How Microsoft can help you go passwordless this World Password Day

Microsoft Blog Post

It’s that time of year again. World Password Day is May 4, 2023.1 There’s a reason it’s still going strong 10 years after being created by cybersecurity professionals. A recent study that analyzed more than 15 billion passwords found that the top 10 most popular passwords still include easy-to-crack combinations like “123456” and “qwerty.”2 With that level of security, many organizations are essentially leaving the front door open. Sharing your password for a streaming service may seem harmless (their accountants might disagree), but this behavior sometimes bleeds into the workplace, where weak or shared employee passwords often become one of the largest security threat vectors that companies face.

In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).3 Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.4 And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts—hundreds of thousands of people have deleted their passwords completely.5

For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provides the best security and an excellent return on investment (ROI).

Go passwordless for simplicity, security, and savings

If you’ve read my blog on why no passwords are good passwords, you know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”

Passwords alone are simply not sufficient protection. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these—telephony—is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor option for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password—and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.

Graphic showing a range of identity protection methods, going from bad to best. The first column on the left shows bad passwords; the second column shows good password; the third column shows better passwords; and the fourth column shows best passwords.

Figure 1. Identity protection methods are not made equal; certain protections are far more secure than others.

In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim not only to replace passwords with something cryptographically sounder, but also to be as easy and intuitive to use as a password. Passwordless technology such as Windows Hello, which is based on the Fast Identity Online (FIDO) standards, strengthens security by doing the verification on the device rather than passing user credentials through an (often vulnerable) online connection. It also provides a simplified user experience, which can help boost productivity as well.
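The paragraph above says the verification happens on the device and that the credential is phishing-resistant. The following Go program is an added illustration of why that is, not code from Microsoft, the FIDO Alliance, or any WebAuthn library: it models a simplified FIDO-style exchange in which the device keeps an ECDSA private key bound to the relying-party ID it was registered for, the relying party stores only the public key and issues a fresh random challenge, and the device signs the relying-party ID together with the challenge. The origins `login.example.com` and `login-example.com.evil` are constructed, and the hashing of rpID plus challenge is a stand-in for the real WebAuthn assertion format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Private keys are generated here and
// never leave; each is scoped to the relying-party ID (origin) it was made for.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> credential private key
}

// RelyingParty models the web service. It holds only public keys.
type RelyingParty struct {
	ID    string
	creds map[string]*ecdsa.PublicKey // username -> credential public key
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}}
}

// Register creates a key pair on the device for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// NewChallenge returns 32 fresh random bytes; a reused challenge would allow replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// assertionDigest binds the origin the browser saw to the challenge being signed.
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the device does at login. originRPID is the origin the browser
// reports, so a look-alike site gets either no signature or one over the wrong ID.
func (a *Authenticator) Sign(originRPID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[originRPID]
	if !ok {
		return nil, errors.New("no credential registered for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(originRPID, challenge))
}

// Verify checks the signature against the RP's own ID and the challenge it issued.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(rp.ID, challenge), sig)
}

// Demo runs a genuine login and a login relayed through a phishing site.
// Both origins are constructed for this example.
func Demo() (genuineOK bool, phishedOK bool, err error) {
	const realRP = "login.example.com"
	const phishRP = "login-example.com.evil"
	dev := NewAuthenticator()
	rp := NewRelyingParty(realRP)
	pub, err := dev.Register(realRP)
	if err != nil {
		return
	}
	rp.creds["alice"] = pub

	// Genuine sign-in: browser presents the real origin to the device.
	ch, err := rp.NewChallenge()
	if err != nil {
		return
	}
	sig, err := dev.Sign(realRP, ch)
	if err != nil {
		return
	}
	genuineOK = rp.Verify("alice", ch, sig)

	// Relay through a look-alike site: the attacker forwards a real challenge,
	// but the device is told the attacker's origin. With no key for it, signing
	// fails; even a key enrolled at the look-alike signs over the wrong ID.
	ch2, err := rp.NewChallenge()
	if err != nil {
		return
	}
	if _, signErr := dev.Sign(phishRP, ch2); signErr == nil {
		err = errors.New("device signed for an unregistered origin")
		return
	}
	if _, err = dev.Register(phishRP); err != nil {
		return
	}
	sig2, err := dev.Sign(phishRP, ch2)
	if err != nil {
		return
	}
	phishedOK = rp.Verify("alice", ch2, sig2)
	return
}

func main() {
	g, p, err := Demo()
	fmt.Println("genuine login verified:", g, "| relayed login verified:", p, "| err:", err)
}
```

The design point is that nothing reusable crosses the wire: the relying party sees a public key and a one-time signature, and the signature only verifies if the origin the device signed for matches the relying party's own ID, which is what makes a relayed challenge worthless to a phishing site.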

That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”6

Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD)—now part of Microsoft Entra—allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its business apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.7

Multifactor authentication can’t do it all

A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.8 That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.9 That’s a pretty stellar statistic, but it’s not bulletproof, especially when considering that SMS is 40 percent less effective than stronger authentication methods.10 Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:

  1. The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
  2. The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
  3. If the targeted person doesn’t accept, the attacker keeps at it—flooding the target with repeated prompts.
  4. The victim becomes so overwhelmed or distracted, they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target through email, messaging, or phone pretending to be a member of the IT team.

One widely publicized multifactor authentication fatigue attack happened in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021 when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.
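The four-step pattern described above leaves a recognizable trace in sign-in telemetry: a burst of push prompts that the user denies or lets time out, possibly followed by a single approval. The Go program below is an added defender-side example, not code from Microsoft or from Azure AD, that runs that detection over a constructed log excerpt. The log format (`timestamp user result`), the user names, the 10-minute window and the threshold of five prompts are all assumptions made for the example; real sign-in logs would need their own parser and tuning.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PromptEvent is one MFA push prompt outcome parsed from a sign-in log.
type PromptEvent struct {
	When   time.Time
	User   string
	Result string // "approved", "denied" or "timeout"
}

// SampleLog is a constructed excerpt (not real telemetry): one prompt per
// line as "RFC3339-timestamp user result".
const SampleLog = `
2023-04-20T09:14:02Z alice denied
2023-04-20T09:14:35Z alice denied
2023-04-20T09:15:10Z alice timeout
2023-04-20T09:15:48Z alice denied
2023-04-20T09:16:20Z alice denied
2023-04-20T09:17:05Z alice approved
2023-04-20T09:20:00Z bob denied
2023-04-20T11:02:11Z bob approved
`

// ParseLog turns the text into events sorted by time.
func ParseLog(raw string) ([]PromptEvent, error) {
	var events []PromptEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, PromptEvent{When: ts, User: f[1], Result: f[2]})
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// Finding describes a user whose prompt history matches the fatigue pattern.
type Finding struct {
	User                string
	PeakUnanswered      int  // most denied/timed-out prompts seen inside one window
	ApprovedDuringBurst bool // an approval arrived while the burst was still in the window
}

// DetectPushBombing flags users who accumulate at least threshold unanswered
// prompts inside a sliding window, and notes whether they approved during it.
func DetectPushBombing(events []PromptEvent, window time.Duration, threshold int) []Finding {
	byUser := map[string][]PromptEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order

	var findings []Finding
	for _, u := range users {
		var recent []time.Time // unanswered prompts still inside the window
		f := Finding{User: u}
		for _, e := range byUser[u] {
			cutoff := e.When.Add(-window)
			for len(recent) > 0 && recent[0].Before(cutoff) {
				recent = recent[1:]
			}
			if e.Result == "approved" {
				if len(recent) >= threshold {
					f.ApprovedDuringBurst = true
				}
				continue
			}
			recent = append(recent, e.When)
			if len(recent) > f.PeakUnanswered {
				f.PeakUnanswered = len(recent)
			}
		}
		if f.PeakUnanswered >= threshold {
			findings = append(findings, f)
		}
	}
	return findings
}

// AnalyzeSample runs the detector over SampleLog with the assumed tuning
// (10-minute window, five prompts).
func AnalyzeSample() ([]Finding, error) {
	events, err := ParseLog(SampleLog)
	if err != nil {
		return nil, err
	}
	return DetectPushBombing(events, 10*time.Minute, 5), nil
}

func main() {
	findings, err := AnalyzeSample()
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %d unanswered prompts in window, approved during burst: %v\n",
			f.User, f.PeakUnanswered, f.ApprovedDuringBurst)
	}
}
```

On the sample data only alice is flagged: five unanswered prompts in under three minutes and then an approval while the burst was still inside the window, which is the case worth an immediate look, whereas bob's single denial hours before an approval is ordinary noise. A finding with `ApprovedDuringBurst` set is the one that should trigger the response playbook (reset the credential, review device registrations), while a burst without an approval still indicates the password is already in an attacker's hands.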

All identity protection rests on Zero Trust

Zero Trust is just another way of describing proactive security: the measures you should take before bad things happen, based on one simple principle: “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars:

  • Verify explicitly: Authenticate every user based on all available data points—identity, location, device health, service or workload, data classification, and anomalies.
  • Use least-privilege access: This means limiting access according to the user’s specific role and task. You should also apply risk-based policies and adaptive protection to help secure your data without hindering productivity.
  • Assume breach: This allows your security team to minimize the blast radius and prevent lateral movement if a breach occurs. Maintaining end-to-end encryption and using analytics will also strengthen threat detection and improve your defenses.

And when it comes to “verify explicitly” as part of Zero Trust, no investment in the field of credentials is better than a passwordless journey; it literally moves the goalposts on the attackers.

May the Fourth be with you all!

Security year round

At Microsoft Security, we believe security is about people. Empowering users with strong, streamlined access from anywhere, anytime, on any device is part of that mission. Learn more about Microsoft passwordless authentication and how it can help your organization eliminate vulnerabilities while providing fast, safe access across your entire enterprise.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. World Password Day, National Day Calendar.

2. Most common passwords: latest 2023 statistics, Paulius Masiliauskas. April 20, 2023.

3. Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

4. Over 255m phishing attacks in 2022 so far, Security Magazine. October 26, 2022.

5. The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

6. A passwordless enterprise journey, Accenture.

7. The Total Economic Impact™ of Microsoft Entra, a commissioned study conducted by Forrester Consulting. March 2023.

8. New Ponemon Institute Study Reveals Average Phishing Costs Soar to $14.8M Annually, Nearly Quadrupling Since 2015, GlobeNewswire. August 17, 2021.

9. 17 Essential multi-factor authentication (mfa) statistics [2023], Jack Flynn. February 6, 2023.

10. How effective is multifactor authentication at deterring cyberattacks? Lucas Meyer, et al. May 1, 2023.

Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to:

  • Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
  • Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
  • Understand ways to help protect people and data against cyberthreats with Microsoft technologies.

Join us at an upcoming two-part event:
Thursday, May 25 2023 | 11:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)
Friday, May 26 2023 | 11:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

NIST: Explore Data Deidentification With Us!

We invite you to come explore deidentification technologies with us by participating in the Collaborative Research Cycle. This technology challenge seeks to advance our understanding of synthetic data generation and other de-identification technologies. We present the NIST Diverse Community Excerpts, rich demographic data from the American Community Survey, as benchmark data.  We invite you to submit deidentified instances of these data using any technique. In return, you will receive detailed utility and privacy reports. 

Beginning May 15, we plan to make periodic releases of all of the submitted data alongside detailed method details and evaluation results in a machine-readable ‘research acceleration bundle,’ that we anticipate will become an invaluable resource for comparing and exploring deidentification techniques. 

Please visit the project’s website to see the data, the metrology package we have to analyze the de-identified data, and learn more about the program. 

Any and all techniques are welcome (even poor performing ones!). We already have a library of techniques, with some open source tools, that you’re welcome to try out.

Submit data by May 9, 2023 to have your data included in the first release of our acceleration bundle. We plan to drop additional releases during the summer. Send a blank email to [email protected] to join our listserv for updates and invitations to our biweekly office hour and seminars.

Microsoft Event: Ask the Experts: Migrate to IaaS or PaaS? Modernize your mission-critical apps on the cloud

Webinar date:
Tuesday, May 9, 2023
9:00 AM Pacific Time / 12:00 PM Eastern Time

Choosing the best cloud migration approach is essential to effectively migrating mission-critical apps and data. Infrastructure as a service (IaaS) and platform as a service (PaaS) are both great options, but which one is right for your organization? Get your questions answered by our team of SQL experts. Register now to join the conversation during this live digital event, which will cover:

  • Solution assessments
  • SQL IaaS versus SQL PaaS solutions
  • Data and application migration
  • Planning and migration

Get step-by-step guidance for enabling key features in Microsoft Defender

Blog post from Microsoft.

To get the most value from your Security solutions, you need to understand the business value of the different features they include to decide if, when, and how to go about turning them on. And when you’re ready to enable new features, you need clear guidance to make it happen.  
 
This is why we recently published new Microsoft Security solution feature guides on Microsoft Defender for Office 365 and Defender for Endpoint. Each guide briefly highlights five key product features and the value they provide, then points directly to step-by-step enablement instructions.  

Microsoft Security solution feature guide: Microsoft Defender for Office 365  
Defender for Office 365 provides integrated threat protection for your email and collaboration tools. With this guide, you can learn about and enable: 

  1. Incident and alert management 
  2. Attack simulations and training campaigns 
  3. Automated investigation and response triggers 
  4. Scanning with Safe Links 
  5. Attachment checks with Safe Attachments 

Microsoft Security solution feature guide: Microsoft Defender for Endpoint 
Defender for Endpoint helps you rapidly stop attacks, scale security resources, and evolve defenses across your operating systems and network devices. The guide covers the following features and links to instructions so you can:  

  1. Define manual response actions 
  2. Explore automated investigations 
  3. Enable endpoint reporting and policy settings 
  4. Engage in advanced threat hunting 
  5. Choose either active or passive mode for antivirus 

Check out the Microsoft Defender for Office 365 and Defender for Endpoint solution feature guides to learn how you can get more value from Microsoft Security and take your first steps toward enabling more features today.  

CISA Urges Organizations to Incorporate the FCC Covered List Into Risk Management Plans

The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to the national security of the United States or to the security and safety of United States persons, pursuant to the Secure and Trusted Communications Networks Act of 2019.

As the 6th annual National Supply Chain Integrity Month concludes, CISA reminds all critical infrastructure owners and operators to take necessary steps in securing the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting recommendations listed in Defending Against Software Supply Chain Attacks—a joint CISA and NIST resource that provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework to identify, assess, and mitigate risks. All critical infrastructure organizations are also urged to enroll in CISA’s free Vulnerability Scanning service for assistance in identifying vulnerable or otherwise high-risk devices, such as those on the FCC’s Covered List. To learn more about CISA’s supply chain efforts and to view resources, visit CISA.gov/supply-chain-integrity-month.

Decision to Revise NIST SP 800-38A

NIST to Revise SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques

In May 2021, NIST’s Crypto Publication Review Board initiated a review process for the following two publications, and received public comments:

  • NIST Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques (December 2001)
  • NIST SP 800-38A Addendum, Three Variants of Ciphertext Stealing for CBC Mode (October 2010)

In March 2022, the board proposed revising SP 800-38A and converting the SP 800-38A Addendum by merging it into the revised SP 800-38A, and received additional comments on that proposed decision.

NIST has decided to revise SP 800-38A and to convert the SP 800-38A Addendum. See the full announcement for more details, links to comments received, and ways to monitor future developments such as the Third NIST Workshop on Block Cipher Modes of Operation 2023, scheduled for October 3-4, 2023.


Register Now for the NCCoE Supply Chain Assurance Community

One Week Left to Register for the NCCoE Supply Chain Assurance Community of Interest Update

Date/Time: Wednesday, May 3, 2023 | 2:00-3:00 PM ET

Next week, the National Cybersecurity Center of Excellence (NCCoE) Supply Chain Assurance team will host a webinar update to discuss the finalized NIST Special Publication 1800-34, Validating the Integrity of Computing Devices.

Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This practice guide demonstrates how organizations can verify that the internal components of the computing devices they acquire are genuine and have not been unexpectedly altered or tampered with.

Join the NCCoE Supply Chain Assurance team to discuss the following topics:

  • Project Overview
  • Lessons Learned/Takeaways
  • NCCoE DevSecOps Presentation
  • Next Steps/Q&A

If you have any questions that you would like to submit in advance for the Q&A session, please send them via email to our team at [email protected].


Healthy security habits to fight credential breaches: Cyberattack Series

Here is a post from Microsoft

Fifty percent of Microsoft cybersecurity recovery engagements relate to ransomware,1 and 61 percent of all breaches involve credentials.2 In this second report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a push-bombing request that targeted a legitimate user, allowing an attacker to authenticate and register their own mobile device.

Credential-based attacks begin with the process of stealing or obtaining credentials illegitimately. Often attackers target individuals who they believe have the credentials they need, then conduct social and dark web research on them. Phishing emails and websites created to target corporate targets only need to succeed once to gain credentials that can be sold to and shared with other bad actors.

Push-bombing is when an attacker uses a bot or script to trigger multiple access attempts with stolen or leaked credentials. The attempts trigger a rush of push notifications to the target user’s device, which should be denied. But multiple attempts can confuse a target and cause them to mistakenly allow authentication. Other times, multifactor authentication fatigue can weigh on the target, causing them to believe the access attempts are legitimate. Just one mistaken “allow” is all it takes for an attacker to gain access to an organization’s applications, networks, or files.

On average, people receive between 60 and 80 push notifications each day, with some of us viewing more than 200.3 The time it takes to swipe, tap, flag, click, save, and close every ding, buzz, pop-up, text, and tab takes a toll. Researchers believe the onslaught of notifications is causing us to get tired faster and lose focus, leaving us especially prone to distraction as the day wears on.4 This is what attackers count on. If an attacker gains the credentials to operate like a registered, legitimate user, identifying the intrusion and tracing their possible paths of destruction becomes paramount.

Late last year, a large enterprise customer asked Microsoft Incident Response to investigate an incursion into their on-premises Active Directory environment. Due to the risk of ongoing threats and the need for continued vigilance, the organization and attacker will be kept anonymous for this incident, and we will refer to it as “the inCREDible attack.” This credential-based incident highlights the critical need for establishing healthy habits in our security maintenance processes to combat the regular, repeated, and overwhelming credential attacks faced by today’s organizations.

In this report, we examine the factors contributing to the threat actor’s initial incursion and explore what could have happened without prompt, tactical mitigation efforts. Then we detail the required work streams, recommended timing, and activities involved with regaining control and establishing a plan going forward. We’ll also explore four core steps customers can take to “eat their vegetables” and establish healthy habits that help minimize the risk of attack. And then we share five elements of a defense-in-depth approach that can help businesses maintain a robust defense against ransomware attacks.

Many attacks can be prevented—or at least made more difficult—through the implementation and maintenance of basic security controls. Organizations that “eat their vegetables” can strengthen their cybersecurity defenses and better protect against attacks. That means establishing a solid inventory of all technology assets, continually patching operating systems and software, and implementing comprehensive centralized log collection—all while following a well-defined retention policy. Read the report to go deeper into the details of the push-bombing attack, including the response activity, and lessons that other organizations can learn from this inCREDible case.

What is the Cyberattack Series?

With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:

  • How the attack happened
  • How the breach was discovered
  • Microsoft’s investigation and eviction of the threat actor
  • Strategies to avoid similar attacks

Read the first blog in the Cyberattack Series, Solving one of NOBELIUM’s most novel attacks.

1. Microsoft Digital Defense Report 2022, Microsoft. 2022.

2. 2022 Data Breach Investigation Report, Verizon. 2022.

3. Batching smartphone notifications can improve well-being, Nicholas Fitz, et al. December 2019.

4. Phone Notifications are Messing with your Brain, Molly Glick. April 29, 2022.

WWT 2022

WWT isn’t a physical telescope — it’s a suite of free and open source software and data sets that combine to create stunning scientific visualizations and stories. While WWT started out as a standalone Windows application, it’s evolved into a powerful astronomy visualization toolkit that you can use on the desktop, in the browser, and from Python. To learn more, visit the WWT homepage.

An “edition” is a coordinated release of the many software and data components that comprise the WWT ecosystem. This edition homepage covers: