GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Kevin Beaumont (gossithedog@cyberplace.social) on Wednesday, 03-Apr-2024 07:22:48 JST

    Absolutely blistering independent review into Microsoft 365 breach early last year is due this week from Cyber Safety Review Board, highlights huge problems with Microsoft’s security.

    I did not participate.

    Contains something I didn’t know - last month, Microsoft quietly corrected a blog to say they never found the crash dump with the certificate, so do not know how China got it. They did not store it in an HSM.

    References earlier breach they hadn’t disclosed.

    https://wapo.st/4cJpKtW


    Attachments

    1. Microsoft faulted for ‘cascade’ of failures in Chinese hack (www.washingtonpost.com)
       The independent Cyber Safety Review Board’s forthcoming report knocks the tech giant for shoddy cybersecurity, lax corporate culture and a deliberate lack of transparency.
    • Kevin Beaumont (gossithedog@cyberplace.social) on Wednesday, 03-Apr-2024 07:41:40 JST

      Report into MS breach is out: https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

      I had a tweet in 2021 saying MSTIC should not use the Nation State Notification process to hide breaches from the public.

      That was a reference to the Affirmed Networks breach - aka Azure for Operators - listed in this report. They hid it.

      The website for Azure for Operators at the time had Satya’s face on it... that breach, which they refused to share details about, apparently led to this one.

    • Kevin Beaumont (gossithedog@cyberplace.social) on Wednesday, 03-Apr-2024 08:13:46 JST

      I’ll save full thoughts for later as I need to digest the report, but I will say to Microsoft’s credit, I’ve heard they got the memo on security and plan a range of things including org and governance changes.

      IMHO MS need a properly centralised security op model, like you see at... well... every other org. And then robust control implementation, led by risk, blanketed everywhere.

      Security should be treated like safety - if you endanger customers, you’re on the naughty step.

    • Kevin Beaumont (gossithedog@cyberplace.social) on Wednesday, 03-Apr-2024 17:46:28 JST, in reply to Adrian Cockcroft and Steve Syfuhs

      @SteveSyfuhs @adrianco for the record I agree here. At Charlie’s level, he needs to look at strategy - which takes years to turn around. Rightly so. All the signs are he’s doing a great job I think, because wheels are starting to turn.

      Also some cultural change, eg ‘bring out your dead… before attackers do’. There’s lots of very smart people at MS who know about all these problems individually, but organisationally they haven’t been incentivised to say it and fix it IMHO.

    • Steve Syfuhs (stevesyfuhs@hachyderm.io) on Wednesday, 03-Apr-2024 17:46:29 JST, in reply to Adrian Cockcroft

      @adrianco @GossiTheDog to poorly mix analogies, one does not simply turn a $3T cargo ship on a dime. We *do* have incredibly strong security programs throughout the company, but clearly there are gaps that Kev is rightfully skewering us on. The trick is not to fill in those gaps bit by bit, but to build out the program so future gaps fill themselves. Takes time. Lots of it isn't publicly visible.

    • Adrian Cockcroft (adrianco@mastodon.social) on Wednesday, 03-Apr-2024 17:46:30 JST

      @GossiTheDog I thought that when Charlie Bell went to Microsoft he was going to try to fix their security architecture amongst other things… EVP Security? He ran a tight ship at AWS. Wonder what happened? https://www.linkedin.com/in/charlie--bell

    • Kevin Beaumont (gossithedog@cyberplace.social) on Wednesday, 03-Apr-2024 22:46:19 JST

      Digging through my old tweets - this one was after finding out Affirmed Networks aka Azure for Operators had been breached in 2022 by STORM-0558 (China).

      You will not know about the breach, as it isn't recorded anywhere online other than this tweet. From what I can gather they also failed to tell the US Government about it.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/207/569/379/915/740/original/9efef9b7000d83b6.png
    • Kevin Beaumont (gossithedog@cyberplace.social) on Thursday, 04-Apr-2024 03:29:35 JST

      Mindblowing to me that Microsoft had to be repeatedly reminded by essentially the US Government for 6 months to update their own blog to include important information about a security breach... and then nobody even realised they had quietly updated the blog until CSRB pointed it out. Did nobody think through the optics?

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/208/688/901/304/365/original/b1c6243e5d2b3b02.png
    • Kevin Beaumont (gossithedog@cyberplace.social) on Thursday, 04-Apr-2024 03:30:46 JST

      Also:

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/208/704/808/173/465/original/1fa376cfaa177802.png

      2. https://cyberplace.social/system/media_attachments/files/112/208/706/412/085/250/original/f2cfa2728867b315.png
    • Steve Syfuhs (stevesyfuhs@hachyderm.io) on Thursday, 04-Apr-2024 03:40:00 JST, in reply to Adrian Cockcroft

      @adrianco @GossiTheDog there's some cherrypicking in that statement. HSMs are already used throughout the environments in most places requiring key storage. Clearly one was not used here and that's a big problem.

    • Adrian Cockcroft (adrianco@mastodon.social) on Thursday, 04-Apr-2024 03:40:01 JST, in reply to Steve Syfuhs

      @GossiTheDog @SteveSyfuhs The report clearly says that AWS, GCP and Oracle cloud all have far better practices like automated key exchange and reduced key scope and use of HSMs, and I know that AWS has had these for many years. I’d expect the competition to use this to win a bunch of cloud deals from Azure. If I was a CIO I’d be trying to move email (the most locked in cloud service) from Microsoft to Google ASAP.

    • Kevin Beaumont (gossithedog@cyberplace.social) on Monday, 20-May-2024 20:00:04 JST

      The German security services are suing Microsoft over failure to disclose information about one of the Microsoft 365 security breaches: https://www.heise.de/en/news/BSI-verklagt-Microsoft-auf-Herausgabe-von-Informationen-zu-Security-Desaster-9722507.html

      I doubt they will get very far as Microsoft takes steps to avoid legal disclosure in security incidents.

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.