Cybersecurity: a question of trust

This post is authored by Robert Hayes, Senior Director and Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group. With the scale, scope, and complexity of cyber-attacks increasing by the week, cybersecurity is increasingly being seen as a primary issue for CEOs & Boards. Advice is not hard to find, and there are a multitude of information sources and standards; the in-house CIO will have a view, and of course there are … Read more »

Top Five Security Threats Facing Your Business and How to Respond

This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft while their dwell times inside networks have increased to over 200 days according to most of the major … Read more »

Attackers using Trojans more than other malware categories

Global cyber threat patterns are a constantly moving target. But there are ways organizations can stay ahead of threats. Beginning in 2006, Microsoft took on systematic study of the ever-shifting security landscape, and we share our latest findings twice each year in our Security Intelligence Report (SIR). While cyber threats grow more sophisticated, our goal is simple: to help customers understand the many different types of factors that can influence … Read more »

Understanding the geography of malware

Threat patterns are constantly shifting, and our latest security intelligence report zeroes in on some of the world’s malware hot spots. For more than 10 years, Microsoft has carefully studied the evolving cyber threat landscape and shared findings with the wider security community.  We base our analysis on one of the most complete security data sets in the world, which includes data gathered from more than 600 million computers worldwide. … Read more »

Lessons from the NIST Cybersecurity Framework

This post was authored by Angela Mckay, Director of Cybersecurity Policy It has been more two years since the National Institute of Standards & Technology (NIST) published its Cybersecurity Framework and there has been a lively debate ever since on how the Framework should evolve and be adapted by different organizations. Indeed, since then the Framework has been used by a diverse range of companies, including many critical infrastructures, by … Read more »

Keeping Adobe Flash Player

Years ago, Java exploits were a primary attack vector for many attackers looking to infect systems, but more recently, Adobe Flash Player took that mantle. After accounting for almost half of object detections during some quarters in 2014, Java applets on malicious pages decreased to negligible levels by the end of 2015, owing to a number of changes that have been made to both Java and Internet Explorer over the … Read more »

Too few women in cybersecurity: a gap in our protections that must be addressed

This post was authored by Angela Mckay, Director of Cybersecurity Policy I started working in the cybersecurity space in almost 15 years ago, first as an engineer for BellSouth Telecommunications and then supporting the Department of Homeland Security’s (DHS) Office of Cybersecurity and Communications in several key roles at Booz Allen Hamilton, before joining Microsoft in 2008. In those years I learned that in at least one respect I was … Read more »

Modern browsers are closing the door on Java exploits, but some threats remain

Was 2015 the year the industry finally eradicated Java exploitation? Well, not quite, but the good news is we’re getting there. It should be no surprise that encounters with Java exploits continued to decrease significantly in the second half of 2015 — All of the most commonly encountered exploits target vulnerabilities that were addressed with security updates years ago. While Java was once the vehicle of choice for attackers, modern … Read more »

Hacks for sale: Exploit kits provide easy avenue for unskilled attackers

One of the most common cyber-attack vehicles we’ve seen over the years involves so-called “exploit kits.” These are collections of exploits bundled together and sold as commercial software or as a service. A typical kit includes a collection of web pages with exploits for several vulnerabilities in popular web browsers, browser add-ons, or other types of software. When an attacker installs the kit on a web server, visitors to the … Read more »

Keep Microsoft software up to date — and everything else too

Many of the CIOs and CISOs that I talk to, have, over time, developed mature vulnerability assessment methodologies and security updating processes. But frequently, I find that the focus of these processes is squarely on keeping Microsoft operating systems and browsers up to date. Of course vulnerabilities in popular operating systems or browsers have the potential to affect a broad audience. Another reason for this focus is that Microsoft has … Read more »