Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability.
This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.
To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but it is disabled by default and provides no protection until it is enabled. Customers will need to carefully follow manual steps to update bootable media and apply revocations before enabling this update.
We will be enforcing the protections in three phases to reduce the impact on customers and industry partners of applying this change to existing Secure Boot deployments.
May 9, 2023: The initial fix for CVE-2023-24932 is released. In this phase, the fix requires the May 9, 2023, Windows Security Update and additional customer action to fully implement the protections.
July 11, 2023: A second release will provide additional update options to simplify the deployment of the protections.
First quarter 2024: This final release will enable the fix for CVE-2023-24932 by default and enforce boot manager revocations on all Windows devices.
If these timelines change for any reason, this blog will be updated.
Why is Microsoft taking a phased approach to address this vulnerability?
The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up. The technical documentation referenced below provides implementation and testing guidance to limit potential impact at this time, and future release plans will allow Microsoft to simplify deployment without disruption.
How do customers know if they are using Secure Boot?
From a Windows command prompt, enter msinfo32. If it shows Secure Boot State is ON, the system.
Note: The publicly known vulnerability does not present any additional risk if Secure Boot is not enabled, and no additional steps are required. We recommend that customers use Secure Boot to protect systems from tampering and bootkit-class exploits and that they keep their systems up to date with the latest Windows Updates. For more information about the benefits of Secure Boot, see: Secure Boot and Trusted Boot.
Acknowledgement
We appreciate the opportunity to investigate the findings reported by Tomer Sne-or with SentinelOne and Martin Smolár from ESET which helped us harden the service, and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.
NIST Revises SP 800-171 Guidelines for Protecting Sensitive Information
The National Institute of Standards and Technology (NIST) has updated its draft guidelines for protecting sensitive unclassified information, in an effort to help federal agencies and government contractors more consistently implement cybersecurity requirements. The revised draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3), will be of particular interest to the many thousands of businesses that contract with the federal government. Federal rules that govern the protection of controlled unclassified information (CUI), which includes such sensitive data as health information, critical energy infrastructure information and intellectual property, reference the SP 800-171 security requirements. Systems that store CUI often support government programs containing critical assets, such as design specifications for weapons systems, communications systems and space systems.
The updates in this draft publication have been guided and informed by the public comments received and NIST’s responsibility to meet the requirements of the Federal Information Security Modernization Act, Executive Order (EO) 13556, the CUI federal regulation, and Office of Management and Budget (OMB) Circular A-130. Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.
In addition to the draft publication, NIST has issued an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay. These supporting materials are available on the publication details page.
NIST will also host a webinar on June 6, 2023, to provide an overview of the significant changes made to NIST SP 800-171, Revision 3. Registration information will be announced separately through a GovDelivery announcement and on the Protecting CUI project site.
Submit Your Comments
The public comment period is open through July 14, 2023. See the publication details for a copy of the draft and instructions for submitting comments. Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171, Revision 3. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. Please direct questions and comments to [email protected].
During this one-hour webinar, the team will give an overview of their newest Cybersecurity White Paper, which outlines a six-step approach that manufacturers can follow to implement security segmentation and mitigate cyber vulnerabilities in their manufacturing environments.
In addition, the team will discuss the progress on the Respond and Recover project, including a discussion of the planned scenarios. We look forward to feedback from the COI to make sure the needs of manufacturers are covered in these projects.
Event Agenda:
Discussion: Security Segmentation in a Small Manufacturing Environment
Discussion: Responding to and Recovering from a Cyber Attack
Audience Q&A / Closing
If you have any questions, please reach out to the NCCoE Manufacturing team at [email protected].
Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, could improve the security of networks and IoT devices.
This practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. To achieve this, the NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and of capabilities that improve device and network security throughout the IoT-device lifecycle.
Submit Your Comments
The public comment period is open now through June 20, 2023. View the project page for draft copies and instructions for submitting comments.
Contribute
If you have expertise in IoT and/or network security and would like to help shape this project, consider joining the IoT Onboarding Community of Interest. Contact the project team at [email protected] declaring your interest.
It’s that time of year again. World Password Day is May 4, 2023.1 There’s a reason it’s still going strong 10 years after being created by cybersecurity professionals. A recent study that analyzed more than 15 billion passwords found that the top 10 most popular passwords still include easy-to-crack combinations like “123456” and “qwerty.”2 With that level of security, many organizations are essentially leaving the front door open. Sharing your password for a streaming service may seem harmless (their accountants might disagree), but this behavior sometimes bleeds into the workplace, where weak or shared employee passwords often become one of the largest security threat vectors that companies face.
In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).3 Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.4 And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts—hundreds of thousands of people have deleted their passwords completely.5
For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provides the best security and an excellent return on investment (ROI).
Go passwordless for simplicity, security, and savings
If you’ve read my blog on why no passwords are good passwords, you know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”
Passwords alone are simply not sufficient protection. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these—telephony—is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor option for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password—and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.
Figure 1. Identity protection methods are not made equal; certain protections are far more secure than others.
In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim to replace passwords with something that is not only more cryptographically sound but also as easy and intuitive to use as a password. Passwordless technology, such as Windows Hello, that’s based on the Fast Identity Online (FIDO) standards strengthens security by doing the verification on the device, rather than passing user credentials through an (often vulnerable) online connection. It also provides a simplified user experience, which can help boost productivity as well.
That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”6
Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD)—now part of Microsoft Entra—allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its business apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.7
Multifactor authentication can’t do it all
A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.8 That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.9 That’s a pretty stellar statistic, but it’s not bulletproof; especially when considering that SMS is 40 percent less effective than stronger authentication methods.10 Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:
The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
If the targeted person doesn’t accept, the attacker keeps at it—flooding the target with repeated prompts.
The victim becomes so overwhelmed or distracted, they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target through email, messaging, or phone pretending to be a member of the IT team.
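The four steps above describe the attacker's side; the defender's side is spotting the pattern in sign-in telemetry before the victim gives in. As an added illustration (not code from the original post or from Microsoft), the Python below scans constructed sign-in records for a burst of denied or timed-out MFA push prompts against one account within a short window, and raises the severity when an approval follows the burst. The record layout, field names, thresholds and sample rows are assumptions for the example, not a real Azure AD sign-in schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). Each row is
# (ISO timestamp, user, outcome of the MFA push prompt). The "alice" rows
# model the fatigue pattern: repeated denied/timed-out pushes, then an approval.
SAMPLE_EVENTS = [
    ("2023-05-04T08:00:05", "alice@example.test", "denied"),
    ("2023-05-04T08:00:41", "alice@example.test", "timeout"),
    ("2023-05-04T08:01:12", "alice@example.test", "denied"),
    ("2023-05-04T08:01:50", "alice@example.test", "timeout"),
    ("2023-05-04T08:02:30", "alice@example.test", "denied"),
    ("2023-05-04T08:03:10", "alice@example.test", "approved"),
    ("2023-05-04T09:15:00", "bob@example.test", "approved"),
    ("2023-05-04T11:40:00", "bob@example.test", "denied"),
    ("2023-05-04T11:55:00", "bob@example.test", "approved"),
]

# Prompt outcomes that count as "the user did not accept" (assumed labels).
FAILED_RESULTS = {"denied", "timeout"}


def parse_events(rows):
    """Turn raw rows into (datetime, user, result) tuples."""
    return [(datetime.fromisoformat(ts), user, result) for ts, user, result in rows]


def _group_by_user(rows):
    """Chronologically ordered (timestamp, result) list per user."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(parse_events(rows)):
        by_user[user].append((ts, result))
    return by_user


def detect_mfa_fatigue(rows, threshold=3, window=timedelta(minutes=10)):
    """Flag users who received at least `threshold` failed push prompts
    inside `window`. Severity is raised to "high" when an approval lands
    within `window` after the burst, i.e. the victim may have clicked "yes"."""
    findings = []
    for user, evs in _group_by_user(rows).items():
        failures = [ts for ts, r in evs if r in FAILED_RESULTS]
        start = 0
        for end in range(len(failures)):
            # Slide the left edge until the span fits inside the window.
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: extend the burst while prompts keep arriving
            # within `window` of the previous one.
            last = end
            while last + 1 < len(failures) and failures[last + 1] - failures[last] <= window:
                last += 1
            burst_start, burst_end = failures[start], failures[last]
            approved_after = any(
                r == "approved" and burst_end < ts <= burst_end + window
                for ts, r in evs
            )
            findings.append({
                "user": user,
                "failed_prompts": last - start + 1,
                "burst_start": burst_start.isoformat(),
                "burst_end": burst_end.isoformat(),
                "approved_after_burst": approved_after,
                "severity": "high" if approved_after else "medium",
            })
            break  # one finding per user is enough to open a case
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(finding)
```

The "high" finding is the one that should page an analyst: a run of rejected prompts followed by an approval is the signature of the scenario in step 4, and the session it produced is the thing to revoke. Bob's single denial never reaches the threshold, which is the intended behaviour for an ordinary mistyped prompt.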
One widely publicized multifactor authentication fatigue attack happened in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021 when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.
All identity protection rests on Zero Trust
Zero Trust is just another way of describing proactive security. In other words, it consists of the measures you should take before bad things happen, and it rests on one simple principle: “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars:
Verify explicitly: Authenticate every user based on all available data points—identity, location, device health, service or workload, data classification, and anomalies.
Use least-privilege access: This means limiting access according to the user’s specific role and task. You should also apply risk-based policies and adaptive protection to help secure your data without hindering productivity.
Assume breach: This allows your security team to minimize the blast radius and prevent lateral movement if a breach occurs. Maintaining end-to-end encryption and using analytics will also strengthen threat detection and improve your defenses.
And when it comes to “verify explicitly” as part of Zero Trust, no investment in the field of credentials is better than a passwordless journey; it literally moves the goalposts on the attackers.
May the Fourth be with you all!
Security year round
At Microsoft Security, we believe security is about people. Empowering users with strong, streamlined access from anywhere, anytime, on any device is part of that mission. Learn more about Microsoft passwordless authentication and how it can help your organization eliminate vulnerabilities while providing fast, safe access across your entire enterprise.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.
Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats.
You will have the opportunity to:
Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
Understand ways to help protect people and data against cyberthreats with Microsoft technologies.
Join us at an upcoming two-part event:
Thursday, May 25, 2023 | 11:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)
Friday, May 26, 2023 | 11:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English Closed Captioning Language(s): English
We invite you to come explore deidentification technologies with us by participating in the Collaborative Research Cycle. This technology challenge seeks to advance our understanding of synthetic data generation and other de-identification technologies. We present the NIST Diverse Community Excerpts, rich demographic data from the American Community Survey, as benchmark data. We invite you to submit deidentified instances of these data using any technique. In return, you will receive detailed utility and privacy reports.
Beginning May 15, we plan to make periodic releases of all of the submitted data alongside method descriptions and evaluation results in a machine-readable ‘research acceleration bundle’ that we anticipate will become an invaluable resource for comparing and exploring deidentification techniques.
Please visit the project’s website to see the data, the metrology package we have to analyze the de-identified data, and learn more about the program.
Any and all techniques are welcome (even poor performing ones!). We already have a library of techniques, with some open source tools, that you’re welcome to try out.
Submit data by May 9, 2023, to have your data included in the first release of our acceleration bundle. We plan to drop additional releases during the summer. Send a blank email to [email protected] to join our listserv for updates and invitations to our biweekly office hour and seminars.
Ask the Experts: Migrate to IaaS or PaaS? Modernize your mission-critical apps on the cloud
Webinar date: Tuesday, May 9, 2023, 9:00 AM Pacific Time / 12:00 PM Eastern Time
Choosing the best cloud migration approach is essential to effectively migrating mission-critical apps and data. Infrastructure as a service (IaaS) and platform as a service (PaaS) are both great options, but which one is right for your organization? Get your questions answered by our team of SQL experts. Register now to join the conversation during this live digital event, which will cover:
Solution assessments
SQL IaaS versus SQL PaaS solutions
Data and application migration
Planning and migration
To get the most value from your Security solutions, you need to understand the business value of the different features they include to decide if, when, and how to go about turning them on. And when you’re ready to enable new features, you need clear guidance to make it happen.
This is why we recently published new Microsoft Security solution feature guides on Microsoft Defender for Office 365 and Defender for Endpoint. Each guide briefly highlights five key product features and the value they provide, then points directly to step-by-step enablement instructions.
Microsoft Security solution feature guide: Microsoft Defender for Office 365
Defender for Office 365 provides integrated threat protection for your email and collaboration tools. With this guide, you can learn about and enable:
Incident and alert management
Attack simulations and training campaigns
Automated investigation and response triggers
Scanning with Safe Links
Attachment checks with Safe Attachments
Microsoft Security solution feature guide: Microsoft Defender for Endpoint
Defender for Endpoint helps you rapidly stop attacks, scale security resources, and evolve defenses across your operating systems and network devices. The guide covers the following features and links to instructions so you can:
Define manual response actions
Explore automated investigations
Enable endpoint reporting and policy settings
Engage in advanced threat hunting
Choose either active or passive mode for antivirus
Check out the Microsoft Defender for Office 365 and Defender for Endpoint solution feature guides to learn how you can get more value from Microsoft Security and take your first steps toward enabling more features today.