Archive for the ‘Cybersecurity Policy’ Category

The psychology of social engineering—the “soft” side of cybercrime

June 30th, 2020

Forty-eight percent of people will exchange their password for a piece of chocolate,[1] 91 percent of cyberattacks begin with a simple phish,[2] and two out of three people have experienced a tech support scam in the past 12 months.[3] What do all of these have in common? They make use of social engineering: an attacker preys on our human nature in order to defraud. They have something else in common, too: these small, very human actions have led to billions of dollars in losses for global business.

People are by nature social. Our decision making is highly influenced by others. We are also overloaded with information and look to shortcuts to save time. This is why social engineering is so effective. In this blog, I’ll share the psychology behind Cialdini’s Six Principles of Persuasion to show how they help lure employees and customers into social engineering hacks. And I’ll provide some tips for using those principles to create a social engineering resistant culture.

Dr. Robert Cialdini is Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University and founder of Influence at Work. He has spent his entire career studying what makes people say “Yes” to requests. From that research he developed Six Principles of Persuasion: Reciprocity, Scarcity, Authority, Consistency, Liking, and Consensus. So let’s take a look at how each of these principles is used in social engineering campaigns and how you can turn them around for good.

Reciprocity

People are inclined to be fair. In fact, receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. If my friend buys me lunch on Friday, I will feel obliged to buy her lunch the next time we go out. Social psychologists have shown that if people receive a holiday card from a stranger, 20 percent will send one back.[4] And providing a mint at the end of a meal can increase tipping by 18-21 percent.

How reciprocity is used in phishing: You can see evidence of the Principle of Reciprocity in phishing campaigns and other scams. For example, an attacker may send an email that includes a free coupon and then ask the user to sign up for an account.

Leveraging reciprocity to reduce phishing: According to Dr. Cialdini, the lesson of “the Principle of Reciprocity is to be the first to give...” Many organizations pay for lunch to get people to come to trainings, but you may also consider giving away gift certificates for coffee or a fun T-shirt. If the gift is personal and unexpected, it’s even more effective. After you give, ask people to commit to your security principles. Many will feel compelled to do so.

Scarcity

Why do so many travel websites tell you when there are only a few remaining flights or rooms? The Principle of Scarcity. It’s human nature to place a higher value on something that is in limited supply. In one experiment, college students judged cookies more appealing if there were fewer in the jar.[5] Even more appealing? When an abundant supply of cookies was later reduced to scarcity.

How scarcity is used in phishing: Attackers take advantage of our desire for things that seem scarce by putting time limits on offers in emails. Or, in another common tactic, they tell people that their account will deactivate in 24 hours if they don’t click on a link to get it resolved.

Leveraging scarcity to reduce phishing: You can leverage scarcity to engage people in security behaviors too. For example, consider giving a prize to the first 100 people who enable multi-factor authentication.

Authority

People tend to follow the lead of credible experts. Doctors (think Dr. Fauci), teachers, bosses, and political leaders, among others, have huge sway over people’s actions and behaviors. If you’ve heard of the Milgram study,[6] you may be familiar with this concept. In that study an experimenter convinced volunteers to deliver increasingly more severe shocks to a “learner” who didn’t answer questions correctly. Fortunately, the learner was an actor who pretended to feel pain, when in reality there were no shocks delivered. However, it does show you how powerful the Principle of Authority is.

How authority is used in phishing: Using authority figures to trick users is very common and quite effective. Bad actors spoof the Chief Executive Officer (CEO) to demand that the Chief Financial Officer (CFO) wire money quickly in some spear phishing campaigns. When combined with urgency, people are often afraid to say no to their boss.

Leveraging authority to reduce phishing: You can use people’s natural trust of authority figures in your security program. For example, have senior managers make a statement about how important security is.

Consistency

Most people value integrity. We admire honesty and reliability in others, and we try to practice it in our own lives. This is what drives the Principle of Consistency. People are motivated to remain consistent with prior statements or actions. If I tell you that I value the outdoors, I won’t want to be caught throwing litter in a park. One study found that if you ask people to commit to environmentally friendly behavior when they check into a hotel, they will be 25 percent more likely to reuse their towel.[7]

How consistency is used in phishing: Scammers take advantage of people’s desire to be consistent by asking for something small in an initial email and then asking for more later.

Leveraging consistency to reduce phishing: One way to employ the Principle of Consistency in your security program is to ask staff to commit to security. Even more powerful? Have them do it in writing.

Liking

It probably won’t surprise you to learn that people are more likely to say yes to someone they like. If a friend asks for help, I want to say yes, but it’s easier to say no to a stranger. But even a stranger can be persuasive if they are perceived as nice. In the raffle experiment, people were more likely to buy raffle tickets if the person selling the tickets brought them a soda, and less likely if the person only bought themselves a soda.[8]

How liking is used in phishing: When bad actors spoof or hack an individual’s email account and then send a phishing email to that person’s contacts, they are using the Principle of Liking. They are hoping that one of the hacking victim’s friends won’t spend much time scrutinizing the email content and will just act because they like the “sender.”

Leveraging liking to reduce phishing: To be more persuasive with your staff, cultivate an “internal consulting” mindset. Be friendly and build relationships, so that people want to say yes when you ask them to change their behavior.

Consensus

When people are uncertain, they look to others to help them formulate an opinion. Even when they are confident of their beliefs, consensus opinions can be very persuasive. This can be seen in the light dot experiment. In this study, individuals were asked how much a (stationary) dot of light was moving. It appeared to move due to the autokinetic effect. Days later, the subjects were divided into groups. Despite very different earlier estimates, responses “normalized” to the broader group. If brought back to provide an individual estimate, individuals continued to provide the group estimate.[9]

How consensus is used in phishing: Adversaries exploit cultural trends. For example, when there is a natural disaster, there are often several illegitimate organizations posing as a charity to elicit donations.

Leveraging consensus to reduce phishing: Highlight positive security behaviors among other employees or report favorable statistics that indicate most people are complying with a security policy.

The more complex life becomes, the more likely humans will rely on cognitive shortcuts to make decisions. Educate your employees on how Cialdini’s Six Principles of Persuasion can be used to trick them. Try implementing the principles in your own communication and training programs to improve compliance. Over time, you can build a culture that is less likely to fall for social engineering campaigns.

Watch “The psychology of social engineering: the soft side of cybercrime” presentation at InfoSec World v2020.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

[1] Happ; Melzer; Steffgen. “Trick with treat – Reciprocity increases the willingness to communicate personal data.” https://dl.acm.org/citation.cfm?id=2950731
[2] 2016 Enterprise Phishing Susceptibility and Resiliency Report, https://phishme.com/enterprise-phishing-susceptibility-report
[3] Microsoft Global Survey on Tech Support Scams, https://mscorpmedia.azureedge.net/mscorpmedia/2016/10/Microsoft_Infographic_final.pdf
[4] Kunz, Phillip R; Woolcott, Michael (1976-09-01). “Season’s greetings: From my status to yours.” Social Science Research. 5 (3): 269–278
[5] Worchel, Stephen; Lee, Jerry; Adewole, Akanbi (1975). “Effects of supply and demand on ratings of object value.” Journal of Personality and Social Psychology. 32 (5): 906–914.
[6] Milgram, Stanley (1963). “Behavioral Study of Obedience.” Journal of Abnormal and Social Psychology. 67(4): 371–8.
[7] Baca-Motes, Katie; Brown, Amber; Gneezy, Ayelet; Keenan, Elizabeth A.; Nelson, Leif D. (2013-02-01). “Commitment and Behavior Change: Evidence from the Field.” Journal of Consumer Research. 39 (5): 1070–1084.
[8] Regan, Dennis T. (1971-11-01). “Effects of a favor and liking on compliance.” Journal of Experimental Social Psychology. 7 (6): 627–639.
[9] Sherif, M (1935). “A study of some social factors in perception.” Archives of Psychology. 27: 187.

The post The psychology of social engineering—the “soft” side of cybercrime appeared first on Microsoft Security.

Empowering your remote workforce with end-user security awareness

May 13th, 2020

COVID-19 has rapidly transformed how we all work. Organizations need quick and effective user security and awareness training to address the swiftly changing needs of the new normal for many of us. To help our customers deploy user training quickly, easily and effectively, we are announcing the availability of the Microsoft Cybersecurity Awareness Kit, delivered in partnership with Terranova Security. For those of you ready to deploy training right now, access your kit here. For more details, read on.

Work at home may happen on unmanaged and shared devices, over insecure networks, and in unauthorized or non-compliant apps. The new environment has put cybersecurity decision-making in the hands of remote employees. In addition to the rapid dissolution of corporate perimeters, the threat environment is evolving rapidly as malicious actors take advantage of the current situation to mount coronavirus-themed attacks. As security professionals, we can empower our colleagues to protect themselves and their companies. But choosing topics, producing engaging content, and managing delivery can be challenging, consuming time and resources. Our customers need immediately deployable and context-specific security training.

CYBERSECURITY AWARENESS KIT

At RSA 2020 this year, we announced our partnership with Terranova Security, to deliver integrated phish simulation and user training in Office 365 Advanced Threat Protection later this year. Our partnership combines Microsoft’s leading-edge technology, expansive platform capabilities, and unparalleled threat insights with Terranova Security’s market-leading expertise, human-centric design and pedagogical rigor. Our intelligent solution will turbo-charge the effectiveness of phish simulation and training while simplifying administration and reporting. The solution will create and recommend context-specific and hyper-targeted simulations, enabling you to customize your simulations to mimic real threats seen in different business contexts and train users based on their risk level. It will automate simulation management from end to end, providing robust analytics to inform the next cycle of simulations and enable rich reporting.

Our Cybersecurity Awareness Kit now makes available a subset of this user-training material relevant to COVID-19 scenarios to aid security professionals tasked with training their newly remote workforces. The kit includes videos, interactive courses, posters, and infographics like the one below. You can use these materials to train your remote employees quickly and easily.

Beware of COVID-19 Cyber Scams

For security professionals, we have created a simple way to host and deliver the training material within your own environment or to direct your users to the Microsoft 365 security portal, where the trainings are hosted as seen below. All authenticated Microsoft 365 users will be able to access the training on the portal. Admins will see the option to download the kit as well. Follow the simple steps, detailed in the README, to deploy the awareness kits to your remote workforce.

ACCESSING THE KIT

All Microsoft 365 customers can access the kit and directions on the Microsoft 365 Security and Compliance Center through this link. If you are not a Microsoft 365 customer or would like to share the training with family and friends who are not employees of your organization, Terranova Security is providing free training material for end-users.

Deploying quick and effective end-user training to empower your remote workforce is one of the ways Microsoft can help customers work productively and securely through COVID-19. For more resources to help you through these times, visit Microsoft’s Secure Remote Work Page for the latest information.

Managing risk in today’s IoT landscape: not a one-and-done

April 28th, 2020

The reality of securing IoT over time

It’s difficult to imagine any aspect of everyday life that isn’t affected by the influence of connectivity. The number of businesses that are using IoT is growing at a fast pace. By 2021, approximately 94 percent of businesses will be using IoT. Connectivity empowers organizations to unlock the full potential of the Internet of Things (IoT)—but it also introduces new cybersecurity attack vectors that they didn’t need to think about before. The reality is, connectivity comes at a cost: attackers with a wide range of motivations and skills are on the hunt, eager to exploit vulnerabilities or weak links in IoT. What does it take to manage those risks?

The cybersecurity threat landscape is ever evolving so a solution’s protection must also evolve regularly in order to remain effective. Securing a device is neither a one-time action nor is it a problem that is solely technical in nature. Implementing robust security measures upfront is not enough—risks need to be mitigated not just once, but constantly and throughout the full lifespan of a device. Facing this threat landscape ultimately means acknowledging that organizations will have to confront the consequences of attacks and newfound vulnerabilities. The question is, how to manage those risks beyond the technical measures that are in place?

A holistic approach to minimizing risk

Securing IoT devices against cyberattacks requires a holistic approach that complements up-front technical measures with ongoing practices that allow organizations to evaluate risks and establish a set of actions and policies that minimize threats over time. Cybersecurity is a multi-dimensional issue that requires the provider of an IoT solution to take several variables into account—it is not just the technology, but also the people who create and manage a product and the processes and practices they put in place, that will determine how resilient it is.

With Azure Sphere, we provide our customers with a robust defense that utilizes the evidence and learnings documented in the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state even after it has been compromised. As the threat landscape evolves, renewable security also enables us to counter new attack vectors through updates. This is essential, but not sufficient on its own. Our technology investments are enhanced through similar investments in security assurance and risk management that permeate all levels of an organization. The following sections highlight three key elements of our holistic approach to IoT security: continuous evaluation of our security promise, leveraging the power of the security community, and combining cyber and organizational resilience. 

Continuous evaluation of our security promise

All cyberattacks fall somewhere on a spectrum of complexity. On one side of the spectrum are simple and opportunistic attacks. Examples are off-the-shelf malware or attempts to steal data such as credentials. These attacks are usually performed by attackers with limited resources. On the opposite side of the spectrum are threat actors that use highly sophisticated methods to target specific parts of the system. Attackers within this category usually have many resources and can pursue an attack over a longer period of time. Given the multitude of threats across this spectrum, it is important to keep in mind that they all have one thing in common: an attacker faces relatively low risk with potentially very large rewards.

Taking this into account, we believe that in order to protect our customers we need to practice being our own worst enemy. This means our goal is to discover any vulnerabilities before the bad guys do. One proven approach is to test our solution from the same perspective as an attacker. So-called “red teams” are designed to emulate the attacks of adversaries, whereas “purple teams” perform both attacking and defending to harden a product from within.

Our approach to red team exercises is to try to mimic the threat landscape that devices are actually facing. We do this multiple times a year and across the full Azure Sphere stack. This means that our customers benefit from the rigorous security testing of our platform and are able to focus on the security of their own applications. We work with the world’s most renowned security service providers to test our product with a real-world attacker mentality for an extended period of time and from multiple perspectives. In addition, we leverage the full power of Microsoft internal security expertise to conduct regular internal red and purple team exercises. The practice of constantly evaluating our defense and emulating the ever-evolving threat landscape is an important part of our security hygiene—allowing us to find vulnerabilities, update all devices, and mitigate incidents before they even happen.

Leveraging the power of the security community

Another approach to finding vulnerabilities before attackers do is to engage with the cybersecurity community through bounty programs. We encourage security researchers with an interest in Azure Sphere to search for any vulnerabilities and we reward them for it. While our approach to red team exercises ensures regular testing of how we secure Azure Sphere, we also believe in the advantages of the continual and diverse assessment by anyone who is interested, at any point in time.

Security researchers play a significant role in securing our billions of customers across Microsoft, and we encourage the responsible reporting of vulnerabilities based on our Coordinated Vulnerability Disclosure (CVD). We invite researchers from across the world to look for and report any vulnerability through our Microsoft Azure Bounty Program. Depending on the quality of submissions and the level of severity, we award successful reports with up to $40,000 USD. We believe that researchers should be rewarded competitively when they improve the security of our platform, and we maintain these important relationships for the benefit of our customers.

From a risk management perspective, both red and purple team exercises and bug bounties are helpful tools to minimize the risk of attacks. But what happens when an IoT solution provider is confronted with a newly discovered security vulnerability? Not every organization has a cybersecurity incident response plan in place, and 77 percent of businesses do not have a consistently deployed plan. Finding vulnerabilities is important, but it is equally important to prepare employees and equip the organization with processes and practices that allow for a quick and efficient resolution as soon as a vulnerability is found.

Combining cyber and organizational resilience

Securing IoT is not just about preventing attackers from getting in; it’s also about how to respond when they do. Once the technical barrier has been passed, it is the resilience of the organization that the device has to fall back on. Therefore, it is essential to have a plan in place that allows your team to quickly respond and restore security. There are countless possible considerations and moving parts that must all fit together seamlessly as part of a successful cybersecurity incident response. Every organization is different and there is no one-size-fits-all, but a good place to start is with industry best practices such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide. Azure Sphere’s standard operating procedures are aligned with those guidelines, in addition to leveraging Microsoft battle-tested corporate infrastructure.

Microsoft Security Response Center (MSRC) has been at the front line of security response for more than twenty years. Over time we have learned what it means to successfully protect our customers from harm from vulnerabilities in our products, and we are able to rapidly drive back attacks against our cloud infrastructure. Security researchers and customers are provided with an easy way to report any vulnerabilities and MSRC best-in-class security experts are monitoring communications 24/7 to make sure we can fix an issue as soon as possible.

Your people are a critical asset—when they’re educated on how to respond when an incident occurs, their actions can make all the difference. In addition to MSRC capabilities that are available at any time, we require everyone involved in security incident response to undergo regular and extensive training. Trust is easy to build when things are going right. What really matters in the long term is how we build trust when things go wrong. Our security response practices have been defined with that in mind.

Our commitment to managing the risks you are facing

The world will be more connected than it has ever been, and we believe this requires a strong, holistic, and ongoing focus on cybersecurity. Defending against today’s and tomorrow’s IoT threat landscape is not a static game. It requires continual assessment of our promise to secure your IoT solutions, innovation that improves our defense over time, and working with you and the security community. As the threat landscape evolves, so will we. Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. When you choose Azure Sphere, you can rely on our team and Microsoft to manage your risk so that you can focus on the true business value of your IoT solutions and products.

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry

April 22nd, 2020

Over the last fifteen years, attacks against critical infrastructure (Figure 1) have steadily increased in both volume and sophistication. Because of the strategic importance of this industry to national security and economic stability, these organizations are targeted by sophisticated, patient, and well-funded adversaries. Adversaries often target the utility supply chain to insert malware into devices destined for the power grid. As modern infrastructure becomes more reliant on connected devices, the power industry must continue to come together to improve security at every step of the process.

Figure 1: Increased attacks on critical infrastructure

This is the third and final post in the “Defending the power grid against supply chain attacks” series. In the first blog I described the nature of the risk. Last month I outlined how utility suppliers can better secure the devices they manufacture. Today’s advice is directed at the utilities. There are actions you can take as individual companies and as an industry to reduce risk.

Implement operational technology security best practices

According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of hacking-related breaches are the result of weak or compromised passwords. If you haven’t implemented multi-factor authentication (MFA) for all your user accounts, make it a priority. MFA can significantly reduce the likelihood that a user with a stolen password can access your company assets. I also recommend you take these additional steps to protect administrator accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.


Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks. 

  • You also don’t want an occasional security mistake, such as clicking on a link when an administrator is tired or distracted, to compromise the workstation that has direct access to these critical systems. Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This isolates these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other, more routine tasks.

The following security best practices will also reduce your risk:

  • Whitelist approved applications. Define the list of software applications and executables that are approved to be on your networks. Block everything else. Your organization should especially target systems that are internet facing as well as Human-Machine Interface (HMI) systems that play the critical role of managing generation, transmission, or distribution of electricity.
  • Regularly patch software and operating systems. Implement a monthly practice to apply security patches to software on all your systems. This includes applications and operating systems on servers, desktop computers, mobile devices, network devices (routers, switches, firewalls, etc.), as well as Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices. Attackers frequently target known security vulnerabilities.
  • Protect legacy systems. Segment legacy systems that can no longer be patched by using firewalls to filter out unnecessary traffic. Limit access to only those who need it by using Just In Time and Just Enough Access principles and requiring MFA. Once you set up these subnets, firewalls, and firewall rules to protect the isolated systems, you must continually audit and test these controls for inadvertent changes, and validate with penetration testing and red teaming to identify rogue bridging endpoints and design/implementation weaknesses.
  • Segment your networks. If you are attacked, it’s important to limit the damage. By segmenting your network, you make it harder for an attacker to compromise more than one critical site. Maintain your corporate network on its own network with limited to no connection to critical sites like generation and transmission networks. Run each generating site on its own network with no connection to other generating sites. This will ensure that should a generating site become compromised, attackers can’t easily traverse to other sites and have a greater impact.
  • Turn off all unnecessary services. Confirm that none of your software has automatically enabled a service you don’t need. You may also discover that there are services running that you no longer use. If the business doesn’t need a service, turn it off.
  • Deploy threat protection solutions. Services like Microsoft Threat Protection help you automatically detect, respond to, and correlate incidents across domains.
  • Implement an incident response plan. When an attack happens, you need to respond quickly to reduce the damage and get your organization back up and running. Refer to Microsoft’s Incident Response Reference Guide for more details.
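The segmentation advice above (corporate network kept apart from generating and transmission sites, each generating site on its own network, and the resulting controls audited continually for inadvertent changes) can be turned into a repeatable check. The following is an added example, not code from the original post: it defines the zones and the few inter-zone paths that policy allows, then flags any accepted flow that crosses a boundary policy forbids. The zone names, CIDRs, flow-log format and sample flows are all constructed for illustration.

```python
"""Network segmentation audit over constructed flow records.

Added example, not code from the original post. Zone names, CIDRs, the
flow-log format and the sample flows are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed zoning model: corporate IT, two generating sites, a transmission
# network, and a small range of hardened privileged access workstations (PAWs).
ZONES: Dict[str, List[str]] = {
    "corporate": ["10.0.0.0/16"],
    "gen-site-a": ["10.10.0.0/16"],
    "gen-site-b": ["10.20.0.0/16"],
    "transmission": ["10.30.0.0/16"],
    "paw": ["10.40.0.0/24"],
}

# The only inter-zone paths policy allows: PAWs reaching the critical sites.
# Corporate-to-site and site-to-site paths are deliberately absent.
ALLOWED_PATHS: Set[Tuple[str, str]] = {
    ("paw", "gen-site-a"),
    ("paw", "gen-site-b"),
    ("paw", "transmission"),
}


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'unknown' if no zone claims it."""
    addr = ip_address(ip)
    for name, cidrs in ZONES.items():
        if any(addr in ip_network(cidr) for cidr in cidrs):
            return name
    return "unknown"


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one constructed flow record: 'timestamp src dst proto dport action'."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "action": action}


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Return the accepted flows that cross a zone boundary policy does not allow.

    Dropped flows are skipped (the control worked). Flows touching an address
    outside every defined zone are always reported: an unexpected address
    reaching a generating site is how a rogue bridging endpoint shows up.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow["action"] != "ACCEPT":
            continue
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        crosses = src_zone != dst_zone or "unknown" in (src_zone, dst_zone)
        if not crosses or (src_zone, dst_zone) in ALLOWED_PATHS:
            continue
        flow.update(src_zone=src_zone, dst_zone=dst_zone)
        findings.append(flow)
    return findings


# Constructed sample: one allowed PAW session, one corporate-to-site SMB flow,
# one site-to-site Modbus flow, one correctly dropped flow, one intra-site flow,
# and one flow from an address no zone owns.
SAMPLE_FLOWS = """\
# timestamp src dst proto dport action  (constructed)
2020-04-22T10:00:01Z 10.40.0.5 10.10.1.20 tcp 3389 ACCEPT
2020-04-22T10:00:02Z 10.0.5.7 10.10.1.20 tcp 445 ACCEPT
2020-04-22T10:00:03Z 10.10.1.20 10.20.1.9 tcp 502 ACCEPT
2020-04-22T10:00:04Z 10.0.5.7 10.30.2.2 tcp 22 DROP
2020-04-22T10:00:05Z 10.10.1.20 10.10.1.21 tcp 502 ACCEPT
2020-04-22T10:00:06Z 192.168.9.9 10.20.1.9 udp 161 ACCEPT
""".splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src_zone']}->{f['dst_zone']} "
              f"{f['src']}->{f['dst']}:{f['dport']}/{f['proto']} VIOLATION")
```

Run against a real export of accepted flows from the boundary firewalls, the same check surfaces a rule that drifted open between two sites or a host plugged into the wrong network long before a penetration test would.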

Speak with one voice

Power grids are interconnected systems of generating plants, wires, transformers, and substations. Regional electrical companies work together to efficiently balance the supply and demand for electricity across the nation. These same organizations have also come together to protect the grid from attack. As an industry, working through organizations like the Edison Electric Institute (EEI), utilities can define security standards and hold manufacturers accountable to those requirements.

It may also be useful to work with the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), or the United States Nuclear Regulatory Commission (U.S. NRC) to better regulate the security requirements of products manufactured for the electrical grid.

Apply extra scrutiny to IoT devices

As you purchase and deploy IoT devices, prioritize security. Be careful about purchasing products from countries that are motivated to infiltrate critical infrastructure. Conduct penetration tests against all new IoT and IIoT devices before you connect them to the network. When you place sensors on the grid, you’ll need to protect them from both cyberattacks and physical attacks. Make them hard to reach and tamper-proof.

Collaborate on solutions

Reducing the risk of a destabilizing power grid attack will require everyone in the utility industry to play a role. By working with manufacturers, trade organizations, and governments, electricity organizations can lead the effort to improve security across the industry. For utilities in the United States, several public-private programs are in place to enhance the utility industry capabilities to defend its infrastructure and respond to threats:

Read Part 1 in the series: “Defending the power grid against cyberattacks”

Read “Defending the power grid against supply chain attacks: Part 2 – Securing hardware and software”

Read how Microsoft Threat Protection can help you better secure your endpoints.

Learn how MSRC developed an incident response plan

Bookmark the Security blog to keep up with our expert coverage on security matters. For more information about our security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry appeared first on Microsoft Security.

MITRE ATT&CK APT 29 evaluation proves Microsoft Threat Protection provides deeper end to end view of advanced threats

April 21st, 2020

As attackers use more advanced techniques, it’s even more important that defenders have visibility not just into each of the domains in their environment, but also across them to piece together coordinated, targeted, and advanced attacks. This level of visibility will allow us to get ahead of attackers and close the gaps through which they enter. To illustrate that imperative, the 2019 MITRE ATT&CK evaluation centered on an advanced nation-state threat actor known to the industry as Advanced Persistent Threat (APT) 29 (also known as Cozy Bear), which largely overlaps with the activity group that Microsoft calls YTTRIUM. The test involved a simulation of 58 attacker techniques in 10 kill chain categories.

Microsoft participated in the second MITRE ATT&CK endpoint detection product evaluation published today. The evaluation is designed to test security products based on the ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework, which is highly regarded in the security industry as one of the most comprehensive catalogs of attacker techniques and tactics. Threat hunters use this framework to look for specific techniques that attackers often use to penetrate defenses. Testing that incorporates a comprehensive view of an environment’s ability to monitor and detect malicious activity with the existing tools that defenders have deployed across an organization is critical.

Although this test was focused on endpoint detection and response, MITRE ran the simulated APT29 attack from end to end and across multiple attack domains, meaning defenders benefited from visibility beyond just endpoint protection. This gave Microsoft the unique opportunity to bring Microsoft Threat Protection (MTP) to the test.

Microsoft Threat Protection expands Microsoft Defender ATP from an endpoint detection and response (EDR) product to an extended detection and response (XDR) solution by combining protection for endpoints (Microsoft Defender ATP), email and productivity tools (Office 365 ATP), identity (Azure ATP), and cloud applications (Microsoft Cloud App Security/MCAS). As customers face attacks across endpoints, cloud, applications and identities, MTP looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state.

Microsoft Threat Protection delivers coverage across the entire kill chain, not just the endpoint

To fully execute the end to end attack simulation of APT29, MITRE required participants to turn off all proactive protection and blocking capabilities. For Microsoft Threat Protection, this meant that all the capabilities that would normally block this kind of attack such as automatic remediation flows, application isolation, attack surface reduction, network protection, exploit protection, controlled folder access, and next-gen antivirus prevention were turned off. However, Microsoft Threat Protection audit capabilities for these features enabled recording of a variety of points during the attack when MTP (had it been fully enabled) would have prevented or blocked execution, likely stopping the attack in its tracks.

During this evaluation Microsoft Threat Protection delivered on providing the deep and broad optics, near real time detection through automation, and a complete, end-to-end view of the attack story. Here is how Microsoft Threat Protection stood out:

  • Depth and breadth of optics: Our uniquely integrated operating system, directory, and cloud sensors contributed deep and broad telemetry coverage. AI-driven, cloud-powered models collaborating across domains identified malicious activities and raised alerts on attacker techniques across the entire attack kill chain:
    • Microsoft Defender ATP recorded and alerted on endpoint activities including advanced file-less techniques, privilege escalation, and credential theft and persistence – leveraging deep sensors like AMSI, WMI, and LDAP.
    • Azure ATP watched and detected account compromise at the domain level, and lateral movement, such as pass-the-hash and the more sophisticated pass-the-ticket (Golden Ticket attack).
    • Microsoft Cloud App Security identified exfiltration of data to the cloud (OneDrive).
  • Detection and containment in near real time: Nation state attacks of this magnitude can take place over the course of as little as a few hours, which means that Security Operations Centers (SOCs) often have little to no time to respond. Near-real-time automated detection of advanced techniques is critical to address this challenge. Where possible, active blocking, prevention and automatic containment will make the difference between an attempted versus a successful compromise. MTP’s prevention capabilities along with fast detection and behavioral blocking are designed exactly for this purpose.
  • A complete attack story: Throughout this evaluation, Microsoft Defender ATP, Azure ATP, and Microsoft Cloud App Security, combined with the expertise of Microsoft Threat Experts, generated nearly 80 alerts – for SOC teams, manually following up on each one of these alerts is overwhelming. MTP consolidated the alerts into just two incidents, dramatically simplifying the volume of triage and investigation work needed. This gives the SOC the ability to prioritize and address the incident as a whole and enables a streamlined triage, investigation, and automated response process against the complete attack. With MTP we have built in automation that identifies the complex links between attacker activities and builds correlations across domains that piece together the attack story with all of its related alerts, telemetry, evidence and affected assets into coherent incidents. These comprehensive incidents are then prioritized and escalated to the SOC.
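To make the alert-to-incident consolidation described above concrete, here is an added example (not Microsoft's code and not the MTP correlation logic): a small Python correlator that groups constructed sample alerts from endpoint, identity, email and cloud-app sensors into incidents by the users, devices, mailboxes and apps they share, orders each incident's alerts into an attack story, and ranks the incidents for the SOC. All alert values, entity names and technique mappings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Alert:
    alert_id: str
    ts: int                    # minutes since the first observed activity (constructed)
    domain: str                # "endpoint", "identity", "cloud_app" or "email"
    technique: str             # ATT&CK technique ID the alert maps to
    severity: int              # 1 (low) .. 4 (critical)
    entities: FrozenSet[str]   # "kind:name" labels such as "user:alice"


@dataclass
class Incident:
    incident_id: str
    alerts: List[Alert]        # ordered by time, i.e. the attack story
    domains: Set[str]
    techniques: List[str]
    entities: Set[str]
    severity: int              # highest severity among member alerts


def _ents(*items: str) -> FrozenSet[str]:
    return frozenset(items)


# Constructed sample alerts (hypothetical; not taken from the MITRE evaluation).
# Two unrelated activity clusters: one on user alice spanning three domains,
# one on user bob spanning email and endpoint.
SAMPLE_ALERTS = [
    Alert("ep-001", 0, "endpoint", "T1059.001", 2, _ents("user:alice", "device:ws01")),
    Alert("ep-002", 12, "endpoint", "T1003", 3, _ents("user:alice", "device:ws01")),
    Alert("id-001", 25, "identity", "T1550.002", 4, _ents("user:alice", "device:ws01", "device:srv01")),
    Alert("id-002", 40, "identity", "T1558.001", 4, _ents("user:alice", "device:dc01")),
    Alert("ca-001", 55, "cloud_app", "T1567.002", 3, _ents("user:alice", "app:OneDrive")),
    Alert("em-001", 5, "email", "T1566.001", 2, _ents("mailbox:bob", "user:bob")),
    Alert("ep-003", 9, "endpoint", "T1204.002", 2, _ents("user:bob", "device:ws07")),
]


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Group alerts that share any entity (transitively) into incidents,
    then rank incidents by severity, cross-domain breadth and alert count."""
    # Union-find over alert IDs; two alerts join when they name a common entity.
    parent: Dict[str, str] = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: Dict[str, str] = {}          # entity -> first alert that named it
    for a in alerts:
        for e in a.entities:
            if e in first_seen:
                union(first_seen[e], a.alert_id)
            else:
                first_seen[e] = a.alert_id

    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(find(a.alert_id), []).append(a)

    incidents: List[Incident] = []
    for members in groups.values():
        members.sort(key=lambda a: a.ts)      # chronological attack story
        incidents.append(Incident(
            incident_id="",
            alerts=members,
            domains={a.domain for a in members},
            techniques=[a.technique for a in members],
            entities=set().union(*(a.entities for a in members)),
            severity=max(a.severity for a in members),
        ))

    # Most severe, broadest (most domains) and largest incidents go to the SOC first.
    incidents.sort(key=lambda i: (i.severity, len(i.domains), len(i.alerts)), reverse=True)
    for n, inc in enumerate(incidents, 1):
        inc.incident_id = f"INC-{n:03d}"
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.incident_id} sev={inc.severity} domains={sorted(inc.domains)} "
              f"alerts={len(inc.alerts)} story={' -> '.join(inc.techniques)}")
```

Running the block turns the seven constructed alerts into two incidents, one per activity cluster, which is the same shape of reduction the evaluation text describes.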


Microsoft Threat Experts, our managed threat hunting service, also participated in the evaluation this year. Our security experts watched over the signals collected in real time and generated comprehensive, complementary alerts, which enriched the automated detections with additional details, insights and recommendations for the SOC.

Real world testing is critical

Attackers are using advanced, persistent, and intelligent techniques to penetrate today’s defenses. This method of testing leans heavily into real-world exploitations rather than those found solely in a lab or simulated testing environment. Having been part of the inaugural round of the MITRE ATT&CK evaluation in 2018, Microsoft enthusiastically took on the challenge again, as we believe this to be a great opportunity, alongside listening to customers and investing in research, to continuously drive our security products to excellence and protect our customers.

This year, for the first time, we were happy to answer the community call from MITRE, alongside other security vendors, to contribute unique threat intelligence and research content about APT29, as well as in evolving the evaluation based on the experience and feedback from last year, yielding a very collaborative and productive process.

Thank you to MITRE and our customers and partners for your partnership in helping us deliver more visibility and automated protection, detection, response, and prevention of threats for our customers.

– Moti Gindi, CVP, Microsoft Threat Protection

The post MITRE ATT&CK APT 29 evaluation proves Microsoft Threat Protection provides deeper end to end view of advanced threats appeared first on Microsoft Security.

Defending the power grid against supply chain attacks—Part 2: Securing hardware and software

March 23rd, 2020

Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernize our infrastructure, it’s critical that cybersecurity measures are prioritized.

In the first blog in the “Defending the power grid against cyberattacks” series, I walked through how the accelerated adoption of the Internet of Things (IoT) puts utilities and citizens at risk of attack from nation state actors. In this post, I’ll provide guidance for how utilities manufacturers can better protect the connected devices that are deployed in the energy industry.

Protect identities

If your organization supplies the energy industry, you may be targeted by adversaries who want to disrupt the power supply. One way they will try to access your company resources is by stealing or guessing user credentials with tactics like password spray or phishing. According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of breaches are the result of weak or compromised passwords. Attackers target multiple people at a time, but they only need to succeed once to gain access.

Securing your company starts with safeguarding your identities. At the bare minimum, you should apply multi-factor authentication (MFA) to your administrative accounts. A better option is to require all users to authenticate using MFA. MFA requires that users sign in with more than just a password. The second form of authentication can be a one-time code from a mobile device, biometrics, or a secure FIDO2 key, among other options. MFA reduces your risk significantly because it’s much harder for an attacker to compromise two or more authentication factors.

Figure 1: You can use Conditional Access policies to define when someone is prompted to sign in with MFA.

Secure privileged access

In a supply chain attack, adversaries attack your organization to gain access to data and applications that will allow them to tamper with your product or service before it reaches its intended destination. Bad actors want to infiltrate your build environment or the servers that you use to push software updates. To accomplish this, they often target administrator accounts. Securing your administrative accounts is critical to protect your company resources. Here are a few steps you can take to safeguard these accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

  • Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

Safeguard your build and update environment

Bad actors don’t just target user accounts. They also exploit vulnerabilities in software. Many attacks take advantage of known vulnerabilities for which there are available patches. Keep software and operating systems up-to-date and patched to reduce your risk. Retire any technology that is no longer supported by the publisher and implement mandatory integrity controls to ensure only trusted tools run.

You also need to protect the software that your team writes. A proven and robust Secure Development Lifecycle (SDL) will guide your developers to build software that includes fewer vulnerabilities. Microsoft’s SDL includes 12 practices. For example, Microsoft SDL recommends that security and privacy requirements be defined at the beginning of every project. The guidelines also provide tips for managing the security risk of third-party software, performing threat modeling, and penetration testing, among other recommendations. By building security into the entire software process, the software you release will be more secure and less vulnerable to attack.

Assume breach

My recommendations will reduce your risk, but they won’t eliminate it entirely. To protect your company and customers, you’ll need to adopt an assume breach mindset. It’s not a matter of if you’ll be breached but when. Once you’ve accepted that you can’t prevent all attacks, put processes and tools in place that enable you to detect and respond to an incident as quickly as possible.

Endpoint detection and response solutions, like Microsoft Threat Protection, leverage AI to automate detection and response and correlate threats across domains. When incidents are detected, you will need an appropriate response. The National Institute of Standards and Technology (NIST) provides an incident response guide. You can also learn from Microsoft’s Security Response Center (MSRC), which shared how it developed an incident response plan.

Figure 3: An overview of an incident in Microsoft Threat Protection.

A good communication plan is an important component of a response plan. You will need to let customers know there was an incident and how you plan to address it. As the MSRC notes, “Clear, accurate communication builds confidence in the incident response process, maintains trust with customers, protects your brand, and is essential for fast effective response.”

Centralized IoT device management

In addition to operating a number of generation plants, utilities operate a network of thousands of substations and hundreds of thousands of miles of transmission and distribution lines. This requires them to deploy a large number of IoT devices to safely and efficiently deliver electricity to their customers. To effectively manage this network of IoT devices, suppliers should provide their customers with centralized IoT device management to update firmware, install security updates, and manage accounts and passwords.

Build trust

Protecting critical infrastructure from a destabilizing attack will require collaboration among utilities and suppliers in the industry. Device manufacturers and software publishers have a vital role to play in protecting critical infrastructure. By instituting and maintaining the security practices that I’ve recommended, you can dramatically reduce the risk to your organization and to the power grid.

Stay tuned for the final post in this series, “Part 3: Risk management strategies for the utilities industry,” where I’ll provide recommendations specifically for utilities.


The post Defending the power grid against supply chain attacks—Part 2: Securing hardware and software appeared first on Microsoft Security.

Changing the Monolith—Part 3: What’s your process?

January 30th, 2020

In my 25-year journey, I have led security and privacy programs for corporations and provided professional advisory services for organizations of all types. Often, I encounter teams frantically running around in their own silos, trying to connect the dots and yet unsure if those are the right dots. Connecting the dots becomes exponentially difficult in an environment where everyone is trying to achieve a different goal.

Here are a few tips to create teams unified around a common mission:

1. Define the mission and implement it like any other business plan

First, you must know what you are trying to achieve. Are you protecting trade secrets? Limiting reputation damage? Reducing the chance of unauthorized access to sensitive data? Complying with all local, regional, and national data protection laws? Trying to keep employees safe? Keep patients, passengers, customers, and business partners safe? Is the answer “All the above?” Define an order of risk magnitude.

Focus on what success looks like, identify quick wins, and get the opinions of executive leadership. What do they view as success? Don’t settle for unrealistic answers such as “We want 100 percent security.” Explain what is realistic and offer your approach as a business plan.

2. Define success—be able to articulate what it is and how it can be measured

When you start any endeavor, how do you determine when it is finished? While information security has a lifecycle that never ends, certain foundations must be established to foster a culture of security and privacy. Success could look like reducing risk to trade secrets, reducing the impact of third-party risk, or protecting an organization’s reputation.

However success is defined for your mission, it needs to be measurable. If you can’t summarize success during an elevator pitch, a monthly CEO report, or a board presentation, you haven’t defined it appropriately.

3. Leverage a methodology and make it part of the game plan

Think of the methodology as a game plan. There aren’t enough people, not enough time, and a finite amount of money. Attempting to do everything all at once is a fool’s errand. The moment you know what you’re trying to achieve, it allows you to create a plan of attack. The plan should follow a proven set of steps that move in the right direction.

A popular methodology right now is the Zero Trust model, which has been waiting in the wings for its big debut for over a decade. Zero Trust has made it to the spotlight largely because the conventional perimeter has been deemed a myth. So, what is your approach to achieving security, compliance, and privacy once you have chosen a methodology?


4. Market the plan

One of the main hurdles I constantly witness is that the larger the organization, the more isolated the business units—especially in IT. In many cases, cybersecurity leadership does not engage in regular communication within factions of IT. To name a few, there are application development, user support, database teams, infrastructure, and cloud teams. And almost always outside their purview resides HR, Legal, Finance, Procurement, Corporate Communications, and Physical Security departments.

In a previous role, I found success by borrowing employees from some of these other departments, not only to help build political capital for the cybersecurity team, but also to land the security awareness message with the populace and connect with the aforementioned units within IT and business leadership. To do the same, start by building a plan and defining your message. Repeat the message often enough so it’s recognized, and people are energized to help drive the mission forward.

5. Teamwork in the form of governance

Once “inter-IT” and business relationships are established, governance can commence—that ultimately means creating process and policy. Involve as many stakeholders as possible and document everything you can. Make everyone aware of their role in the mission and hold them accountable.

Take for example a mobile device policy. Whose input should be solicited? At a minimum, you should involve HR, Legal, Finance, the CIO, and the user community. What do they want and need? When everyone agrees and all requirements are negotiated, it’s amazing how quickly a policy is ratified and becomes official.

Cybersecurity, privacy, compliance, and risk management should be managed like any other business; and any business values process. Without process, product doesn’t get manufactured or shipped, patients don’t heal, and the supply chain grinds to a halt. Without process, there can be no consensus on how to protect the organization.

Stay tuned

Stay tuned for the next installment of my series, Changing the Monolith: People, Process, and Technology. In the meantime, check out the first two posts in the series, on people:


The post Changing the Monolith—Part 3: What’s your process? appeared first on Microsoft Security.

Cyber-risk assessments—the solution for companies in the Fourth Industrial Revolution

January 29th, 2020

Technology continues to play a critical role in shaping the global risks landscape for individuals, governments, and businesses. According to the World Economic Forum’s Global Risks Report 2020, cyberattacks are ranked as the second risk of greatest concern for business globally over the next 10 years. Cyberattacks on critical infrastructure—rated the fifth top risk in 2020 by the expert network—have become the new normal across sectors such as energy, healthcare, and transportation. This confirms a pattern recorded in previous years, with cyber risks consolidating their position alongside environmental risks in the high-impact, high-likelihood quadrant of the report’s Global Risks Landscape.

The cyberattack surface (the totality of all information system and internet exposure) is growing at a rapid pace. In parallel, inherently borderless cybercrime is impacting victims around the globe, with the authority of law enforcement often constrained by jurisdiction and the limitations of legal processes serving to request information beyond national borders. Moreover, cybercrime-as-a-service is a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone.

In this context, a cyber-risk assessment is crucial to any organization’s risk management strategy. A cyber-risk assessment provides an informed overview of an organization’s cybersecurity posture and provides data for cybersecurity-related decisions. A well-managed assessment process prevents costly wastes of time, effort, and resources and enables informed decision-making.

Many jurisdictional instruments, including the European Union General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 in the United Kingdom, require risk assessments to be conducted. Any organization with a digital footprint should have an understanding of their cyber preparedness to ensure that the leadership does not underestimate or overlook risks that could cause significant damage.

Cybersecurity-focused

Yet today, cybersecurity awareness is largely insufficient and there is no standard approach among investors and corporate leadership for evaluating the cybersecurity preparedness of their own, or their portfolio of companies. A cybersecurity-focused culture, based on cyber expertise and awareness, is vital to prioritizing cybersecurity in the investment process.

Including cybersecurity risk assessment in the investment and decision-making process is a rather new approach. The World Economic Forum along with leaders and cybersecurity experts in the investment industry have developed a due care standard to guide investor responsibility in terms of cybersecurity. Tailored to investors’ needs and principle-based, it aims to influence behavioral change rather than merely prescribe specific action to be taken.

According to a World Economic Forum report, adequate cybersecurity expertise is foundational and vital to exercising the cyber due care principles. Investors should ensure requisite cybersecurity expertise is available to them and their investment portfolio companies either internally or through external experts. An investor’s attention to cybersecurity should extend well beyond regulatory compliance and legal obligations and include regular briefings on evolving cyber risks.

Expertise should evolve to guarantee optimal efforts to stay abreast of cybersecurity developments. Overall, investors are urged to foster a cybersecurity awareness culture as most businesses, investment targets, and their key assets are either becoming digital or are already in the digital domain.

Principles to follow

Incorporate a cyber-risk tolerance—The investor incorporates cyber-risk tolerance into their portfolio risk methodology similar to other types of risks monitored, such as financial and management risks. This cyber-risk tolerance threshold indicates the investor’s risk appetite and serves as a reference when making investment decisions.

Conduct cyber due diligence—The investor conducts a business-relevant cybersecurity assessment of the target company in terms of people, processes and technology, as part of the due diligence evaluation and weighs the potential cyber risks against the valuation and strategic benefits of investment.

Determine appropriate incentive structure—In the early stage of investment negotiations, the investor clearly defines ongoing cybersecurity expectations, benchmarks, and incentives for portfolio companies within investment mandates and term sheets.

Secure integration and development—The investor develops and follows systematic action plans to securely integrate the investment target according to the nature of the investment. These action plans span the secure integration of people, processes, and technology, as well as define the support that the investor will offer to develop the target’s cybersecurity capabilities. The extent of integration may vary according to the type of investor (financial vs. strategic) and the motivation for the investment.

Regularly review and encourage collaboration—The investor reviews the cybersecurity capabilities of its portfolio companies on a regular basis. These reviews assess adherence to the cybersecurity requirements set out by the investor and serve as a basis for sharing cybersecurity challenges, best practices, and lessons learned across the investor’s portfolio.

Investing in innovation is one way to reduce the likelihood of unexpected disruption, identify “blue oceans” (markets associated with high potential profits), and contribute to achieving desired returns. Whereas entrepreneurs drive innovation and experimentation, investors play an important role in helping them to grow, optimize, and mature their businesses. Helping entrepreneurs to prioritize cybersecurity is one significant way in which investors can increase the likelihood of long-term success and a product’s resilience in the market, thereby strengthening the brand name and consumer trust.

When investing in a technology company, investors need to consider the degree of cyber-risk exposure to understand how to manage and mitigate it. Investors play a critical role in leading their investment portfolio companies towards better security consideration and implementation.

Cyber expertise comprises not only technical know-how but also cybersecurity awareness in governance and investment. The principles and the cybersecurity due diligence assessment framework are designed for investors who want to include cybersecurity among the criteria for their investment consideration and decision. One of the main barriers to prioritizing cybersecurity is the lack of cyber expertise in the market. Yet every investor who understands the importance of cybersecurity in our technological age can ask the right questions to assess and understand a target’s cybersecurity preparedness, and thus play a significant role in securing our shared digital future.

The post Cyber-risk assessments—the solution for companies in the Fourth Industrial Revolution appeared first on Microsoft Security.

Guarding against supply chain attacks—Part 1: The big picture

October 16th, 2019

Every day, somewhere in the world, governments, businesses, educational organizations, and individuals are hacked. Precious data is stolen or held for ransom, and the wheels of “business-as-usual” grind to a halt. These criminal acts are expected to cost more than $2 trillion in 2019, a four-fold increase in just four years. The seeds that bloom into these business disasters are often planted in both hardware and software systems created in various steps of your supply chain, propagated by bad actors and out-of-date business practices.

These compromises in the safety and integrity of your supply chain can threaten the success of your business, no matter the size of your operation. But typically, the longer your supply chain, the higher the risk for attack, because of all the supply sources in play.

In this blog series, “Guarding against supply chain attacks,” we examine various components of the supply chain, the vulnerabilities they present, and how to protect yourself from them.

Defining the problem

Supply chain attacks are not new. The National Institute of Standards and Technology (NIST) has been focused on driving awareness in this space since 2008. And this problem is not going away. In 2017 and 2018, according to Symantec, supply chain attacks rose 78 percent. Mitigating this type of third-party risk has become a major board issue as executives now understand that partner and supplier relationships pose fundamental challenges to businesses of all sizes and verticals.

Moreover, for compliance reasons, third-party risk also continues to be a focus. In New York State, Nebraska, and elsewhere in the U.S., third-party risk has emerged as a significant compliance issue.

Throughout the supply chain, hackers look for weaknesses that they can exploit. Hardware, software, people, processes, vendors—all of it is fair game. At its core, a supply chain attack breaks trust mechanisms, including the trust that businesses naturally have for their suppliers. Hackers hide their bad intentions behind the shield of trust a supplier has built with their customers over time and look for the weakest, most vulnerable place to gain entry, so they can do their worst.

According to NIST, cyber supply chain risks include:

  • Insertion of counterfeits.
  • Unauthorized production of components.
  • Tampering with production parts and processes.
  • Theft of components.
  • Insertion of malicious hardware and software.
  • Poor manufacturing and development practices that compromise quality.

Cyber Supply Chain Risk Management (C-SCRM) identifies what the risks are and where they come from, assesses past damage and ongoing and future risk, and mitigates these risks across the entire lifetime of every system.

This process examines:

  • Product design and development.
  • How parts of the supply chain are distributed and deployed.
  • Where and how they are acquired.
  • How they are maintained.
  • How, at end-of-life, they are destroyed.

The NIST approach to C-SCRM considers how foundational practices and risk are managed across the whole organization.

Examples of past supply chain attacks

The following are examples of sources of recent supply chain attacks:

Hardware component attacks—When you think about it, OEMs are among the most logical places in a supply chain in which an adversary is likely to try to insert vulnerabilities. Moreover, these vulnerabilities can be inserted into the end product via physical access as a physical component is being transported or delivered, during pre-production access in a factory or manufacturing facility, via a technical insertion point, or by other means.

Software component attacks—In 2016, Chinese hackers purportedly attacked TeamViewer software, which was a potential virtual invitation to view and access information on the computers of millions of people all over the world who use this program.

People-perpetrated attacks—People are a common connector between the various steps and entities in any supply chain and are subject to the influence of corrupting forces. Nation-states or other “cause-related” organizations prey on people susceptible to bribery and blackmail. In 2016, the Indian tech giant Wipro had three employees arrested in a suspected security breach of customer records for the U.K. company TalkTalk.

Business processes—Business practices (including services), both upstream and downstream, are also examples of vulnerable sources of infiltration. For example, Monster.com experienced an exposed database when one of its customers did not adequately protect a web server storing resumes, which contain emails and physical addresses, along with other personal information, including immigration records. This and other issues can be avoided if typical business practices such as risk profiling and assessment services are in place and are regularly reviewed to make sure they comply with changing security and privacy requirements. This includes policies for “bring your own” IoT devices, which are another fast-growing vulnerability.

Big picture practical advice

Here’s some practical advice to take into consideration:

Watch out for copycat attacks—If a data heist worked with one corporate victim, it’s likely to work with another. This means once a new weapon is introduced into the supply chain, it is likely to be re-used—in some cases, for years.

To prove the point, here are some of the many examples of cybercrimes in which code, in some cases stolen from legal hackers, is reused and deployed by criminals.

  • The Conficker botnet MS10-067 is over a decade old and is still found on millions of PCs every month.
  • The criminal group known as the Shadow Brokers used the EternalBlue code designed by the U.S. National Security Agency as part of their cybersecurity toolkit. When the code was leaked illegally and sold to North Korea, they used it to execute WannaCry in 2017, which spread to 150 countries and infected over 200,000 computers.
  • Turla, a purportedly Russian group, has been active since 2008, infecting computers in the U.S. and Europe with spyware that establishes a hidden foothold in infected networks and then searches for and steals data.

Crafting a successful cyberattack from scratch is not a simple undertaking. It requires technical know-how, resources to create or acquire new working exploits, and the tradecraft to deliver the exploit, ensure that it operates as intended, and then successfully remove information or data from a target.

It’s much easier to take a successful exploit and simply recycle it—saving development and testing costs, as well as the cost of finding soft targets (e.g., targets lacking the known defenses that may detect it). We advise you to stay in the know about past attacks, as any one of them may come your way. Just ask yourself: Would your company survive a similar attack? If the answer is no—or even maybe—then fix your vulnerabilities or at the very least make sure you have mitigation in place.

Know your supply chain—Like many information and operational technology businesses, you probably depend on a global system of suppliers. But do you know where the various technology components of your business come from? Who makes the hardware you use—and where do the parts to make that hardware come from? Your software? Have you examined how your business practices and those of your suppliers keep you safe from bad actors with a financial interest in undermining the most basic components of your business? Take some time to look at these questions and see how you’d score yourself and your suppliers.

Looking ahead

Hopefully, the above information will encourage (if not convince) you to take a big picture look at who and what your supply chain consists of and make sure that you have defenses in place that will protect you from all the known attacks that play out in cyberspace each day.

In the remainder of the “Guarding against supply chain attacks” series, we’ll drill down into supply chain components to help make you aware of potential vulnerabilities and supply advice to help you protect your company from attack.

Stay tuned for these upcoming posts:

  • Part 2—Explores the risks of hardware attacks.
  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

The post Guarding against supply chain attacks—Part 1: The big picture appeared first on Microsoft Security.

Finding the signal of community in all the noise at Black Hat

August 16th, 2018

I don’t know about you, but I find large conferences overwhelming. Don’t get me wrong, nothing beats the innovative potential of bringing a diverse group of brilliant people together to hash through thorny issues and share insights. But there are so many speakers, booths, and people, it can be a challenge to find the signal in all the noise—did I mention conferences are also really loud?

So last week when I stepped into the first of multiple showrooms at the Mandalay Hotel in Las Vegas for the Black Hat Briefing, I have to admit I felt a little nostalgia for the very first Black Hat Conference. It was 1997 at the old Aladdin Casino in Las Vegas. A casino with a long and colorful history, slated to close a few months after the conference ended. 1997: That was before Facebook and the iPhone, before the cloud. At the time, the RSA Conference was still mostly focused on cryptography, and those of us concerned about security vulnerabilities and how they impacted practitioners day in and day out had few opportunities to just get together and talk. The first Black Hat Briefing was very special. If my memory serves, there were only a couple hundred of us in attendance—compared to thousands today—and through those connections we built a community and an industry.

Building a community was key to creating the information security industry that exists today, and I believe that building community is just as critical now as we face down the new security threats of a cloud-and-edge world, an IoT world. We need the whole defender community—white hat hackers, industry, and government—working together to protect the security of our customers.

The security research community plays a fundamental role in community-based defense

Over the last few years, Microsoft has been expanding and redefining what makes up our security community—one of the many positive evolutions since that first Black Hat. Like most tech companies, we once believed that any hacker outside of the organization posed a risk, but as we’ve gotten to know each other through many years of hard-earned trust and collaboration, we, and the security research community, have learned that our values aren’t so different. Sometimes the only way to make something stronger is to break it. We know we can’t on our own find all the gaps and errors in code that lead to vulnerabilities that criminals exploit to steal money and data. We need great minds both inside and outside our organization. Many of those great minds in the security research community collaborate with us through the Microsoft Security Response Center, and Black Hat was the perfect place to announce the subset of those researchers that made our annual Top 100 Security Researchers List.

Image of the Top 100 sign at the Black Hat Conference.
We really appreciate the ongoing support from the community and encourage new researchers to report vulnerabilities to the Microsoft Security Response Center and participate in the Microsoft Bounty Program.

It takes a community to protect the security of our customers

As much as Microsoft values the relationship we have with researchers, we also attended Black Hat as industry partners. We want to help educate our peers on notable vulnerabilities and exploits, and share knowledge following major security events. As an example, one of our sessions focused on how Spectre and Meltdown are a wake-up call on multiple dimensions: how we engineer, how we partner, how we react when we find new security vulnerabilities, and how we need to become more coordinated. When I think about what was so exciting about that first conference, this is what comes to mind: those moments when we hear what our partners have learned, share what we know, and build on those insights to strengthen our collective response. The tech industry is increasingly interdependent. It’s going to take all of us working together to protect the safety and security of our customers’ devices and data.

Image of the Black Hat Conference in Las Vegas.
But the meeting of the minds at annual security conferences, while important, is not enough. Microsoft also believes that we need a more structured approach to our collaboration. Cybersecurity is not just about threats from hackers and criminal groups; it has increasingly become a situation where we’re facing a cyberweapons arms race with governments attacking users around the world. We know this is a challenge we must pursue with our partners and customers, with a sense of shared responsibility and a focus on constantly making it easier for everyone to benefit from the latest in security advances. Microsoft has been working to help organize the industry in pursuit of this goal.

This past April during the RSA Conference, we came together as initially 34 companies, now 44 companies, and agreed to a new Cybersecurity Tech Accord. In this accord, we all pledge to help protect every customer, regardless of nationality, and will refrain from helping governments attack innocent civilians. It’s a foundation—on which we are building—to take coordinated action and to work with all our partners and many others to strengthen the resilience of the ecosystem for all our customers.

I admit it, I do sometimes miss attending those small, tightly knit conferences of old. But I’m even more inspired about the possibilities that I see as we continue to build on these collaborative models. We’ve seen a lot of progress recently working with our partners and the security research community. If you listen closely, I think you can hear the signal breaking through.

Building on experience: a framework for cybersecurity policy

August 9th, 2018

Each year, more and more governments are developing policies to address security challenges presented by an increasingly digitized world. And to support those efforts, I’m excited today to announce the release of Microsoft’s new Cybersecurity Policy Framework, a resource for policymakers that provides an overview of the building blocks of effective cybersecurity policies and that is aligned with the best practices from around the globe. Nations coming online today, and building their cybersecurity infrastructures, should not—and need not—be burdened with the stumbling blocks that characterized previous generations of cybersecurity policies. Instead, such nations should be empowered to leapfrog outdated challenges and unnecessary hurdles.

For years, Microsoft has worked with policymakers in advanced and emerging economies, and across many social and political contexts, to support the development of policies to address a wide range of cybersecurity challenges. This new publication captures and distills the important lessons learned from those years of experience partnering with governments. And as increasing numbers of countries wrestle with how to best address cybersecurity challenges, the Cybersecurity Policy Framework is an indispensable resource for the policymakers joining this work.

According to the last analysis provided by the United Nations, half of the countries on earth today either have or are developing national cybersecurity strategies. I have little doubt that in the next decade every single outstanding country will add its name to that list. And this trend highlights the importance of this new resource. The policies established today will impact how technologies are used for years to come and how safe or dangerous the online world becomes for all of us. Truly, there is no going back, only forward.

The Cybersecurity Policy Framework is not one-stop shopping for cybersecurity policymakers, but it does serve as an important umbrella document, providing a high-level overview of concepts and priorities that must be top of mind when developing an effective and resilient cybersecurity policy environment.

Specifically, this new resource outlines:

  • National strategies for cybersecurity.
  • How to establish a national cyber agency.
  • How to develop and update cybercrime laws.
  • How to develop and update critical infrastructure protections.
  • International strategies for cybersecurity.

We at Microsoft have been at this work for a long time and have developed a wide variety of resources to help those who are working to position their industries and nations to capitalize on the benefits of new technologies—so many that they can often be difficult to find! And this highlights another strength of the Cybersecurity Policy Framework: while it is not one-stop shopping, each section does provide an overview of a critical policy topic as well as links to the associated and more in-depth resources my team has developed over the years to assist policymakers. In this way, this new resource serves not only as essential, high-level guidance, but also as a key to a broader catalogue of resources built on years of experience partnering with governments around the world.

Reading through this new resource, I am proud of the work we have done in pursuit of a safer online world. Important progress has been made, and these foundational principles underscore much of today’s cybersecurity discourse. However, we have—and will always have—more work to do as a result of the changes and innovations in technology always on the horizon, and their implications for cybersecurity. I’m glad to put this resource forward today to support a new generation of policymakers and also look forward to partnering with them to tackle the new challenges we will face together tomorrow.

Download your copy of the Cybersecurity Policy Framework today.

Artificial intelligence and cybersecurity: The future is here

November 14th, 2016

Although we’re a very long way from putting artificial intelligence (AI) in charge of national defense, the use of AI in cybersecurity isn’t science fiction. The ability of machines to rapidly analyze and respond to the unprecedented quantities of data is becoming indispensable as cyberattacks’ frequency, scale and sophistication all continue to increase.

The research being done today shows that automated cybersecurity systems can do many things with only limited human oversight. Through neural networks, heuristics, data science, etc., systems are being designed to identify cyberattacks, to spot and remove malware, and to find ways to fix bugs faster than any human could. In some respects, this work is simply an extension of the principles that people have gotten used to in their mail filters or firewalls. That being said, there is something qualitatively different about AI’s “end game”, i.e. having cybersecurity decisions taken by technology without human intermediation.

This novelty brings with it entirely new challenges. For example, what would legal frameworks around such cybersecurity look like? How would we regulate their creation and their use? What would we in fact regulate? There has already been some insightful writing and research done on this (see Potential AI Regulatory Problems and Regulating AI systems, for example), but for policy-makers the fundamental challenge of defining what an AI is and what it is not remains. Without such fundamentals, even outcomes-oriented approaches could fall short, as there is no certainty about when they must be used.

“If our brains were simple enough for us to understand them, we’d be so simple that we couldn’t.” (Ian Stewart, The Collapse of Chaos: Discovering Simplicity in a Complex World)

In fact, AI technologies will be complex. Many government policymakers may struggle to understand them and how to best oversee their integration and evolution in government, society and key economic sectors. This is further complicated by the chance that the creation of AI might be a globally distributed effort, operating across jurisdictions with potentially distinct approaches to regulation. Smart cars, digital assistants, and algorithmic trading on financial markets are already pushing us towards AI. How could we improve the understanding of the technology, transparency about its decision making, integrity of its development and ethics, and the actual control of the technology in practical terms?

But it is also critical to understand the role AI can and will play in cybersecurity and resilience. The technology is initially likely to be “white hat” enabling critical infrastructures to protect themselves and the essential services they provide to the economy, society and public safety in new and novel ways. AI may enable systems to anticipate and rapidly mitigate security incidents or advanced persistent threats. But, as we have seen in cybersecurity, we will likely see criminal organizations or nation states seek to exploit AI to evade cybersecurity defenses or even attack. This means that reaching consensus on cybersecurity norms becomes more important and urgent. The work on cybersecurity norms will need more public and private sector cooperation globally.

In conclusion, it is worth noting that despite the challenges posed by AI in cybersecurity, there are also interesting and positive implications for the balance between cybersecurity and cyber-resilience. If cybersecurity teams can rely on smart systems to play defense, their focus can turn to preparing to handle a successful attack’s consequences. The ability to reinvent processes, to adapt to “black swan” events and to respond to developments that violate the fundamental assumptions on which an AI is built, should remain distinctly human for some time to come.

Cybersecurity and cyber-resilience – Equally important but different

November 3rd, 2016

The October Mirai-based IoT attack demonstrated an important and often neglected consequence of technology’s expansion into every aspect of our daily lives, as well as into the systems that underpin our economies and societies. We have never been as exposed to cyberattacks, and because of technology’s pervasiveness in our lives the possible consequences of attacks, such as the one that occurred last month, are going to be more widespread and troublesome than in the past.

The particulars of the attack, from its scale to the use of everyday devices such as webcams, are interesting and worrying in themselves (see here and here for excellent pieces), but they also raise a key question. Security professionals have long accepted that no interconnected system will ever be 100% secure, and that there will soon come a time when even the fundamental underpinnings of the Internet itself could be put at genuine risk of failure due to cyberattacks. If this is the case, should the resources we put into preventing successful cyberattacks be matched by our preparations for handling a successful attack’s consequences? In other words, shouldn’t cyber-resilience be treated on a par with cybersecurity?

From a policy-making perspective, one challenge in answering this question is that there is no global definition of cyber-resilience, and therefore only limited agreement on how to achieve it. Even if we can sidestep this theoretical hurdle and consider how we could design our systems (social, commercial, political) so that they would be able to continue to operate at some level in the face of “black-swan” violations of those systems’ fundamental assumptions, we are not much closer to a solution. Suggesting we plan for even a brief period where, for example, there is simply no electricity may seem like planning for the sun not rising one morning. The reality is, however, that cyberattacks are not zero-sum games where a breach means unavoidable system failure. With complex technologies there will be as many ways of working around an attack as there are ways of carrying it out. Investing in cyber-resilience will make this practicable.

How could that be achieved? I believe it will be critical that we focus on readiness, responsiveness and being able to reinvent our systems and processes over the course of a cyberattack. Readiness is a long-term function, underpinned by assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions. Responsiveness is the detection, identification and alleviation of a cyberattack as it happens, keeping systems functioning in the process of doing so. Reinvention will lead off from the response, and should seek to adapt to what might be either a period of extended stress or a short, sharp shock, finding new ways to protect systems and deliver services that have been disrupted.

The structures and processes necessary for this kind of cyber-resilience are distinct from those that go into cybersecurity, although there are some shared technical skills and processes. For any organization realistically comparing its cybersecurity needs with its cyber-resilience needs, however, the differences between the two are clear. Specifically, resilience requires there to be a focus on culture, as much as there is on technology. Organizational leadership needs to set forward-looking, outcome-oriented goals with clear accountability, and to foster planning at all levels. Creativity in managerial, operational, and technological approaches is also essential, encouraging teams facing the consequences of a cyberattack to take risks, fail fast, learn faster, and maintain a can-do attitude in the face of adversity. Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long-term.

In conclusion, cybersecurity and cyber-resilience should be recognized as two distinct, but complementary disciplines. These disciplines grow more crucial with the rapid evolution and increasing ubiquity of technology in our modern society. For now, cybersecurity gets more headlines than resilience amongst political and business leaders, but one without the other will never be enough to secure our societies and economies or sufficient to withstand the chronic stresses and acute shocks.

FedRAMP High: Trust is cloud security validated

The latest Government Office of Accountability report dealing with the security of high impact information technology (IT) systems continues to point out opportunities for improvement in cybersecurity across the US Federal Government. While improvements have been made, the persistence of the challenge is disquieting. Particularly troubling is that many of the concerns result from long-standing and well-known inefficiencies in the government’s current IT environment, such as low asset utilization, fragmentation, legacy systems, and challenging procurement processes. Cloud computing can help address many of those, and at the same time improve government service delivery – at a lower cost – ultimately providing agencies with the ability to deliver secure, reliable, and innovative services quickly despite resource constraints.

When the Obama Administration issued its Cloud First Policy five years ago, with a clear aim of encouraging the Federal Government to harness the benefits of cloud computing, one question remained for many agencies: Given the level of security required, would my data be secure? The Cloud First policy accelerated the rate at which government could realize the value of cloud computing by – among other things – requiring government agencies to evaluate the security of cloud computing options before making new investments. This single action not only required government agencies to familiarize themselves with cloud computing during each new acquisition, but also incentivized vendors to drive further investments in security.

To streamline this process, the Federal Risk and Authorization Management Program, or FedRAMP, was developed. It represents a government-wide, standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP was designed with the objective of saving 30-40 percent of government IT costs, in addition to reducing the amount of agency time and staff needed to conduct redundant security assessments. However, up until last month, Federal agencies could only migrate low and moderate impact workloads to the cloud – not mission critical, high impact systems – as no vendors had been certified to provide those services.

These high impact data systems tend to sit in agencies that deal with security and where information, if disclosed, modified, or denied access to, could have severe and even catastrophic effects on organizational operations and assets. While high impact systems only constitute 20 percent of all federal systems, they represent nearly 50 percent of government spending dollars – much of it owing to the additional security concerns noted above. The finalization of the FedRAMP High Security Baseline at the end of June, a draft set of security controls at the High/High/High categorization level for confidentiality, integrity, and availability, is therefore even more significant. It not only signals an important milestone in cloud security; it is also estimated that it will drive significant cost savings from the U.S. government’s annual $80 billion IT budget.

Microsoft was selected as one of the vendors that took part in the FedRAMP High Pilot earlier this year. The pilot sought to deepen the understanding of the objectives and the process for both the government and Cloud Service Providers, increase the level of rigor, shorten timeframes, as well as broaden the scope of control applicability. The success of the pilot contributed significantly to the development and refinement of the FedRAMP High Security Baseline and we are happy to report that we successfully received a High Impact Provisional Authority to Operate (P-ATO) approval for the Azure Government environment.

In addition to our work on FedRAMP with the US government, we are engaged with governments and customers around the world to ensure that they can adopt cloud computing securely and effectively. As a result of our global engagements, and reflecting different cultural and organizational experiences, Microsoft developed the Transforming Government: A cloud assurance program guide. It was designed to help governments as they develop and implement cloud assurance programs – reflecting best practices, but also lessons learnt from initiatives such as FedRAMP. We understand that the primary goal of any government cloud assurance program needs to be managing information security risks, while at the same time enabling that government to take advantage of the many benefits and opportunities of cloud services. Achieving that goal requires risk-based decision making at every step of a government’s process of developing and implementing a cloud assurance program. While developing such a process represents a substantial foundational investment, experience shows that it pays significant dividends over time, as it enables governments to leverage secure cloud solutions to deliver and extend citizen services.

Angela McKay
Director of Cybersecurity Policy

Microsoft’s Perspective on the Benefits, Challenges, and Potential Roles for Government in Fostering the Advancement of the Internet of Things (IoT)

June 15th, 2016

Microsoft recently filed comments with the U.S. Department of Commerce and the National Telecommunications and Information Administration (NTIA) on the benefits, challenges, and potential roles for the government in fostering the advancement of IoT, which can be read here. In addition to commending NTIA for undertaking this timely public consultation and for providing comments received for public review, I wanted to summarize Microsoft’s policy perspectives and recommendations.

Microsoft’s comments encourage policymakers to more broadly support efforts that will advance consumer and enterprise trust in IoT technology and help IoT realize its full potential. The government should encourage initiatives that recognize and emphasize the following:

  • Best practices for IoT cybersecurity that are appropriately scoped to the roles of different actors in the IoT ecosystem.
  • Modernization of traditional privacy frameworks, such as the “notice and consent” framework to increase the focus on transparency, context, and consumer expectations for scenarios where notice and consent are impractical.
  • Support for industry-led efforts to develop open, voluntary, consensus-based, and globally-relevant standards that promote innovation and preserve interoperability, to ensure new IoT systems and legacy technology systems can work together.
  • International engagement that takes into account other countries’ IoT strategies and initiatives as well as international trade commitments.

To put these policy priorities into action, Microsoft offers three recommendations for the government:

  • Create an IoT interagency task force. This task force can coordinate with existing organizational bodies to foster balanced perspectives between security, economic benefits, and potential risks. Participants from across government agencies would set milestones for completion, particularly focusing on: 1) directing the update of federal strategic documents to consider the security aspects of the explosive growth of and reliance on IoT; 2) directing the update of existing awareness and training programs; 3) encouraging and incentivizing academia to develop curricula focused on IoT and security challenges; and 4) encouraging engagement in appropriate international forums for standards and policy development.
  • Convene and facilitate a government and industry standing body. Through a public-private standing body, key stakeholders can coordinate, collaborate and leverage the various industry IoT consortia to develop, update, and maintain IoT deployment guidelines to manage cybersecurity implications and risks. This body would adopt an international perspective that takes into account the significant work on IoT-related standards outside of traditional channels in standards development organizations.
  • Review current research and development (R&D) investments and recommend future R&D funding for fundamental IoT security and cyber-physical security research. The Office of Science and Technology Policy should review R&D funding and investments, specifically for fundamental IoT and cyber-physical security research and help ensure the R&D projects are addressing evolving cybersecurity challenges.

Governments have an important role in ensuring that IoT innovations continue. Microsoft looks forward to continuing to work with NTIA to address the benefits and challenges of IoT in the future. For more details on Microsoft’s approach to IoT security, please download our recent white paper, Securing Your Internet of Things from the Ground Up, and visit www.InternetofYourThings.com if you would like to learn more about Microsoft’s role in the IoT ecosystem.

Categories: Cybersecurity Policy

Survival of the most (cyber) resilient

June 6th, 2016 No comments

By 2045, more than 70% of the world’s population will live in urban areas, giving cities a level of power and importance unrivaled in all of human history. But their leaders must also face new challenges that once were solely the domain of the nation state, including unemployment and gentrification, climate change, terrorism, and the impact of rapid digitization.

Because cities wish to thrive, rather than merely survive, many are turning to technology for help. “Smart cities”, which make use of the Internet of Things, big data and cloud computing, are an increasing reality. This can pave the way for more prosperous, sustainable and competitive urban communities, but it also brings its challenges. The more data available to help cities, the higher their potential exposure. The digital systems which underpin a city’s inner workings and service provision can be vulnerable. And the digitization of systems such as energy and transport networks increases potential risks to the most critical infrastructure.

In order to make the most of the transformative potential of technology without compromising security, cities are becoming increasingly innovative in how they manage such risks. A new discipline, known as “cyber resilience”, is emerging, with organizations shifting from a prevention-first mentality to focus instead on capabilities for readiness, response and reinvention.

Rotterdam, the Netherlands’ second-largest city, is a case in point for what successful reinvention looks like. “Rotterdammers”, as the city’s 630,000 residents are known, have faced more than a few challenges in their time: from the near-constant threat of flooding (now kept at bay by a complex system of dykes and levees), to the total destruction of the city center during World War II. But resilience is in Rotterdam’s blood – the municipal motto is “stronger through struggle” after all – and it has grown into a thriving economic and industrial hub.

In 2013, the city’s determination to prepare for the future led it to be chosen as one of the Rockefeller Foundation’s inaugural 100 Resilient Cities. This initiative aims to help cities across the globe “become more resilient to the physical, social and economic challenges that are a growing part of the 21st century.” In practice, this means giving cities the tools, resources and networks they need to adequately prepare for, and reduce the impact of, one-off shocks such as natural disasters, or daily stresses which make the city a less pleasant place to live.

The ability to bounce back from failure is as critical in cyberspace as in any other domain – if not more. That is why Rotterdam earlier this month launched a resilience strategy which includes a specific focus on cyber – making it the first European city to ever do so.

As a key economic engine of the Netherlands and Europe, Rotterdam is a large industrial complex in a relatively small area, with large-scale infrastructure and thousands of companies which are all increasingly dependent on properly functioning ICT to sustain jobs and maintain growth.

As a formal partner of 100 Resilient Cities for 18 months, Microsoft has worked closely with Rotterdam on the creation of this strategy, whose aim is to create a thriving, prosperous and cyber-resilient port city where the opportunities of digitization can be leveraged with minimal risk, and where businesses can innovate and grow for generations to come.

The world will continue to urbanize and digitize at a dramatic pace. Cities that adapt and innovate in the face of these constant changes will reap significant benefits for their citizens, economies, and security. But such success will not be easy. It requires commitment from both the public and private sector to develop and implement long-term cyber resilience strategies. These plans must be living documents with broad support from residents. The Rotterdam strategy helps to show that the difference between surviving and thriving in the face of 21st century challenges is cyber resilience.

Categories: cybersecurity, Cybersecurity Policy

Cyber Resilience: rethinking risk management

May 9th, 2016 No comments

The rapid pace of technological evolution and dramatic increases in connectivity are sparking discussion about what systemic cyber risks might look like and how best to manage them. In late April, Microsoft partnered with the World Economic Forum Council on Risk and Resilience on a workshop addressing the topics of systemic cyber risk and possible approaches to avert the dangers it poses. The interactive workshop focused on the financial services, transportation and healthcare sectors, given their importance to national economies, national security, the well-being of citizens and the potential impact of any systemic disruption. The event was the first step in developing a World Economic Forum report on the topic and examined the challenges of building resilience in today’s rapidly evolving technology and threat environments.

Diagnosing the problem

In order to continue to improve resilience to systemic cybersecurity risks, we have to develop a more thorough understanding of what systemic risk really means and the role it plays in some of the most important sectors of the economy. I was fortunate to moderate our initial panel discussion, which was dedicated entirely to exploring the definitions of systemic risk and possible approaches to increasing the resilience of online ecosystems in light of those definitions. Panelists examined key vulnerabilities, identified single points of failure, and sought to understand the potential systemic consequences inherent in today’s risk environment. Perhaps Phil Reitinger captured it best: this might be one of the “you know it when you see it” categories. Ultimately, although systemic risk is inherently difficult to describe, there was widespread agreement that without a stronger definition, the term loses all meaning and importance. While a simple way to think about systemic risk is as a cyber risk that rises above the enterprise level, we have to go deeper.

One way to do this is by refining the key characteristics we can agree help define systemic risk, including critical functions, interconnectedness, and contagion. We first must align on what is meant by systemic risk and the threat at hand if we are to work cooperatively on what investments will be needed by enterprises and infrastructures to ensure greater cyber resilience.

Building better cyber resilience

As we improve our understanding of systemic cyber risk, the next challenge is taking this knowledge to build better cyber resilience. While this is a complex and long-term challenge, the first step is understanding that there will be no simple technological fix. Solving this issue will require proactive efforts and the adaptability to quickly learn from mistakes. Moreover, harmonization of approaches – across geographies and infrastructures – will be critical in increasing resilience. Those were the issues raised in the second panel moderated by my colleague, Angela McKay.

Here participants discussed two steps: incentivizing collaboration between those facing or defending against cyberattacks, and improving metrics for cyber resilience. To make meaningful progress, partnerships between the private and public sectors, including at state and local levels, are essential. While those perpetrating cyberattacks frequently collaborate actively and have strong, shared incentives, that is not always the case with the defenders. The panel explored measures that could help entities of all types and sizes refine their enterprise risk management strategies and identify targeted areas for key investment. It was acknowledged that metrics that can succinctly and effectively evaluate organizations’ resiliency to systemic cyber risk will go a long way in helping industry leaders and policymakers develop more rigorous cybersecurity defenses. The conversation ended with a debate on incentives, in particular around how cultural and organizational change – rather than just technological change – can be driven, and highlighted challenges related to human resources, cyber-insurance, and ratings.

The future of cyber resilience

We are just beginning to understand what should constitute effective resilience strategies. As we explored during the workshop, we have a tremendous opportunity and responsibility to work together on this topic. This is an issue that can’t be fixed by just one company or government, but instead will require focused effort from all parties affected. The workshop was a tremendous opportunity to start this work, as it will take critical investment by enterprises and governments to begin to increase our collective cyber resilience. Microsoft was pleased to work with the World Economic Forum Council to bring key experts together, hear their perspectives, and help champion these efforts moving forward.

Categories: cybersecurity, Cybersecurity Policy

Global cybersecurity policy: Finding a balance between security and competitiveness

May 2nd, 2016 No comments

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations, and the global cybersecurity market is forecast to be worth US$170 billion by 2020, growing in step with significant advancements in cloud computing, the Internet of Things (IoT), and other technologies that are changing the way we communicate and work. The IoT security market itself is expected to grow from US$6.89 billion in 2015 to US$29 billion in 2020. Other high-growth areas include security analytics, mobile security and cloud security.

The same concerns are also driving government decision makers to develop responses that seek to ensure that key assets, systems and networks remain protected in this new environment. Today more than half of the nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security. These efforts are beginning to solidify into security requirements for a range of businesses, from information technology (IT) providers to critical infrastructures and users of cloud services.

United States: Securing the government

In the United States the focus on cybersecurity has never been greater, in particular if we single out the work done at the federal government level after the breach at the Office of Personnel Management (OPM). In early 2016, President Obama announced the Cybersecurity Action Plan, which aims to raise the levels of cybersecurity across the nation, but particularly for its high-risk assets. With it, the President is driving a new policy and operational focus, for example by the appointment of a Federal Chief Information Security Officer, and by requesting an additional US$3.1 billion from Congress for the “Information Technology Modernization Fund”.

In parallel, the White House continues to drive policy efforts that seek to enhance the levels of cybersecurity across the country. One of the focus areas continues to be increasing the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, both domestically and internationally. Another is the implementation of the Cybersecurity Act of 2015, which was signed into law in late December. The Act provides a paradigm for one of the essential elements of cybersecurity: the sharing of information on cybersecurity threats and defensive measures among private sector entities and between the private sector and the government.

Japan: Preparation for taking the world stage

Japan is poised to take exciting steps towards improving cybersecurity in 2016. A key wakeup call was the May Japan Pension Service hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, Japan is readying itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics; these global events will allow the country to demonstrate its technology prowess and its commitment to cybersecurity. In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. Furthermore, the government is preparing to revise its Cybersecurity Law, as well as implement concrete action to protect its critical infrastructures, for example by examining structured information sharing.

China: Focusing on the rule of law

China has over the past two years proposed and passed a number of laws that touch on cybersecurity, including the National Security Law, the Anti-Terrorism Law, as well as the Amendment to its Criminal Code, which exposes network service providers that fail to comply with certain cybersecurity obligations to criminal liability. The speed with which the laws are being adopted signals the importance the government places on this area.

The speed has also led to concerns expressed by numerous multinational companies, as well as governments, who have been urging the Chinese government to reconsider some of the positions it has been taking. The draft Cybersecurity Law, which amongst other things includes provisions requiring companies to store data locally and to provide encryption keys, and which incorporates an overarching structure for cybersecurity management in the country, was one such example. The latest step in the government push came last month, with the founding of China’s first national non-profit organization for cybersecurity, the Cybersecurity Association of China. It has 275 founding members, including major domestic Internet firms, cybersecurity companies, and scientific research institutions.

Europe: Protecting critical infrastructures

After three years of intense negotiations, the European Union (EU) reached an agreement on the Network and Information Security (NIS) Directive this past December. While some of the details remain to be hammered out, the Directive focuses government efforts on creating cybersecurity capabilities and policies, through the obligation that each of the countries affected create Computer Security Incident Response Teams and national cybersecurity strategies. In following a risk-based approach, it further concentrates government resources on protecting critical infrastructures. The question of how widely or narrowly the 28 EU Member States will interpret that definition will be revealed over the next two years.

The obligations that are being introduced are nevertheless important for a wide range of enterprises which fall under that definition, including a broad number of digital service providers. While that scope was retained in the Directive, it also recognizes the transnational nature of the online environment, as well as the need for greater harmonization of security requirements overall. An additional layer of complexity is the different sectoral requirements that could be developed for the different elements of essential services (e.g. the transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.

In the coming months, my team will use this blog to examine these and other policies around the world more closely. It is already clear that 2016 could be the year that shifts cybersecurity from a topic of conceptual debate to a more concrete set of practices, obligations and requirements, in particular for enterprises in the critical infrastructure sectors or those providing services to governments. Whether the different countries will be able to ensure that these policies are successful in increasing security for the broader ecosystem hinges on whether the requirements put in place will be complementary, able to align with existing laws, and able to adapt to new technologies, such as IoT. Watch this space.

Categories: cybersecurity, Cybersecurity Policy

A call to raise awareness and adoption of vulnerability disclosure and handling best practices

April 25th, 2016 No comments

Over the past few years, technology companies have increasingly moved toward partnering with security researchers to better protect their products, services, and customers. Recognizing that vulnerability research is a valuable part of securing the online environment, they have matured programs to work together with researchers in receiving, triaging, and responding to reports.

Microsoft’s focus on coordinating with researchers has developed over time. When we launched our first BlueHat Briefing in 2005, there was a significant level of distrust on both sides, and we listened to the security community as we evolved our approach. In 2011, we announced a new Coordinated Vulnerability Disclosure (CVD) policy and set of practices, aiming to be transparent and encouraging vulnerability finders to work with us. Since then, we have expanded our BlueHat prizes and bug bounty programs, further incentivizing researchers to work with us as we continue to strengthen our platforms.

Many companies are increasingly becoming software companies. In cars, elevators, wearable devices, and many other products and services, the practice of incorporating software components is growing exponentially. All of these devices and programs can suffer from vulnerabilities that are exploited by criminals. Moreover, unfortunately, for various reasons, including lack of resources, expertise, or understanding of vulnerability research, not all of these companies partner with the security researchers who find and report potential vulnerabilities.

To address this gap and promote greater collaboration, Microsoft is working with the U.S. Department of Commerce National Telecommunications & Information Administration (NTIA) and numerous other stakeholders, including security researchers, technology providers, and civil society. In particular, we are co-chairing an NTIA working group that’s focused on increasing awareness and adoption of vulnerability disclosure and handling best practices. The group aims to highlight the overlapping interests of technology providers and security researchers and to develop resources that can support new partners in coordination and ecosystem security.

To guide our working group toward developing the most responsive and helpful resources, we’re seeking information about how vulnerability disclosure and handling is currently being approached. While we already have an appreciation of where concerns and obstacles might lie, we want to ensure that we are addressing the real needs and gaps that are being experienced in the ecosystem. To this end, we have developed short surveys, targeting both security researchers and technology providers and operators, and we encourage you to share and respond to them. Responses will be anonymized, and the surveys will close in mid-May.

The security researcher survey is available here:

https://www.surveymonkey.com/r/securityresearcher

The technology provider and operator survey is available here:

https://www.surveymonkey.com/r/techprovider

Ultimately, all stakeholders within and impacted by the vulnerability information sharing ecosystem—including security researchers, technology providers, technology operators, non-profit coordinators, bug bounty providers, governments, and users—have responsibilities to keep users safe. With your participation in this NTIA working group survey and broader engagement on this issue, we can learn more about how the ecosystem is maturing and what more we can do to support its advancement.

Categories: cybersecurity, Cybersecurity Policy

Working to increase the cyber resilience of cities around the globe

February 11th, 2016 No comments

A year ago, Microsoft and the Rockefeller Foundation announced that we would be partnering on their 100 Resilient Cities challenge, in an effort to help cities address emerging cyber resilience needs. Our particular objective for joining the effort has been to help cities improve their digital resilience, and ensure that they are better able to withstand and recover from the shocks and stresses that are a growing part of life in the 21st century.

Not a day goes by that we do not read about an organization being targeted by a cyberattack. Any organization or individual, of any size or global standing, is susceptible to a cyberattack. While businesses, governments and individuals are rushing to take advantage of rapidly developing technologies to deliver a wide array of social and economic benefits, digitalization itself introduces a new range of risks. As a result, we have seen cybersecurity grow beyond being just the responsibility of an IT department to being acknowledged as a company- or government-wide issue that carries far-reaching consequences. Moreover, a new discipline – cyber resilience – has begun to emerge, as organizations slowly begin to make a shift from prevention to resilience, focusing on continuous assessment, preparation for, and response to cyber incidents. The realization that those who survive are not necessarily the strongest or the smartest, but those that can best adapt to new circumstances, applies equally well in cyberspace.

While there is no internationally accepted definition of “cyber resilience”, there is a growing consensus that cyber resilience can be defined as the ability of complex cyber systems to continuously deliver the intended outcome despite chronic stressors and acute shocks. Resilient cyber systems also exhibit common resilience attributes: they are (1) aware, (2) diverse, (3) integrated, (4) self-regulating, and (5) adaptive. Additionally, cyber resilience can best be understood, and to some degree assessed, by understanding capacities and capabilities for readiness, response, and reinvention. Given those attributes it is clear that cyber resilience is not something that an organization – or in this case a city – can purchase from a vendor. It is built through leadership, teamwork, risk taking, trust, flexibility, and commitment to advance and continually reinvent the digital city.

Since the inception of our partnership, my team has worked with individual cities to help them go beyond focusing on developing “safe to fail” approaches, to understanding the distributed set of capabilities and capacities that they require to be truly resilient – something almost impossible to measure or identify from a strictly quantitative perspective.

Through this ongoing work, there is a great opportunity to work with cities across the globe and change the thinking about cyber resilience to be about more than graceful degradation and instead encompass the ability to withstand diminished capacity/capability and to reinvent in the face of prolonged stressors or acute shocks.

Categories: cybersecurity, Cybersecurity Policy