protection later this year. Our partnership combines Microsoft’s leading-edge technology, expansive platform capabilities, and unparalleled threat insights with Terranova Security’s market-leading expertise, human-centric design and pedagogical rigor. Our intelligent solution will turbo-charge the effectiveness of phish simulation and training while simplifying administration and reporting. The solution will create and recommend context-specific and hyper-targeted simulations, enabling you to customize your simulations to mimic real threats seen in different business contexts and train users based on their risk level. It will automate simulation management from end to end, providing robust analytics to inform the next cycle of simulations and enable rich reporting.

Our Cybersecurity Awareness Kit now makes available a subset of this user-training material relevant to COVID-19 scenarios to aid security professionals tasked with training their newly remote workforces. The kit includes videos, interactive courses, posters, and infographics like the one below. You can use these materials to train your remote employees quickly and easily.

Beware of COVID-19 Cyber Scams

For Security Professionals, we have created a simple way to host and deliver the training material within your own environment or direct your users to the Microsoft 365 security portal, where the training are hosted as seen below. All authenticated Microsoft 365 users will be able to access the training on the portal. Admins will see the option to download the kit as well. Follow the simple steps, detailed in the README, to deploy the awareness kits to your remote workforce.

For Security Professionals, we have created a simple way to host and deliver the training material within your own environment or direct your users to the M365 security portal, where the trainings are hosted as seen below. All authenticated M365 users will be able to access the training on the portal. Admins will see the option to download the kit as well. Follow the simple steps, detailed in the README, to deploy the awareness kits to your remote workforce.

ACCESSING THE KIT

All Microsoft 365 customers can access the kit and directions on the Microsoft 365 Security and Compliance Center through this link. If you are not a Microsoft 365 customer or would like to share the training with family and friends who are not employees of your organization, Terranova Security is providing free training material for end-users.

Deploying quick and effective end-user training to empower your remote workforce is one of the ways Microsoft can help customers work productively and securely through COVID-19. For more resources to help you through these times, Microsoft’s Secure Remote Work Page for the latest information.

The post Empowering your remote workforce with end-user security awareness appeared first on Microsoft Security.

Protect your accounts with smarter ways to sign in on World Passwordless Day

May 7th, 2020 No comments

As the world continues to grapple with COVID-19, our lives have become increasingly dependent on digital interactions. Operating at home, we’ve had to rely on e-commerce, telehealth, and e-government to manage the everyday business of life. Our daily online usage has increased by over 20 percent. And if we’re fortunate enough to have a job that we can do from home, we’re accessing corporate apps from outside the company firewall.

Whether we’re signing into social media, mobile banking, or our workplace, we’re connecting via online accounts that require a username and password. The more we do online, the more accounts we have. It becomes a hassle to constantly create new passwords and remember them. So, we take shortcuts. According to a Ponemon Institute study, people reuse an average of five total passwords, both business and personal. This is one aspect of human nature that hackers bet on. If they get hold of one password, they know they can use it pry open more of our digital lives. A single compromised password, then, can create a chain reaction of liability.

No matter how strong or complex a password is, it’s useless if a bad actor can socially engineer it away from us or find it on the dark web. Plus, passwords are inconvenient and a drain on productivity. People spend hours each year signing into applications and recovering or resetting forgotten usernames and passwords. This activity doesn’t make things more secure. It only drives up the costs of service desks.

People today are done with passwords

Users want something easier and more convenient. Administrators want something more secure. We don’t think anyone finds passwords a cause to celebrate. That’s why we’re helping organizations find smarter ways to sign in that users will love and hackers will hate. Our hope is that instead of World Password Day, we’ll start celebrating World Passwordless Day.

Passwordless Day Infographic

  • People reuse an average of five passwords across their accounts, both business and personal (Ponemon Institute survey/Yubico).
  • Average person has 90 accounts (Thycotic).
  • Fifty-five percent would prefer a method of protecting accounts that doesn’t involve passwords (Ponemon Institute survey/Yubico).
  • Sixty-seven percent of American consumers surveyed by Visa have used biometric authentication and prefer it to passwords.
  • One-hundred million to 150 million people using a passwordless method each month (Microsoft research, April 2020).

Since an average of one in every 250 corporate accounts is compromised each month, we know that relying on passwords isn’t a good enterprise defense strategy. As companies continue to add more business applications to their portfolios, the cost of passwords only goes up. In fact, companies are dedicating 30 to 60 percent of their support desk calls to password resets. Given how ineffective passwords can be, it’s surprising how many companies haven’t turned on multi-factor authentication (MFA) for their customers or employees.

Passwordless technology is here—and users are adopting it as the best experience for strong authentication. Last November at Microsoft Ignite, we shared that more than 100 million people were already signing in using passwordless methods each month. That number has now reached over 150 million people. According to our recent survey, the use of biometrics

We now have the momentum to push forward initiatives that increase security and reduce cost. New passwordless technologies give users the benefits of MFA in one gesture. To sign in securely with Windows Hello, all you have to do is show your face or press your finger. Microsoft has built support for passwordless authentication into our products and services, including Office, Azure, Xbox, and Github. You don’t even need to create a username anymore—you can use your phone number instead. Administrators can use single sign-on in Azure Active Directory (Azure AD) to enable passwordless authentication for an unlimited number of apps through native functionality in Windows Hello, the phone-as-a-token capabilities in the Microsoft Authenticator app, or security keys built using the FIDO2 open standards.

Of course, we would never advise our customers to try anything we haven’t tried ourselves. We’re always our own first customer. Microsoft’s IT team switched to passwordless authentication and now 90 percent of Microsoft employees sign in without entering a password. As a result, hard and soft costs of supporting passwords fell by 87 percent. We expect other customers will experience similar benefits in employee productivity improvements, lower IT costs, and a stronger security posture. To learn more about our approach, watch the CISO spotlight episode with Bret Arsenault (Microsoft CISO) and myself. By taking this approach 18 months ago, we were better set up for seamless secure remote work during COVID 19.

For many of us, working from home will be a new norm for the foreseeable future. We see many opportunities for using passwordless methods to better secure digital accounts that people rely on every day. Whether you’re protecting an organization or your own digital life, every step towards passwordless is a step towards improving your security posture. Now let’s embrace the world of passwordless!

Related articles

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protect your accounts with smarter ways to sign in on World Passwordless Day appeared first on Microsoft Security.

Data governance matters now more than ever

April 30th, 2020 No comments

Knowing, protecting, and governing your organizational data is critical to adhere to regulations and meet security and privacy needs. Arguably, that’s never been truer than it is today as we face these unprecedented health and economic circumstances. To help organizations to navigate privacy during this challenging time, Microsoft Chief Privacy Officer Julie Brill shared seven privacy principles to consider as we all collectively move forward in addressing the pandemic.

Organizations are also evaluating security and data governance more than ever before as they try to maintain business continuity amid the crisis. According to a new Harvard Business Review (HBR) research report released today commissioned by Microsoft, 61 percent of organizations struggle to effectively develop strong data security, privacy, and risk capabilities. Together with HBR, we surveyed close to 500 global business leaders across industries, including financial services, tech, healthcare, and manufacturing. The study found that 77 percent of organizations say an effective security, risk, and compliance strategy is essential for business success. However, 82 percent say that securing and governing data is becoming more difficult because of new risks and data management complexities brought on by digital transformation.

In a world in which remote work is the new normal, securing, and governing your company’s most critical data becomes more important than ever before. The increased volume of information and multiple collaboration systems create complexity for managing business records with serious cost and risk implications. As organizations across a variety of industries face ever-increasing regulations, many companies move data to different systems of record to manage them and comply with regulations. However, moving content to a different system, instead of managing it in place, can increase the risk of missing records or not declaring them properly. 

General availability of Microsoft 365 Records Management

Today, we are excited to announce the general availability of Microsoft 365 Records Management to provide you with significantly greater depth in protecting and governing critical data. With Records Management, you can:

  • Classify, retain, review, dispose, and manage content without compromising productivity or data security.
  • Leverage machine learning capabilities to identify and classify regulatory, legal, and business critical records at scale.
  • Help demonstrate compliance with regulations through defensible audit trails and proof of destruction.

You can now access Records Management in the compliance center in Microsoft 365.

Data governance matters now more than ever

Striking the right balance between data governance and productivity: Records Management is built into the Microsoft 365 productivity stack and existing customer workflows, easing the friction that often occurs between enforcing governance controls and user productivity. For example, say your team is working on a contract. Thanks to built-in retention policies embedded in the tools people use every day, they can continue to be productive while collaborating on a contract that has been declared a record—such as sharing, coauthoring, and accessing the record through mobile devices. We have also integrated our disposition process natively into the tools you use every day, including SharePoint and Outlook. Records versioning also makes collaboration on record-declared documents better, so you can track when edits are made to the contract. It allows users to unlock a document with a record label to make edits to it with all records safely retained and audit trails maintained. With Records Management, you can balance rigorous enforcement of data controls with allowing your organization to be fully productive.

Building trust, transparency, and defensibility: Building trust and providing transparency is crucial to managing records. In addition to continuing to audit all events surrounding a record in our audit log, we’re excited to announce the ability to obtain proof of disposal and see all items automatically disposed as part of a record label. Proof of disposal helps provide you with the defensibility you need, particularly to meet legal and regulatory requirements. Learn more in this Microsoft docs page.

Leveraging machine learning for scale: Records Management leverages our broader investments in machine learning across information protection and governance, such as trainable classifiers. With trainable classifiers, you can train the classification engine to recognize data that is unique to your organization. Once you define a record or retention label, you can apply the label to all content that matches a trainable classifier that was previously defined. So, for example, any document that appears to be a contract or have contract-related content will be marked accordingly and automatically classified as a record. For more information on creating trainable classifiers, please see this documentation. Apart from using trainable classifiers, you can also choose to auto-apply retention labels either by matching keywords on the content, its metadata, sensitive information it contains, or as the default for a particular location or folder. These different auto classification methods provide the flexibility you need to manage the constantly increasing volume of data.

Please visit this portal to learn more about Records Management.

Importance of information protection and governance

There’s never been a more important time to ensure your data, especially your most critical data, is protected and governed efficiently and effectively. Records Management is generally available worldwide today, and you can learn even more in our post on Tech Community. Eligible Microsoft 365 E5 customers can start using Records Management in the Compliance Center or learn how to try or buy a Microsoft 365 subscription.

Lastly, as you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, you can visit our Remote Work site. We’re here to help in any way we can.

The post Data governance matters now more than ever appeared first on Microsoft Security.

Security guidance for remote desktop adoption

April 15th, 2020 No comments

As the volume of remote workers quickly increased over the past two to three months, the IT teams in many companies scrambled to figure out how their infrastructures and technologies would be able to handle the increase in remote connections. Many companies were forced to enhance their capabilities to allow remote workers access to systems and applications from their homes and other locations outside the network perimeter. Companies that couldn’t make changes rapidly enough to increase capacity for remote workers might rely on remote access using the remote desktop protocol, which allows employees to access workstations and systems directly.

Recently, John Matherly (founder of Shodan, the world’s first search engine for internet-connected devices) conducted some research on ports that are accessible on the internet, surfacing some important findings. Notably, there has been an increase in the number of systems accessible via the traditional Remote Desktop Protocol (RDP) port and a well-known “alternative” port used for RDP. A surprising finding from John’s research is the ongoing prevalent usage of RDP and its exposure to the internet.

Although Remote Desktop Services (RDS) can be a fast way to enable remote access for employees, there are a number of security challenges that need to be considered before using this as a remote access strategy. One of these challenges is that attackers continue to target the RDP and service, putting corporate networks, systems, and data at risk (e.g., cybercriminals could exploit the protocol to establish a foothold on the network, install ransomware on systems, or take other malicious actions). In addition, there are challenges with being able to configure security for RDP sufficiently, to restrict a cybercriminal from moving laterally and compromising data.

Security considerations for remote desktop include:

  • Direct accessibility of systems on the public internet.
  • Vulnerability and patch management of exposed systems.
  • Internal lateral movement after initial compromise.
  • Multi-factor authentication (MFA).
  • Session security.
  • Controlling, auditing, and logging remote access.

Some of these considerations can be addressed using Microsoft Remote Desktop Services to act as a gateway to grant access to remote desktop systems. The Microsoft Remote Desktop Services gateway uses Secure Sockets Layer (SSL) to encrypt communications and prevents the system hosting the remote desktop protocol services from being directly exposed to the public internet.

Identify RDP use

To identify whether your company is using the Remote Desktop Protocol, you may perform an audit and review of firewall policies and scan internet-exposed address ranges and cloud services you use, to uncover any exposed systems. Firewall rules may be labeled as “Remote Desktop” or “Terminal Services.” The default port for Remote Desktop Services is TCP 3389, but sometimes an alternate port of TCP 3388 might be used if the default configuration has been changed.

Use this guidance to help secure Remote Desktop Services

Remote Desktop Services can be used for session-based virtualization, virtual desktop infrastructure (VDI), or a combination of these two services. Microsoft RDS can be used to help secure on-premises deployments, cloud deployments, and remote services from various Microsoft partners (e.g., Citrix). Leveraging RDS to connect to on-premises systems enhances security by reducing the exposure of systems directly to the internet. Further guidance on establishing Microsoft RDS can be found in our Remote Desktop Services.

On-premises deployments may still have to consider performance and service accessibility depending on internet connectivity provided through the corporate internet connection, as well as the management and maintenance of systems that remain within the physical network.

Leverage Windows Virtual Desktop

Virtual desktop experiences can be enhanced using Windows Virtual Desktop, delivered on Azure. Establishing an environment in Azure simplifies management and offers the ability to scale the virtual desktop and application virtualization services through cloud computing. Leveraging Windows Virtual Desktop foregoes the performance issues associated with on-premises network connections and takes advantage of built-in security and compliance capabilities provided by Azure.

To get more information about setting up, go to our Windows Virtual Desktop product page.

Microsoft documentation on Windows Virtual Desktop offers a tutorial and how-to guide on enabling your Azure tenant for Windows Virtual Desktop and connecting to the virtual desktop environment securely, once it is established.

Secure remote administrator access

Remote Desktop Services are being used not only by employees for remote access, but also by many system developers and administrators to manage cloud and on-premises systems and applications. Allowing administrative access of server and cloud systems directly through RDP elevates the risk because the accounts used for these purposes usually have higher levels of access across systems and environments, including system administrator access. Microsoft Azure helps system administrators to securely access systems using Network Security Groups and Azure Policies. Azure Security Center further enhances secure remote administration of cloud services by allowing “just in time” (JIT) access for administrators.

Attackers target management ports such as SSH and RDP. JIT access helps reduce attack exposure by locking down inbound traffic to Microsoft Azure VMs (Source: Microsoft).

Azure Security Center JIT access enhances security through the following measures:

  • Approval workflow.
  • Automatic removal of access.
  • Restriction on permitted internet IP address.

For more information, visit Azure Security Center JIT.

Evaluate the risk to your organization

Considerations for selection and implementation of a remote access solution should always consider the security posture and risk appetite of your organization. Leveraging remote desktop services offers great flexibility by enabling remote workers to have an experience like that of working in the office, while offering some separation from threats on the endpoints (i.e., user devices, both managed and unmanaged by the organization). At the same time, those benefits should be weighed against the potential threats to the corporate infrastructure (network, systems, and thereby data). Regardless of the remote access implementation your organization uses, it is imperative that you implement best practices around protecting identities and minimizing attack surface to ensure new risks are not introduced.

The post Security guidance for remote desktop adoption appeared first on Microsoft Security.

Afternoon Cyber Tea: Building operational resilience in a digital world

April 13th, 2020 No comments

Operational resiliency is a topic of rising importance in the security community. Unplanned events, much like the one we are facing today, are reminders of how organizations can be prepared to respond to a cyberattack. Ian Coldwell and I explored a variety of options in my episode of Afternoon Cyber Tea with Ann Johnson.

Ian Coldwell is a Kubernetes containers and cloud infrastructure specialist with a background in penetration testing and DevOps. In their role as a consultant, Ian has helped companies bridge the gaps between security and DevOps. It was a real pleasure to discuss what Ian has learned in these roles, and I think you’ll find our discussion valuable.

During our conversation, Ian and I talked about threat modeling and how to best protect your crown jewels. We also explored what it means to bring security into DevOps. Hint: it’s about more than just new tooling. And, we demystified Kubernetes. Do you wonder which projects are a good fit for Kubernetes, and which are not? Are you concerned about how to keep Kubernetes containers secure? Take a listen to Building operational resiliency in a digital work on Afternoon Cyber Tea with Ann Johnson for actionable advice that you can apply to your own SecDevOps organization.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape in these unprecedented times, and explore the risk and promise of systems powered by artificial intelligence (AI), Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts—You can also download the episode by clicking the Episode Website link.
  • Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Building operational resilience in a digital world appeared first on Microsoft Security.

Enable remote work while keeping cloud deployments secure

April 9th, 2020 No comments

As our customers shift to remote work in response to the COVID-19 outbreak, many have asked how to maintain the security posture of their cloud assets. Azure Security Center security controls can help you monitor your security posture as usage of cloud assets increases. These are three common scenarios:

  1. Enable multi-factor authentication (MFA) to enhance identity protection.
  2. Use just-in-time (JIT) VM access for users that need remote access via RDP or SSH to servers that are in your Azure infrastructure.
  3. Review the “Remediate vulnerabilities control” in Azure Security Center to identify critical security updates needed workloads (servers, containers, databases) that will be accessed remotely.

Read Keeping your cloud deployments secure during challenging times for detailed instructions.

The post Enable remote work while keeping cloud deployments secure appeared first on Microsoft Security.

Categories: Azure Security, Cloud Computing Tags:

Mobile security—the 60 percent problem

April 7th, 2020 No comments

Off the top of your head, what percentage of endpoints in your organization are currently protected?

Something in the 98 percent+ range?

Most enterprises would say having fewer than 2 percent of endpoint devices lacking adequate security would be considered good given the various changes, updates, etc. However, enterprises have traditionally focused security and compliance efforts on traditional computing devices (for example, servers, desktops, and laptops), which represent just 40 percent of the relevant endpoints. The remaining 60 percent of endpoints are mobile devices and are woefully under-protected. That’s a problem.

Mobile security is more important than ever

Mobile devices, both corporate-owned and bring your own device (BYOD), are now the dominant productivity platform in any enterprise organization, with more than 80 percent of daily work performed on a mobile device. These devices operate extensively outside of corporate firewalls, in the hands of users who may not prioritize precautions like vetting Wi-Fi networks or keeping their devices patched and updated. Mobile often represents a wandering corporate data repository.

These factors combine to cause headaches for security teams because, in short, mobile security has a significant gap in most organizations’ endpoint protection strategies.

The lack of protection for (and visibility into) these endpoints introduces significant risk and compliance concerns that show no sign of slowing down. Here are some statistics from Zimperium’s State of Enterprise Mobile Security Report, 2019, which contains data from more than 45 million anonymized endpoints from enterprises in a variety of industries and both local and national government agencies from around the world:

  • Mobile OS vendors created patches for 1,161 security vulnerabilities in 2019.
  • At the end of 2019, 48 percent of iOS devices were more than four versions behind the latest OS version and 58 percent of Android devices were more than two versions behind.
  • Twenty-four percent of enterprise mobile endpoints were exposed to device threats, not including outdated operating systems.
  • Nineteen percent of enterprise mobile endpoints experienced network-based attacks.
  • Sixty-eight percent of malicious profiles were considered “high-risk,” meaning they had elevated access that could lead to data exfiltration or full compromise.

Microsoft and Zimperium deliver comprehensive mobile security

The combination of Microsoft’s management and security solutions and Zimperium’s unique on-device mobile device security delivers unequaled protection for managed and unmanaged BYOD devices. Together, Microsoft and Zimperium have delivered numerous innovations for customers in areas such as:

An endpoint is an endpoint is an endpoint, and they all must be protected

Organizations now realize mobile devices are an unprotected endpoint with possible access to or containing the information of a traditional endpoint. And while there are some overlaps in what you protect—email, calendars, etc.—the way you solve the traditional endpoint security problem is completely different than how you solve the mobile security problem.

So, what does all this really mean for an enterprise?

For a joint Microsoft and Zimperium international banking customer with employees in nine countries using 17,000 corporate and BYOD mobile devices, it means knowing that you are protected with Microsoft Endpoint Manager on Azure. It means knowing how many of your employees are putting your enterprise at risk with outdated iOS versions and high-risk profiles. It means having the ability to remediate and monitor your endpoints with one console. Our customer is in control of its infrastructure choices versus having the vendor forcing a solution. In addition, both iOS and Android platforms are supported and protected. If a user were to switch from one device to another that runs a different OS, the person would simply re-download the Zimperium app and activate.

Once deployed, the solution is capable of simultaneously integrating with unified endpoint solutions (UEM) solutions from multiple vendors. In other words, part of the organization, or specified users, can be managed with one UEM solution, and part of it by another. For joint Zimperium and Microsoft customers, this capability simplifies the migration from a third-party UEM to Microsoft Endpoint Manager while maintaining security during the migration. Zimperium provides visibility and security across the mobile infrastructure for customers who may have multiple UEM solutions deployed.

About Zimperium

Zimperium, the global leader in mobile device and app security, offers real-time, on-device protection against Android and iOS threats. The Zimperium platform leverages our award-winning machine-learning-based engine—z9—to protect mobile data, apps, and sessions against device compromises, network attacks, phishing attempts, and malicious apps.

To date, z9 has detected 100 percent of zero-day device exploits without requiring an update or suffering from the delays and limitations of cloud-based detection—something no other mobile security provider can claim.

Get a free enterprise trial

Interested in trying Zimperium in your Microsoft security environment? Contact us today for mobile device security with protection against network, device, phishing, and malicious app attacks.

The post Mobile security—the 60 percent problem appeared first on Microsoft Security.

Protecting your data and maintaining compliance in a remote work environment

April 6th, 2020 No comments

In this difficult time, remote work is becoming the new normal for many companies around the world. Employees are using tools like Microsoft Teams to collaborate, chat, and connect in new ways to try to keep their businesses moving forward amidst the challenging global health crisis. I sincerely hope you and your families are staying safe and healthy.

I have been talking with many of you about the impact today’s environment is having on your organizations. Business continuity is an imperative, and you must rely on your employees to stay connected and productive outside of the traditional digital borders of business. In doing so, identifying and managing potential risks within the organization is critical to safeguarding your data and intellectual property (IP), while supporting a positive company culture.

Because many of you have been asking, here is some guidance for things you can do to take advantage of these capabilities. I’ll focus a lot of the examples on Teams, but many of these features are relevant across Microsoft 365.

Staying secure and compliant

First, knowing where your data resides while employees are working remotely is a vital question, especially for your risk management-focused departments. Data in Teams is encrypted at rest and in transport, and uses secure real-time protocol for video, audio, and desktop sharing.

There are also several tools that help you remain in control and protect sensitive documents and data in Microsoft 365. For example, you can restrict Teams experiences for guests and people outside of your organization. You can also govern the apps to which each user has access.

In addition, we’ve made sure that the Teams service is compliant: to help you answer questions from your auditors, we publish auditor reports on the Service Trust Portal. And we help our customers keep up with evolving regulations and standards with a robust compliance controls framework, which meets some of the most rigorous industry and countries’ regulations requirements.

Applying data loss prevention in Teams

Data loss prevention (DLP) addresses concerns around sensitive information in messages or documents. Setting up DLP policies in Teams can protect your data and take specific actions when sensitive information is shared. For example, suppose that someone attempts to share a document with guests in a Teams channel or chat, and the document contains sensitive information. If you have a DLP policy defined to prevent this, the document won’t open for those users. Note that in this case, your DLP policy must include SharePoint and OneDrive for the protection to be in place.

Applying sensitivity labeling to protect sensitive data

You can also apply a sensitivity label to important documents and associate it with protection policies and actions like encryption, visual marking, and access controls and be assured that the protection will persist with the document throughout its lifecycle, as it is shared among users who are internal or external to your organization.

You can start by allowing users to manually classify emails and documents by applying sensitivity labels based on their assessment of the content and their interpretation of the organizational guidelines. However, users also forget or inaccurately apply labels, especially in these stressful times, so you need a method that will scale to the vast amount of data you have.

To help you to achieve that scale, we are announcing the public preview of automatic classification with sensitivity labels for documents stored on SharePoint Online and OneDrive for Business, and for emails in transit in Exchange Online. The public preview will begin rolling out over the next week. Like with manual classification, you can now set up sensitivity labels to automatically apply to Office files (e.g., PowerPoint, Excel, Word, etc.) and emails based upon organizational policies. In addition to having users manually label files, you can configure auto classification policies in Microsoft 365 services like SharePoint Online, OneDrive, and Exchange Online. These policies can automatically label files at rest and in motion based on the rules you’ve set. Those classifications also apply when those documents are shared via Teams.

Minimize insider risk

We also know that stressful events contribute to the likelihood of insider risks, such as leakages, IP theft, or data harassment. Insider Risk Management looks at activity from across Microsoft 365, including Teams, to identify potential suspicious activity early.

Communication Compliance, part of the new Insider Risk Management solution set in Microsoft 365, leverages machine learning to quickly identify and take action on code of conduct policy violations in company communications channels, including Teams. Communication Compliance reasons over language used in Teams which may indicate issues related to threats (harm to oneself or others). Detecting this type of language in a timely manner not only minimizes the impact of internal risk, but also can go a long way in supporting employee mental health in uncertain times like this.

Enabling simple retention policies

To comply with your organization’s internal policies, industry regulations, or legal needs, all your company information should be properly governed. That means ensuring that all required information is kept, while the data that’s considered a liability and that you’re no longer required to keep is deleted.

You can set up Teams retention policies for chat and channel messages, and you can apply a Teams retention policy to your entire organization or to specific users and teams. When data is subject to a retention policy, users can continue to work with it because the data is retained in place, in its original location. If a user edits or deletes data that’s subject to the retention policy, a copy is saved to a secure location where it’s retained while the policy is in effect.

All data is retained for compliance reasons and is available for eDiscovery until the retention period expires, after which your policy indicates whether to do nothing or delete the data. With a Teams retention policy, when you delete data, it’s permanently deleted from all storage locations on the Teams service.

Staying productive while minimizing risk

Working remotely helps your employees stay healthy, productive, and connected, and you can keep them productive without increasing risk or compromising compliance. For more guidance around supporting a remote work environment in today’s challenging climate, check out our Remote Work or Remote Work Tech Community sites.

The post Protecting your data and maintaining compliance in a remote work environment appeared first on Microsoft Security.

Turning collaboration and customer engagement up with a strong identity approach

April 6th, 2020 No comments

In these challenging times, it’s even more apparent that modern companies are managing a blended workforce that encompasses not only their full-time staff and customers but also their contractors, consultants, subsidiaries, suppliers, partners, and soon-to-be customers. Balancing friction-less collaboration and highly targeted engagement with privacy and security is not easy, but you don’t have to go it alone.

Now more than ever, reusing rather reinventing is critical. When it comes to connecting to business partners or your customers, consumers, or citizens, you don’t need to create an identity management solution from scratch—you can leverage cloud based identity and access management (IAM) and customer IAM (CIAM) for better engagement with all of your cohorts.

The new world of work

Even before workers transitioned home in large numbers, IT leaders were facing rapidly transitioning work models fueled by an increase in remote working, freelancer exchanges and platforms, and a geographically-distributed workforce—trends that are only accelerated today by the uncommon circumstances imposed by COVID-19. Concurrently, interconnected and complex supply chain bring partners and suppliers directly into the business, where closer coordination is more important than ever. To get an idea for just how “into the business” that means, according to February 2020 Microsoft research, powered by Pulse, IT executives reported that 55 percent of external users outside their organizations belong to other businesses—for example, commercial customers, partners, and suppliers. And 98 percent of those respondents agreed that deepening collaboration and engagement with customers and business partners is how their company will be successful.

The net is that with all these entities logging into multiple corporate networks and segments, for many CISOs, “insider risk” includes a much broader set of actors than just the full-time workforce. And those CISOs are very concerned about insider risk—with 97 percent recently reporting that as their top concern. That’s why a flexible IAM solution is so important right now, because implemented properly, it allows companies to engage and interact effectively with all cohorts while also keeping organizations and data private and secure. Let’s take a closer look at how.

Turning external collaboration up

There are many benefits of using a trusted CIAM solution, here’s a short list of the ones I’ve heard from CISOs are the most valuable.

  • Persistent identities—Almost everyone already has a digital presence and at least one associated ID from Google, Facebook, or Microsoft. Using persistent IDs means that customers and partners can re-use their exiting identity and don’t have to worry about creating an entirely new login and password. This reduces friction and improves security.
  • Data transparency—When people use the same ID across multiple business and organizational systems, both they and the company have a more efficient method for reporting on data use and access. It also means that when a user request that their history be wiped or corrected, they can easily confirm that appropriate action has been taken.
  • Better audit trails—Using those same IDs also supports compliance reporting, audit trails, and forensic investigations. Rather than having to stitch together multiple IDs to determine the path of an incident, like a data exfiltration event, security professionals can follow activity of a single target ID. This also streamlines compliance reporting activity reducing burdens on already overworked staff.
  • Improved security—Allowing partners and customers to bring their own ID also means that robust, enterprise-ready security can be brought along. Advanced technologies like multi-factor authentication (MFA) and conditional access with step-up authentication can be applied to all users, even those that don’t work for large companies with mature identity programs.
  • Enhanced experience—The best security professionals know that technology that makes users’ lives easier is the most effective. All of the above directly impact security, but if customers and partners aren’t excited about using a solution, they’ll go around it. Make sure low friction end-user experiences are supported across varied experiences from artificial intelligence (AI)-led guidance to new product and service recommendations.

In the coming days, we will share more guidance on how to collaborate securely with your business partners and other external users. Learn more about how security professionals can adapt to the increasing usage of collaboration applications and leverage risk-based Conditional Access for real-time deflection of dynamic attacks today. We hope these recommendations will help you enable uninterrupted operations for your organization in these challenging times. Stay safe and be well.

The post Turning collaboration and customer engagement up with a strong identity approach appeared first on Microsoft Security.

Microsoft Defender ATP can help you secure your remote workforce

April 3rd, 2020 No comments

As the number of home-based workers has accelerated in the last few weeks, it’s introduced new challenges. You may want to expand the number and types of devices employees can use to access company resources. You need to support a surge in SaaS usage. And it’s important to adjust security policies to enable productivity from home, while keeping sensitive data secure. As you navigate these changes, turn to us for help. Microsoft Defender Advanced Threat Protection (ATP) customers can expect the following:

  • Coverage for additional devices without requiring additional licenses.
  • Guidance and support services to rapidly expand deployment.
  • Proactive and reactive assistance to help security teams identify, respond to, and remediate threats.

Read Secure your remote workforce with Microsoft Defender ATP for details.

The post Microsoft Defender ATP can help you secure your remote workforce appeared first on Microsoft Security.

Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team

April 2nd, 2020 No comments

Recently, we published our first case report (001: …And Then There Were Six) by the Microsoft Detection and Response Team (DART). We received significant positive response from our customers and colleagues and our team has been getting inquiries asking for more reports. We are glad to share the DART Case Report 002: Full Operational Shutdown.

In the report 002, we cover an actual incident response engagement where a polymorphic malware spread through the entire network of an organization. After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services. The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week. In our report, you can read the details of the attack and how DART responded, review the attack lateral progression diagram and learn best practices from DART experts.

Stay tuned for more DART case reports where you’ll find unique stories from our team’s engagements around the globe. As always, you can reach out to your Microsoft account manager or Premier Support contact for more information on DART services.

 

DART provides the most complete and thorough investigations by leveraging a combination of proprietary tools and Microsoft Security products, close connections with internal Microsoft threat intelligence and product groups, as well as strategic partnerships with security organizations around the world.

The post Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team appeared first on Microsoft Security.

Attack matrix for Kubernetes

April 2nd, 2020 No comments

Kubernetes, the most popular container orchestration system and one of the fastest-growing projects in the history of open source, becomes a significant part of many companies’ compute stack. The flexibility and scalability of containers encourage many developers to move their workloads to Kubernetes. While Kubernetes has many advantages, it also brings new security challenges that should be considered. Therefore, it is crucial to understand the various security risks that exist in containerized environments, and specifically in Kubernetes.

The MITRE ATT&CK® framework is a knowledge base of known tactics and techniques that are involved in cyberattacks. Started with coverage for Windows and Linux, the matrices of MITRE ATT&CK cover the various stages that are involved in cyberattacks (tactics) and elaborate the known methods in each one of them (techniques). Those matrices help organizations understand the attack surface in their environments and make sure they have adequate detections and mitigations to the various risks. MITRE ATT&CK framework tactics include:

  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Impact

When we in Azure Security Center started to map the security landscape of Kubernetes, we noticed that although the attack techniques are different than those that target Linux or Windows, the tactics are actually similar. For example, a translation of the first four tactics from OS to container clusters would look like 1. “initial access to the computer” becomes “initial access to the cluster”, 2. “malicious code on the computer” becomes “malicious activity on the containers”, 3. “maintain access to the computer” becomes “maintain access to the cluster”, and 4. “gain higher privileges on the computer” becomes “gain higher privileges in the cluster”.

Therefore, we have created the first Kubernetes attack matrix: an ATT&CK-like matrix comprising the major techniques that are relevant to container orchestration security, with focus on Kubernetes.

Image: Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Impact Using Cloud credentials Exec into container Backdoor container Privileged container Clear container logs List K8S secrets Access the K8S API server Access cloud resources Data Destruction Compromised images in registry bash/cmd inside container Writable hostPath mount Cluster-admin binding Delete K8S events Mount service principal Access Kubelet API Container service account Resource Hijacking Kubeconfig file New container Kubernetes CronJob hostPath mount Pod / container name similarity Access container service account Network mapping Cluster internal networking Denial of service Application vulnerability Application exploit (RCE) Access cloud resources Connect from Proxy server Applications credentials in configuration files Access Kubernetes dashboard Applications credentials in configuration files Exposed Dashboard SSH server running inside container Instance Metadata API Writable volume mounts on the host Access Kubernetes dashboard Access tiller endpoint

As can be seen, the matrix contains the 9 tactics listed above. Each one of them contains several techniques that can be used by attackers to achieve different goals. Below are the descriptions of each one of the techniques.

  1. Initial Access

The initial access tactic consists of techniques that are used for gaining access to the resource. In containerized environments, those techniques enable first access to the cluster. This access can be achieved directly via the cluster management layer or, alternatively, by gaining access to a malicious or vulnerable resource that is deployed on the cluster.

  • Using cloud credentials

In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster’s management layer.

  • Compromised images in registry

Running a compromised image in a cluster can compromise the cluster. Attackers who get access to a private registry can plant their own compromised images in the registry. The latter can then be pulled by a user. In addition, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.

Building images based on untrusted base images can also lead to similar results.

  • Kubeconfig file

The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., “az aks get-credential” for AKS or “gcloud container clusters get-credentials” for GKE).

If attackers get access to this file, for instance via a compromised client, they can use it for accessing the clusters.

  • Vulnerable application

Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.

  • Exposed dashboard

The Kubernetes dashboard is a web-based user interface that enables monitoring and managing a Kubernetes cluster. By default, the dashboard exposes an internal endpoint (ClusterIP service). If the dashboard is exposed externally, it can allow unauthenticated remote management of the cluster.

  1. Execution

The execution tactic consists of techniques that are used by attackers to run their code inside a cluster.

  • Exec into container

Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.

  • New container

Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet \ ReplicaSet\ Deployment) can create a new resource for running their code.

  • Application exploit

An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.

  • SSH server running inside container

SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.

  1. Persistence

The persistence tactic consists of techniques that are used by attackers to keep access to the cluster in case their initial foothold is lost.

  • Backdoor container

Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.

  • Writable hostPath mount

hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.

  • Kubernetes CronJob

Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

  1. Privilege escalation

The privilege escalation tactic consists of techniques that are used by attackers to get higher privileges in the environment than those they currently have. In containerized environments, this can include getting access to the node from a container, gaining higher privileges in the cluster, and even getting access to the cloud resources.

  • Privileged container

A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod’s service account, for example), can get access to the host’s resources.

  • Cluster-admin binding

Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.

  • hostPath mount

hostPath mount can be used by attackers to get access to the underlying host and thus break from the container to the host. (See “3: Writable hostPath mount” for details).

  • Access cloud resources

If the Kubernetes cluster is deployed in the cloud, in some cases attackers can leverage their access to a single container in order to get access to other cloud resources outside the cluster. For example, in AKS each node contains service principal credential that is stored in /etc/kubernetes/azure.json. AKS uses this service principal to create and manage Azure resources that are needed for the cluster operation.

By default, the service principal has contributor permissions in the cluster’s Resource Group. Attackers who get access to this service principal file (by hostPath mount, for example) can use its credentials to access or modify the cloud resources.

  1. Defense evasion

The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their activity.

  • Clear container logs

Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.

  • Delete Kubernetes events

A Kubernetes event is a Kubernetes object that logs state changes and failures of the resources in the cluster. Example events are a container creation, an image pull, or a pod scheduling on a node.

Kubernetes events can be very useful for identifying changes that occur in the cluster. Therefore, attackers may want to delete these events (e.g., by using: “kubectl delete events–all”) in an attempt to avoid detection of their activity in the cluster.

  • Pod / container name similarity

Pods that are created by controllers such as Deploymen or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.

Also, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.

  • Connect from proxy server

Attackers may use proxy servers to hide their origin IP. Specifically, attackers often use anonymous networks such as TOR for their activity. This can be used for communicating with the applications themselves or with the API server.

  1. Credential access

The credential access tactic consists of techniques that are used by attackers to steal credentials.

In containerized environments, this includes credentials of the running application, identities, secrets stored in the cluster, or cloud credentials.

  • List Kubernetes secrets

A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.

  • Mount service principal

When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential. (See “4: Access cloud resources” for more details.)

  • Access container service account

Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \ ClusterRoleBindings that are associated with it.

  • Application credentials in configuration files

Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Azure Security Center. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer’s endpoint, can steal the stored secrets and use them.

  1. Discovery

The discovery tactic consists of techniques that are used by attackers to explore the environment to which they gained access. This exploration helps the attackers to perform lateral movement and gain access to additional resources.

  • Access the Kubernetes API server

The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending various requests to the RESTful API. The status of the cluster, which includes all the components that are deployed on it, can be retrieved by the API server. Attackers may send API requests to probe the cluster and get information about containers, secrets, and other resources in the cluster.

  • Access Kubelet API

Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.

  • Network mapping

Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.

  • Access Kubernetes dashboard

The Kubernetes dashboard is a web-based UI that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (kubernetes-dashboard) with the permissions that are determined by the binding or cluster-binding for this service account. Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard’s identity.

  • Instance Metadata API

Cloud providers provide instance metadata service for retrieving information about the virtual machine, such as network configuration, disks, and SSH public keys. This service is accessible to the VMs via a non-routable IP address that can be accessed from within the VM only. Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. For example, in Azure, the following request would retrieve all the metadata information of an instance: http:///metadata/instance?api-version=2019-06-01

  1. Lateral movement

The lateral movement tactic consists of techniques that are used by attackers to move through the victim’s environment. In containerized environments, this includes gaining access to various resources in the cluster from a given access to one container, gaining access to the underlying node from a container, or gaining access to the cloud environment.

  • Access cloud resources

Attackers may move from a compromised container to the cloud environment. (See “4: Access cloud resources” for details).

  • Container service account

Attackers who gain access to a container in the cluster may use the mounted service account token for sending requests to the API server, and gaining access to additional resources in the cluster. (See “6: Access container service account” for more details.)

  • Cluster internal networking

Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.

  • Applications credentials in configuration files

Developers store secrets in the Kubernetes configuration files, for example, as environment variables in the pod configuration. Using those credentials attackers may gain access to additional resources inside and outside the cluster. (See “6: Application credentials in configuration files” for more details.)

  • Writable volume mounts on the host

Attackers may attempt to gain access to the underlying host from a compromised container. (See “3: Writable hostPath mount” for more details.)

  • Access Kubernetes dashboard

Attackers who have access to the Kubernetes dashboard may manage the cluster resources and also run their code on the various containers in the cluster using the built-in “exec” capability of the dashboard. (See “7: Access Kubernetes dashboard” for more details.)

  • Access tiller endpoint

Helm is a popular package manager for Kubernetes maintained by CNCF. Tiller is the server-side component of Helm up to version 2.

Tiller exposes internal gRPC endpoint in the cluster, listens to port 44134. By default, this endpoint does not require authentication. Attackers may run code on any container that is accessible to the tiller’s service and perform actions in the cluster, using the tiller’s service account, which often has high privileges.

  1. Impact

The Impact tactic consists of techniques that are used by attackers to destroy, abuse, or disrupt the normal behavior of the environment.

  • Data destruction

Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.

  • Resource hijacking

Attackers may abuse a compromised resource for running tasks. A common abuse is to use compromised resources for running digital currency mining. Attackers who have access to a container in the cluster or have permissions to create new containers may use them for such activity.

  • Denial of service

Attackers may attempt to perform a denial of service attack, which makes the service unavailable to the legitimate users. In container clusters, this include attempts to block the availability of the containers themselves, the underlying nodes, or the API server.

Understanding the attack surface of containerized environments is the first step of building security solutions for these environments. The matrix that was presented above can help organizations identify the current gaps in their defenses’ coverage against the different threats that target Kubernetes. Azure Security Center can help you protect your containers environment. Learn more about Azure Security Center’s support for container security.

The post Attack matrix for Kubernetes appeared first on Microsoft Security.

Categories: Azure Security, cybersecurity Tags:

Zero Trust framework to enable remote work

April 2nd, 2020 No comments

Zero Trust Assessment tool now live!

With such a large influx of employees working remotely, many of the traditional network-based security controls are unable to protect the organization. For many organizations, there are two options: route all remote traffic through a strained legacy network architecture, resulting in poor performance and user productivity; or relax restrictions and risk losing protection, control, and visibility. Many organizations are turning to Zero Trust security framework to better support remote work and manage risk.

The Zero Trust security framework helps organizations effectively meet these challenges by gating access to resources individually using granular access policies that take advantage of dynamic user and device risk signals and other telemetry to make more adaptive access decisions.

Support for your Zero Trust journey

Getting started on your Zero Trust journey can be daunting, but we’re here to help. We’ve created the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust journey. Our assessment tool will help you assess your readiness across identities, devices, apps, infrastructure, network and data, and then provide go-dos and deployment guidance to help you reach key milestones.

 

Every company is at a different stage of their Zero Trust journey. Given the current situation with remote work, maybe you are working to unify your identity management to enable single sign-on (SSO), or you are digging into projects like multi-factor authentication (MFA) or desktop virtualization. Maybe identity and device management are your top priorities right now. Every IT leader needs to define the priorities to enable productivity from anywhere across their organization’s workforce depending on the situation. We understand and we’re here to help.

We recently published Microsoft Zero Trust Maturity Model vision paper detailing the core principles of Zero Trust, along with our maturity model, which breaks down the top level requirements across each of the six foundational elements.

Upcoming, we’ll be publishing deployment guides for each of the foundational elements. Look out for additional guides in the Microsoft Security blog.

Learn more about Zero Trust and Microsoft Security.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust framework to enable remote work appeared first on Microsoft Security.

Welcoming a more diverse workforce into cybersecurity: expanding the pipeline

March 31st, 2020 No comments

Despite much focus on increasing the number of women in cybersecurity, as an industry we are still falling short. For many companies the problem starts with the tech pipeline—there just aren’t enough resumes from qualified female candidates. But I think the real problem is that our definition of qualified is too narrow. It’s so narrow that many women and people from other underrepresented backgrounds don’t identify with cybersecurity. And it limits our ability to evaluate potential defenders. Hiring managers too often reject excellent candidates who don’t check all the boxes. At Fortalice, we do things differently, and as a result nearly 40 percent of our team are women.

During Women in Cybersecurity month, Microsoft is publishing blogs by female cybersecurity leaders who have advice on how to increase the number of women in the field. Last week, Diana Kelley wrote about how to create a culture that helps people of all of backgrounds thrive. In this post, I’ll share four tips for recruiting more women.

It starts with commitment

Increasing diversity requires focus and attention. If you sit back and passively wait for the right resumes to land in your inbox, nothing will change. Much of this starts with the executive team making a concerted effort to take a stand and ask themselves and their organization why they don’t have more women on their teams. Diana’s blog does a great job of walking through some of the cultural aspects that make it hard for diversity to thrive. With the right commitment, you can put structures in place to find the people that you want.

With the coronavirus outbreak around the world, pay attention to your commitment to allow flexible schedules and the flexibility to work from home. Your female employee may be a caregiver to a parent or might be working from home while her children are remote schooling.

Expand the criteria

Cybersecurity is noble work. Every day we defend privacy and protect identities. We use creative problem-solving skills to outwit our adversaries and help people. It’s technical and analytical, yes, but it also takes interpersonal skills. Yet this isn’t how the public envisions cybersecurity. Most imagine a young white guy with poor social skills sitting in the dark, surrounded by more of the same—usually all wearing hoodies. It sounds boring, right? Is it any wonder that so many people opt out?

The stereotype discourages more diverse candidates from seeking us out, but we compound the problem with ridged job requirements. Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees, and the same alphabet soup of certifications. While these are some of the indicators of a successful hire, they aren’t the only ones.

Expand your criteria. The best cybersecurity professionals are insatiable learners and highly skilled problem solvers who think about the user while never underestimating the adversary. Take a chance on people outside cybersecurity or who don’t have a college degree and invest in cross training. Some of my team members started out in a different field. Now they are among the best, most well-rounded defenders in the industry.

Start young

I went to high school at Marine Corps Base Quantico, which mandated a class in computer programming. Thanks to that class I discovered that I have an aptitude and passion for technology. I might not have ended up in cybersecurity if it weren’t for that class. I’m so grateful that the U.S. Marine Corps and the Department of Defense saw the value in us learning new technologies and made this non-negotiable. We need to take this lesson and apply it more broadly. Women who don’t start developing technical skills early are at a great disadvantage when they compete against others who learned to code when they were young.

One way to do this is with training programs for kids. I partnered with another cybersecurity female leader from Cisco and members of FBI InfraGard to found the InfraGard CyberCamp in North Carolina. The program provides security training, security tools training, forensic analysis, and other activities and is hosted at Microsoft’s Charlotte campus. To get the diversity we want, we go directly to the organizations that know girls, kids of color, LGBTQ youth, and economically disadvantaged kids and ask them to apply. The extra effort works; each year, the camp graduates 30 kids from all walks of life—male, female, and economically disadvantaged students included. As more security conferences look to create “hackathons” for middle and high school students, as well as scholarship programs for college students, they must deliberately foster diversity.

Provide a platform for your cybersecurity women

Many young women are looking for role models. They want to feel connected with their coworkers. Send women from your organization to recruiting events on college campus so prospective candidates can get to know your team. Elevate the female leaders at your company with articles or speaking roles at conferences.

As people see more women and other underrepresented groups in cybersecurity, stereotypes will be tested. This will encourage a diverse group of people to apply. We need them! Diversity will make us better at solving the complex problems inherent in cybersecurity.

Learn more

Fortalice started a group called Help a Sister Up on LinkedIn, #hasu. This space is dedicated to advancing women in technology and serves as a rallying point for them and their male advocates. We post job openings, articles, and avenues for discussion. Please join Help a Sister Up.

Theresa Payton is CEO and President of Fortalice—a group of “former White House cyber operatives and national security veterans who have honed our craft protecting people, business, and nations for decades.” Theresa was the first female CIO for the White House and was named One of the 7 Women at the Top of their Game by Meeting Magazines.

The post Welcoming a more diverse workforce into cybersecurity: expanding the pipeline appeared first on Microsoft Security.

Making it easier for your remote workforce to securely access all the apps they need, from anywhere

March 31st, 2020 No comments

Since I published my last blog, Five identity priorities for 2020, COVID-19 has upended the way we work and socialize. Now that physical distancing has become essential to protect everyone’s health, more people than ever are going online to connect and get things done. As we all adjust to a new daily routine, the organizations we work for are turning to technology to help us collaborate and stay productive. In these challenging times, identity can make life simpler, both for people working from home and for IT administrators charged with keeping their environments secure.

In my previous blog, I advised connecting all applications and cloud resources to Azure Active Directory (Azure AD). If you’re like most organizations, your employees use a lot of apps, from popular software-as-a-service (SaaS) apps—including collaboration services like Zoom, Cisco Webex, Workplace from Facebook, or Box—to legacy web and on-premises applications. Making Azure AD the control plane across all your apps helps ensure your employees working from home have secure, seamless access to the tools and resources they need, while protecting those tools and resources from unauthorized access.

Making it easy for remote workers to access the apps they need

When you connect your apps to Azure AD, your employees only need to sign in once to access them, and they only need one set of credentials. To make on-premises web apps available without a cumbersome VPN, you can use Azure AD Application Proxy, while tools from our secure hybrid access partners like can provide access to. To get productive from wherever they are, your employees simply go to the My App Portal, where they can find all the apps they have your permission to use.

Screenshot showing apps in the My Apps portal.

Figure 1: Users can sign in once and access all the apps they need in a central place, the My Apps portal.

Enabling consistent, strong security across all your apps

With Azure AD, enabling productivity doesn’t shortchange security. Once you’ve connected your apps to Azure AD, you can apply custom security policies across your entire digital estate. Since even complex passwords get stolen, we recommend enforcing multi-factor authentication (MFA) for all accounts and applying Conditional Access policies for adaptive granular access controls. For example, when a user signs in, policies can determine whether to allow, limit, or block access based on their location, whether their device is compliant, and which app they’re trying to access.

Additionally, Microsoft Intune App Protection Policies can provide application-level controls and compliance, while maintaining a great user experience on any device. Intune app configuration policies can help keep work data safe by controlling or stopping people from sharing work data outside of trusted apps assigned to them.

Increasing IT efficiency with self-service and automation​

To reduce the burden on IT, Azure AD offers several tools to simplify management. Self-Service Password Reset lets users manage passwords on their own. Pre-integrated applications make it easy to enable single sign-on (SSO) with just a few clicks (Figure 2). Some companies, to help serve their communities. Automated provisioning of user accounts and apps makes onboarding significantly faster, so those new workers can get productive right away. For one customer, Mattress Firm, adding a new employee to their HR system automatically provisions their Azure AD user account and assigns them access to the appropriate applications within four hours.

Screenshot showing apps in the Azure AD Gallery.

Figure 2: Configure your apps for secure, seamless access with just a couple clicks.

Get free assistance connecting your apps to Azure AD

Many of our customers are moving rapidly to enable secure remote work during this current crisis, and we want to make sure you have everything you need. If you have subscriptions to Office 365 or Azure, you can use Azure AD to configure secure SSO for your 10 most critical apps for free. A license for Microsoft 365 gives you full access to Azure AD. For all our customers, we also offer complimentary deployment assistance through our FastTrack program.

As unprecedented numbers of people work remotely, the right tools, including Azure AD, can help keep them both protected and productive. Whatever your circumstances, we’re here to help. You can reach us via Twitter: @AzureAD.

Learn more

Learn how to use Azure AD to connect your workforce to all the apps they need from anywhere.

 

*This offer includes MFA via the Microsoft Authenticator app only.

The post Making it easier for your remote workforce to securely access all the apps they need, from anywhere appeared first on Microsoft Security.

Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios

March 26th, 2020 No comments

With the bulk of end users now working remotely, legacy network architectures that route all remote traffic through a central corporate network are suddenly under enormous strain. The result can be poorer performance, productivity, and user experience. Many organizations are now rethinking their network infrastructure design to address these issues, especially for applications like Microsoft Teams and Office 365. At Microsoft, for example, we adopted split tunneling as part of our VPN strategy. Our customers have asked us for guidance on how to manage security in this changing environment.

An architecture that routes all remote traffic back to the corporate network was originally intended to provide the security team with the following:

  • Prevention of unauthorized access
  • Control of authorized user access
  • Network protections such as Intrusion Detection/Prevention (IDS/IPS) and Distributed Denial of Service (DDoS) mitigation
  • Data loss prevention (DLP)

In this post, we’ll address alternative ways of achieving modern security controls, so security teams can manage risk in a more direct-to-internet network architecture.

Prevention of unauthorized access

Multi-factor authentication (MFA) helps increase authentication assurance. We recommend requiring it for all users. If you are not ready to deploy to all users, consider entering an emergency pilot for higher risk or more targeted users. Learn more about how to use Azure Active Directory (Azure AD) Conditional Access to enforce MFA. You will also want to block legacy authentication protocols that allow users to bypass MFA requirements.

Control of authorized user access

Ensure only registered devices that comply with your organization’s security policies can access your environment, to reduce the risk that would be posed by resident malware or intruders. Learn more about how to use Azure AD Conditional Access to enforce device health requirements. To further increase your level of assurance, you can evaluate user and sign-on risk to block or restrict risky user access. You may also want to prevent your users from accessing other organizations’ instances of the Office 365 applications. If you do this with Azure AD tenant restrictions, only logon traffic needs to traverse the VPN.

Network protections

Some of the protections that you may have traditionally provided by routing traffic back through your corporate network can now be provided by the cloud apps your users are accessing. Office 365, for example, is globally distributed and designed to allow the customer network to route user requests to the closest Office 365 service entry point. Learn more about Office 365 network connectivity principles. We build resiliency into Office 365 to minimize potential disruption. We protect Office 365 and Azure from network attacks like DDoS on behalf of our customers.

With the above controls in place, you may be ready to route remote users’ traffic directly to Office 365. If you still require a VPN link for access to other applications, you can greatly improve your performance and user experience by implementing split tunneling.

We strongly recommend that you review VPN and VPS infrastructure for updates, as attackers are actively tailoring exploits to take advantage of remote workers. Microsoft Threat Intelligence teams have observed multiple nation state and cybercrime actors targeting unpatched VPN systems for many months. In October 2019, both the National Security Agency and National Cyber Security Centre issued alerts on these attacks. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Department of Commerce National Institute of Standards and Technology (NIST) have published useful guidance on securing VPN/VPS infrastructure.

DLP

To help you prevent the accidental disclosure of sensitive information, Office 365 has a rich set of built-in tools. You can use the built-in DLP capabilities of Teams and SharePoint to detect inappropriately stored or shared sensitive information. If part of your remote work strategy involves a bring-your-own-device (BYOD) policy, you can use Conditional Access App Control to prevent sensitive data from being downloaded to users’ personal devices.

Malware detection

By default, SharePoint Online automatically scans file uploads for known malware. Enable Exchange Online Protection to scan email messages for malware. If your Office 365 subscription includes Office 365 Advanced Threat Protection (ATP), enable it to provide advanced protection against malware. If your organization uses Microsoft Defender ATP for endpoint protection, remember that each user is licensed for up to five company-managed devices.

Additional resources

The post Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios appeared first on Microsoft Security.

Welcoming and retaining diversity in cybersecurity

March 24th, 2020 No comments

I doubt I’d be in the role I am now if leaders at one of my first jobs hadn’t taken an interest in my career. Although I taught myself to code when I was young, I graduated from college with a degree in English Literature and began my post-college career in editorial. I worked my way up to Assistant Editor at a math and science college textbook publisher located in Boston, Massachusetts. I was responsible for acquisitions and training on the software that that the company distributed with its textbooks. The senior editors sent me to a conference in Florida to train the sales team on how to present the software to professors. This is where I met Jennifer. Jennifer headed up the network and IT support for our California parent company, and because we shared a room at the conference hotel, we got to know each other, and she saw me present. This interaction proved pivotal. When the publisher created a new position to support a network of AS/400s, Jennifer talked me into applying—and yes, she did have to talk me into it! Like a lot of young professionals, I was intimidated to take on such a different role. But I’m so glad she was looking out for me. It was the start of my career in technology, which ultimately led me to Microsoft.

My experience is a great example of how individuals and company culture can influence the trajectory of someone’s career. To celebrate Women in Cybersecurity month, Microsoft is exploring tactics to increase diversity in the tech industry. In the first post in the series, Ann Johnson wrote about mentorship. In this post, I share some ideas for cultivating the diverse talent that already work at your company to build a strong and diverse leadership team.

Retention is as important as recruitment

When we talk about the lack of diversity in tech, much of the conversation focuses around hiring. And it’s true that we need to dramatically increase the number of women, non-binary, and people of color that we recruit. But if we want to create more diverse technology teams, we also need to address the talent drain. Too often smart technologists with nontraditional backgrounds drop out of STEM careers. Studies have shown that up to 52 percent of women leave technology fields. This is nearly double the percentage of men who quit tech. And for those who think it’s because women don’t enjoy technology, 80+ percent of women in STEM say they love their work. The problem often comes down to culture. Which means it’s something we can fix! I’ve worked with and managed many neuro-diverse teams and here’s what I’ve seen work.

People aren’t books

One of the most famous pictures of Einstein shows him with his hair in disarray, sticking his tongue out. If you didn’t know he was one of the greatest thinkers in the world, you might assume he wasn’t the fastest electron in the universe. Or what does it say that many of us didn’t discover Katharine Johnson, another brilliant physicist, until 2017 when the movie “Hidden Figures” was released.

Our collective mental model for what an engineer or scientist is supposed to look and act like doesn’t reflect reality. Some people have purple hair, some like to work in yoga pants, some listen to loud music on headphones all day, or have creative face tattoos. And many are women or LGBTQ or people of color or disabled. People’s race, gender, appearance and work styles have no bearing on whether they are a hard worker or a valuable contributor. We know this, but often we don’t realize we’ve made a judgement based on unconscious biases.

How to address: Don’t judge people by their “covers.” This starts by acknowledging that your biases may not be explicit or intentional, but they still exist. Listen to what people say. Evaluate the work they produce. Observe how they collaborate with others. These are the indicators of the value they bring. And keep in mind that people who’ve been conditioned to believe that technology isn’t for them, may not exhibit the level of confidence you expect. It doesn’t mean they can’t do it. They may just need a little more encouragement (thank you, Jennifer!).

Women often leave jobs because they feel stalled in their careers. In one study, 27 percent of U.S. women said they feel stalled and 32 percent were considering quitting in the next year. For a variety of reasons, unconscious bias results in straight white men getting more opportunities on high profile projects, more ideas greenlit, and faster promotions. As a result, women get discouraged, do not feel supported and look for other opportunities. That is why in the previous blog, we focused on mentorship.

How to address: Be a champion for women and other underrepresented groups in your company. My relationship with Jennifer is a great example of this. She took an interest in my career, identified an opportunity and helped me get to the next rung. Our relationship was informal, but you can also create a structured sponsorship program. The goal is to go beyond mentorship and become an advocate for promising women, people of color, and other underrepresented groups. Use your influence to get them the right projects, the right advice, and the right exposure to help them advance their careers.

Nurture unique thinkers

Back when I was a manager at KPMG, we used to try to hire people who “think outside the box.” But the tricky part about hiring out of the box thinkers is that their ideas are, well, outside the box. Organizations often think they want people to shake things up but in practice many are uncomfortable being challenged. This leads them to quickly shut down bold new ideas. When original thinkers don’t feel valued, they take all that innovation and creativity elsewhere.

How to address: Build a culture of inclusion where everyone has a chance to share. Not every idea is great; in my career I’ve had more than my share of bad ones! But you should listen to and consider all opinions—even if they seem a little off the wall. It doesn’t mean you have to move them all forward, but sometimes an idea that sounds outlandish one day starts to make sense after a good night’s sleep. Or take a page from the women in the Obama administration and amplify ideas that have been overlooked.

Respect the hours

Not everyone can commit to a regular eight in the morning to six in the evening work week. Many people care for children, sick spouses, and elderly parents—being a caretaker is a skill in and of itself! In fact, this quality of being a caretaker is something that in most technology roles can be a valued asset. In addition to being a caretaker, others can’t work “regular” weeks because they’re finishing degrees or have other time challenges and commitments.

Varied approaches to time also apply to project milestones. People deal with deadlines differently—some get stressed if the deadline is too close (like me!) and do their work in advance, others need that adrenaline pump and wait until (almost) the last minute to deliver.

How to address: Institute and support flexible work hours, job sharing (two people share the same job, both doing it half-time), or three weeks on/one week off work schedules that enable people to contribute without requiring them to keep the same hours as everyone else. Trust that people can be productive even if they don’t work the same way or at the same time as your typical employee.

To build a diverse, experienced team of leaders, you need an environment that supports and accepts differences of all kinds. Don’t let bias about gender, appearance, or the hours someone can work get in the way of nurturing all those great hires into the next generation of great leaders. Our senior director for our cybersecurity operations team, Kristina, looks for diversity as this helps with managing the diversity of threats. Listen to her thoughts on diversity in our CISO Spotlight Episode 7.

What’s next

For those interested in how to find more diverse talent, next week Theresa Payton will share ideas from her experience recruiting girls, women, and other people with differing backgrounds into technology.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. To learn more about our Security solutions visit our website. Or reach out to me on LinkedIn or Twitter.

The post Welcoming and retaining diversity in cybersecurity appeared first on Microsoft Security.

Defending the power grid against supply chain attacks—Part 2: Securing hardware and software

March 23rd, 2020 No comments

Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernize our infrastructure, it’s critical that cybersecurity measures are prioritized.

In the first blog in the “Defending the power grid against cyberattacks” series, I walked through how the accelerated adoption of the Internet of Things (IoT) puts utilities and citizens at risk of attack from nation state actors. In this post, I’ll provide guidance for how utilities manufacturers can better protect the connected devices that are deployed in the energy industry.

Protect identities

If your organization supplies the energy industry, you may be targeted by adversaries who want to disrupt the power supply. One way they will try to access your company resources is by stealing or guessing user credentials with tactics like password spray or phishing. According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of breaches are the result of weak or compromised passwords. Attackers target multiple people at a time, but they only need to succeed once to gain access.

Securing your company starts with safeguarding your identities. At the bare minimum, you should apply multi-factor authentication (MFA) to your administrative accounts. A better option is to require all users to authenticate using MFA. MFA requires that users sign in with more than just a password. The second form of authentication can be a one-time code from a mobile device, biometrics, or a secure FIDO2 key, among other options. MFA reduces your risk significantly because it’s much harder for an attacker to compromise two or more authentication factors.

Figure 1: You can use Conditional Access policies to define when someone is promoted to sign in with MFA.

Secure privileged access

In a supply chain attack, adversaries attack your organization to gain access to data and applications that will allow them to tamper with your product or service before it reaches its intended destination. Bad actors want to infiltrate your build environment or the servers that you use to push software updates. To accomplish this, they often target administrator accounts. Securing your administrative accounts is critical to protect your company resources. Here are a few steps you can take to safeguard these accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to you administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

  • Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

Safeguard your build and update environment

Bad actors don’t just target user accounts. They also exploit vulnerabilities in software. Many attacks take advantage of known vulnerabilities for which there are available patches. Keep software and operating systems up-to-date and patched to reduce your risk. Retire any technology that is no longer supported by the publisher and implement mandatory integrity controls to ensure only trusted tools run.

You also need to protect the software that your team writes. A proven and robust Secure Development Lifecycle (SDL) will guide your developers to build software that includes fewer vulnerabilities. Microsoft’s SDL includes 12 practices. For example, Microsoft SDL recommends that security and privacy requirements be defined at the beginning of every project. The guidelines also provide tips for managing the security risk of third-party software, performing threat modeling, and penetration testing, among other recommendations. By building security into the entire software process, the software you release will be more secure and less vulnerable to attack.

Assume breach

My recommendations will reduce your risk, but they won’t eliminate it entirely. To protect your company and customers, you’ll need to adopt an assume breach mindset. It’s not a matter of if you’ll be breached but when. Once you’ve accepted that you can’t prevent all attacks, put processes and tools in place that enable you to detect and respond to an incident as quickly as possible.

Endpoint detection and response solutions, like Microsoft Threat Protection, leverage AI to automate detection and response and correlate threats across domains. When incidents are detected, you will need an appropriate response. The National Institute of Standards and Technology (NIST) provides an incident response guide. You can also learn from Microsoft’s Security Response Center (MSRC), which shared how it developed an incident response plan.

Figure 3: An overview of an incident in Microsoft Threat Protection.

A good communication plan is an important component of a response plan. You will need to let customers know there was an incident and how you plan to address it. As the MSRC notes, “Clear, accurate communication builds confidence in the incident response process, maintains trust with customers, protects your brand, and is essential for fast effective response.”

Centralized IoT device management

In addition to operating a number of generation plants, utilities operate a network of thousands of substations and hundreds of thousands of miles of transmission and distribution lines. This requires them to deploy a large number of IoT devices to safely and efficiently deliver electricity to their customers. To effectively manage this network of IoT devices, suppliers should provide their customers with centralized IoT device management to update firmware, install security updates, and manage accounts and passwords.

Build trust

Protecting critical infrastructure from a destabilizing attack will require collaboration among utilities and suppliers in the industry. Device manufacturers and software publishers have a vital role to play in protecting critical infrastructure. By instituting and maintaining the security practices that I’ve recommended, you can dramatically reduce the risk to your organization and to the power grid.

Stay tuned for the final post in this series, “Part 3: Risk management strategies for the utilities industry,” where I’ll provide recommendations specifically for utilities.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks—Part 2: Securing hardware and software appeared first on Microsoft Security.