Microsoft Secure Blog: In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance (feed dated Fri, 23 Jun 2017 22:26:27 +0000).

Tips for securing your identity against cybersecurity threats (Wed, 21 Jun 2017 16:00:45 +0000)

This post is authored by Simon Pope, Principal Security Group Manager, Microsoft Security Response Center.

Introducing new video on best practices from the Microsoft Cyber Defense Operations Center

Ask any CISO or cybersecurity professional about their greatest security challenge, and it’s a good chance the answer will be “the actions of our people.”

While virtually all employees, contractors, and partners have the best of intentions, the fact is that protecting their online credentials, identifying and avoiding phishing scams, and evading cybercriminals is getting more difficult each day. More of our time each day is spent online, and as more financial transactions and social activities are conducted online, adversaries are becoming ever-more sophisticated in their cyberattacks.

Microsoft faces these same threats, and we have made deep investments in training our people to be more aware and diligent in the face of such dangers. Our cybersecurity success depends on our customers’ trust in our products and services, and their confidence that they can be safe on the internet. To help keep our customers and the global online community safe, we want to share some of our Cyber Defense Operations Center’s best practices for Securing your identity against cybersecurity threats in this video.

In this video, we discuss some best practices around securing your identity, such as avoiding social engineering scams that trick people into giving up their most sensitive secrets, recognizing phishing emails that falsely represent legitimate communications, and how to spot false impersonations of your trusted colleagues or friends. We also discuss some of the types of information you don’t want to share broadly (i.e. credentials, financial information and passwords), and tips for protecting your sensitive data.

Some cybersecurity tips that we discuss include:

  • Be vigilant against phishing emails
  • Be cautious when sharing sensitive information
  • Don’t automatically trust emails from people you know, it may not be from them
  • Keep your software up-to-date

Please take a few minutes to watch the video and share it with your colleagues, friends and family. We all need to be diligent in the face of this growing and ever-more sophisticated threat. And check back next week for our second video on Protecting your devices from cybersecurity threats, and in two weeks, we will share more on Protecting your information and data from cybersecurity threats on the Microsoft Secure blog.

Additional resources:

TLS 1.2 support at Microsoft (Tue, 20 Jun 2017 16:00:46 +0000)

This post is authored by Andrew Marshall, Principal Security Program Manager, Trustworthy Computing Security.

In support of our commitment to use best-in-class encryption, Microsoft’s engineering teams are continually upgrading our cryptographic infrastructure. A current area of focus for us is support for TLS 1.2. This involves not only removing the technical hurdles to deprecating older security protocols, but also minimizing the customer impact of these changes. To share our recent experiences with this work, we are today announcing the publication of the “Solving the TLS 1.0 Problem” whitepaper to aid customers in removing dependencies on TLS 1.0/1.1. Microsoft is also working on new functionality to help you assess the impact to your own customers when making these changes.

What can I do today?

Microsoft recommends customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:

  • Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1.
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0/1.1.
  • Understanding which clients may be broken by disabling TLS 1.0/1.1.
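As an added illustration of the first item in this list (not from the whitepaper or any Microsoft tool), here is a small scanner for the common ways application code and server configuration pin an obsolete protocol version. The pattern table and the sample files are constructed for this example; a hit is a lead for review, not proof of a live dependency.

```python
"""Find hard-coded TLS 1.0/1.1 (and SSL) protocol selections in source and config."""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    stack: str
    snippet: str
    fix: str


# (stack, pattern, suggested fix). Word boundaries and lookaheads keep
# Tls12 / TLSv1_2 / TLSv1.2 from matching. ORing Tls with Tls12 in .NET is
# still flagged because it leaves TLS 1.0 enabled.
PATTERNS = [
    ("dotnet", re.compile(r"SecurityProtocolType\.(?:Ssl3|Tls11|Tls)\b"),
     "use SecurityProtocolType.Tls12 (or SystemDefault and let the OS negotiate)"),
    ("python", re.compile(r"ssl\.PROTOCOL_(?:SSLv2|SSLv3|TLSv1_1|TLSv1)\b"),
     "use ssl.PROTOCOL_TLS_CLIENT/SERVER with minimum_version = TLSVersion.TLSv1_2"),
    ("python", re.compile(r"ssl\.PROTOCOL_SSLv23\b"),
     "negotiates any version; set minimum_version = TLSVersion.TLSv1_2 on the context"),
    ("openssl", re.compile(r"\b(?:SSLv2|SSLv3|TLSv1_1|TLSv1)_(?:client_|server_)?method\s*\("),
     "use TLS_method()/TLS_client_method() and SSL_CTX_set_min_proto_version(TLS1_2_VERSION)"),
    ("java", re.compile(r'SSLContext\.getInstance\(\s*"(?:SSL|SSLv3|TLSv1\.1|TLSv1)"\s*\)'),
     'use SSLContext.getInstance("TLSv1.2") or restrict with setEnabledProtocols'),
    ("nginx", re.compile(r"^\s*ssl_protocols\s+[^;]*(?:SSLv3|TLSv1\.1|TLSv1)(?![.\d])"),
     "remove SSLv3/TLSv1/TLSv1.1 from ssl_protocols"),
]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, pattern) that pins an obsolete protocol."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip obvious comment lines so reviewers' notes do not show up as hits.
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for stack, regex, fix in PATTERNS:
            if regex.search(line):
                findings.append(Finding(path, line_no, stack, stripped, fix))
    return findings


def scan_files(paths: Iterable[str]) -> List[Finding]:
    """Scan real files on disk (not used by the offline demo below)."""
    out: List[Finding] = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            out.extend(scan_text(p, fh.read()))
    return out


# Constructed sample files: four stacks with a legacy pin, plus two clean lines.
SAMPLES = {
    "Client.cs": (
        "// legacy pin kept for an old partner API\n"
        "ServicePointManager.SecurityProtocol = "
        "SecurityProtocolType.Tls | SecurityProtocolType.Tls12;\n"
    ),
    "fetch.py": (
        "ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)\n"
        "ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)\n"
    ),
    "conn.c": "SSL_CTX *ctx = SSL_CTX_new(TLSv1_1_client_method());\n",
    "Net.java": 'SSLContext sc = SSLContext.getInstance("TLSv1");\n',
    "nginx.conf": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n",
    "modern.conf": "ssl_protocols TLSv1.2 TLSv1.3;\n",
}


def demo() -> List[Finding]:
    """Run the scanner over the constructed samples."""
    out: List[Finding] = []
    for path, text in SAMPLES.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no} [{f.stack}] {f.snippet}\n    -> {f.fix}")
```

Pair the static findings with a traffic capture or endpoint scan: code that still compiles against a pinned version may be dead, and code with no literal pin may inherit TLS 1.0 from an OS default.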

Coming soon

To help customers deploy the latest security protocols, we are announcing today that Microsoft will provide support for TLS 1.2 in Windows Server 2008 later this summer.

In conclusion

Learn more about removing dependencies on TLS 1.0/1.1 with this helpful resource: the “Solving the TLS 1.0 Problem” whitepaper.

Stay tuned for upcoming feature announcements in support of this work.

Cybercrime and freedom of speech – A counterproductive entanglement (Wed, 14 Jun 2017 16:00:56 +0000)

This post is authored by Gene Burrus, Assistant General Counsel.

As cybercrime becomes ever more pervasive, the need for states to devote law enforcement resources to battling the problem is apparent. However, states should beware of using cybercrime legislation and enforcement resources as a vehicle for restricting speech or controlling content. Doing so risks complicating essential international cooperation and de-legitimizing cybercrime legislation and enforcement. With the growing need for enforcement to thwart cybercriminals, without which the economic and social opportunities of the Internet may well flounder, using “cybercrime” as a label for attacking speech and controlling content may only serve to dilute support, divert resources, and make international cooperation more difficult.

At present over 95 countries either have or are working on cybercrime legislation. This is a good thing, as the more states that have cybercrime laws, especially laws that are largely harmonized to better enable international cooperation, the better for everyone (except the criminals). Cybercrime thrives across borders and between jurisdictions, relying on the internet’s global reach and anonymity, but if cybercriminals are based in a country without adequate cybercrime laws, it becomes even harder to bring them to justice. But defining cybercrime properly is important.

Cybercrime is a word we have all encountered more of in recent years. It tends, rightly so, to bring to mind “hackers” infiltrating computer systems and disrupting them or stealing from them. However, most cybercrime statutes are actually broader than that. They also cover a whole slew of criminal activity mediated by information and communication technology (ICT). They deal with the theft of personal information, from credit card details to social security numbers, which can be used for fraud. They include acts against property, albeit virtual property, from simple vandalism to sophisticated ransomware. (If “virtual property” sounds too abstract to be a concern, bear in mind that this is the form in which many of our most valuable ideas, from patented designs and trade secrets to copyrighted creative material, are now to be found.) Cybercrime will increasingly bleed into the real world too, thanks to devices connected to the Internet (will cybercriminals soon be stealing self-driving cars through the Internet of Things?) and due to attacks on critical infrastructures such as power grids (which will also affect issues of national security).

This broad swathe of cybercrime is widely accepted to be “a bad thing” by most governments and on that basis, cooperation among and between governments in pursuing cybercriminals is possible.

However, many countries’ cybercrime legislation also categorizes publishing or transmission of illegal content in a particular country via computer networks or the internet as “cybercrime”. And on this, countries are not in wide agreement. When a state’s laws criminalize content that other countries don’t recognize as criminal, and then devote cybercrime enforcement resources to chasing this kind of “crime” rather than what people generally think of as cybercrime, it complicates or prevents international cooperation, discredits cybercrime legislation and enforcement efforts, and diverts resources from solving the serious problem of cybercrime. While there is certainly content that is universally reviled, i.e. child pornography, there are many disagreements about the creation and dissemination of other content, e.g. political materials or art work. For some states, free speech is an exceptionally important principle. For others, the control of offensive or dangerous content is essential. Achieving agreement on how to approach these differences is, frankly, going to be a challenge. Once again the Budapest Convention provides a salient example. In 2006, the Convention was added to by a Protocol that criminalized acts spreading racist and xenophobic content. Even some states that signed up to and ratified the original Convention have proved reluctant to add themselves to the Protocol. This is almost certainly not because they approve of racist or xenophobic content; it’s simply a complicated issue in the context of their own laws or their perspectives on free speech or legal sovereignty.

If these kinds of disagreements are expanded across other types of content and then brought into the heart of global cooperation against cybercrime, the whole process runs a serious risk of breaking down. States may well be unwilling to cooperate in cybercrime investigations, fearing they might expose people whose actions are in no way criminal by their own standards. And, once again, the only ones to benefit will be the cybercriminals who can play off jurisdictions against one another, ducking and diving across borders and through gaps in legal enforcement.

In many ways, the “cyber” in these “content crimes” is just about distribution, and they do not have to be included in cybercrime statutes and enforcement efforts. Because states have different types of speech they want to regulate and different levels of free speech they are willing to tolerate, these issues need to be kept separate from efforts to address what everyone agrees on as cybercrime: attacks on data, on property, on infrastructure. Crimes of content creation and distribution, beyond the most universally reviled such as child exploitation, should be dealt with outside of the essential cooperation on cybercrime itself. This will allow governments to work together globally to protect citizens, businesses and their own national security from cybercriminals.

The CISO Perspective: Putting lessons from WannaCrypt into practice to avoid future threats (Fri, 09 Jun 2017 00:44:49 +0000)

Last month, customers and companies around the world were impacted by the WannaCrypt ransomware attack. Even those not impacted are assessing their risk and taking steps to help prevent such attacks. For everyone, including Microsoft, the attack is a stark reminder of the need for continued focus on security and proven operational techniques. So, after many conversations with my peers in the industry about the attacks in recent weeks and the steps we are each taking to better protect our environments, I wanted to share the common themes that have emerged. I’ve included best practices, technologies and links to more information.

This list is by no means exhaustive, but I hope it is a helpful starting point for those looking for more guidance on how to help protect their environments from present and future threats:

  1. Implement robust update deployment technologies and operational practices so you can deploy updates as consistently and quickly as possible. Companies with complex deployment needs might consider working with IBM BigFix, Landesk/Ivanti, or Microsoft’s System Center Configuration Manager. Our customers can use Windows Update and Windows Update for Business, free of charge. (This is a multi-faceted issue so I’ve added more thoughts below.)
  2. Limit the impact of email as an infection vector. This is particularly important given that more than 90% of cyberattacks start with a phishing email. Developing strong user education and awareness programs can help individual employees identify and avoid phishing emails. Barracuda, FireEye, and Office 365’s Exchange Online Protection and Advanced Threat Protection all provide technology to help prevent phishing and spam emails and other links to malware from getting through to your users.
  3. Ensure the broad deployment of up-to-date anti-malware software. Solutions from industry partners like those in the Microsoft Active Protections Program, as well as technologies like Windows Defender and Advanced Threat Protection, can help protect users and systems from attacks and exploits.
  4. Implement protected backups in the cloud or on-premises, also known as a data protection service. Having multiple versions of your data backed up and protected by measures such as dual factor authentication is a critical layer of protection to help prevent ransomware or malware from compromising your data. Companies can look to vendors like NetApp, CommVault, or Microsoft with Azure Backup for solutions.
  5. Implement multi-factor authentication to protect user identities and minimize the probability of unauthorized access to company resources and data with technologies like RSA SecurID, Ping Identity, Microsoft Authenticator and Windows Hello.
  6. Improve your team’s situational awareness and response capability across your enterprise all the way to the cloud. Cybersecurity attacks are increasingly complex, so businesses need a holistic view of their environment, vulnerability, real-time threat detection, and ideally, the ability to quarantine compromised users and systems. Several companies offer cutting edge capabilities in this regard, including Qualys, Tenable, Rapid7 and Microsoft’s own Azure Security Center and Windows Defender Advanced Threat Protection (WDATP).
  7. Store and analyze your logs to track where an infection starts, how far into your enterprise it went and how to remediate it. Splunk, ArcSight, IBM and Microsoft with our Operations Management Suite – Security all offer capabilities in this area.

Keeping systems up to date is critical so I want to share a few more thoughts about how we approach it as part of our overall security posture. First, there is no one-size-fits-all strategy. A comprehensive approach to operational security – with layers of offense and defense – is critical because attackers will go after every chink in your armor they can find. That said, updating can be difficult in complex environments, and admittedly no environment is 100% secure, but keeping your software up to date is still the number one way to stay secure in a world of motivated attackers and constantly evolving threats.

In terms of how we approach patching and updating at Microsoft, I’m fortunate to have passionate teams working around the clock to limit the impact of infections and update vulnerable systems as quickly as possible. I also know that the Windows team works hard to ensure that they consistently deliver high quality updates that can be trusted by hundreds of millions of users. They conduct thousands of manual and automated tests that cover the core Windows functionality, the most popular and critical applications used by our customers, and the APIs used by our broad ecosystem of Windows apps and developers. The team also reasons over the data, problem and usage reports received from hundreds of millions of devices and triages that real world usage information to proactively understand and fix application compatibility issues as quickly as possible. With all of this context in mind, I want to acknowledge that even more work is needed to make updates easier to deploy and we have teams across the company hard at work improving the experience.

Whether you are a vendor like Microsoft or one of the billions of businesses who count on IT to function, security is a journey, not a destination. That means constant vigilance is required. I hope you find this information helpful on your own journey and as you assess your readiness in light of recent attacks.

You can read more about the WannaCrypt attack in the MSRC Blog, as well as Microsoft President Brad Smith’s perspective on the need for collaboration across industry, government and customers to improve cybersecurity. Visit our Get Secure, Stay Secure page regularly for additional guidance, including new insights on ransomware prevention in Windows 10.

Cross-border cooperation: The road to a more stable and secure Internet (Thu, 08 Jun 2017 16:00:14 +0000)

Australia and China have recently agreed to strengthen their bilateral cooperation in cybersecurity. Cooperation between states on cybersecurity is essential in order to combat cross-border cybercrime and to reduce the risks of inter-state cyberwar. Bilateral cybersecurity agreements between states can help build that cooperation. The real goal, however, should be to achieve multi-lateral consensus and agreement as a basis for a much needed Digital Geneva Convention.

The internet is a multi-stakeholder environment. Not only has it become central to businesses and individuals that operate across borders, but thanks to cyberspace the interactions of states are no longer as constrained by geography as they once were. A network of bilateral agreements between multiple states can attempt to model that complexity and depth of relationships. However, differences between individual agreements and gaps of coverage between certain states that have no agreements can be exploited by cybercriminals and can also promote misunderstanding or mistrust between states. Multilateral approaches avoid this problem by creating a single, coherent approach, although they are harder to organize, as reconciling the needs and concerns of multiple states is not straightforward.

The Australia-China deal is a good thing, as both countries are undertaking to not conduct or support cyber-enabled theft of intellectual property (IP), trade secrets, etc. with the intent of obtaining competitive advantage. It echoes the US-China cyber agreement in many ways, which has been credited with a decline in attacks on the US emanating from China (notably those attacks have not stopped altogether).

Significantly, Australia and China were clear that alongside their bilateral agreement they would observe multilateral “norms of behavior” that were created in July 2015 by the United Nations Group of Governmental Experts (UNGGE). These norms are the culmination of work over many years (with key reports in 2010 and 2013) to build a genuine international consensus on what responsible states should do and not do in cyberspace. They, and the work the UNGGE has continued to do since then, are extraordinarily important for delivering a workable Digital Geneva Convention.

The UNGGE is preparing for a further report in September of this year, which should be another important step on the road to a more stable and secure Internet. It is not the only international group helping to shape how states behave in cyberspace, and when you look at the range of organizations involved you can begin to detect a broad momentum towards a genuine multilateral agreement on cyberspace. Since 2013 the OSCE, for example, has worked through a series of confidence building measures (CBMs) that should enable states to minimize the risks of misunderstandings and reduce their fear of attack via cyberspace. Equally significant, in early April 2017 the G7 made a major declaration on responsible state behavior in cyberspace, calling explicitly on governments active in cyberspace to abide by laws, to respect norms of behavior, and to foster trust and confidence with other states.

Outside of the “West”, the Shanghai Cooperation Organization (SCO) has made its own contributions, which were built on by the Sino-Russian cybersecurity agreement that emerged at around the same time as the bilateral US-China cybersecurity deal, with a similar bilateral pledge not to hack one another. The ASEAN Regional Forum (ARF) has also stepped up its state-to-state engagement in cyberspace, running an ASEAN Cyber Capacity Program (ACCP) that builds member states’ capacities, skills base and incident response capabilities. And another regional group, the Organization of American States (OAS), passed a resolution only a few weeks ago that committed members to increasing cooperation, transparency, predictability and stability in cyberspace through alignment with the UNGGE’s work.

These states and international fora have to be given immense credit for laying the essential foundations for the next, pressing step: the creation of a binding, multilateral agreement between states that protects civilians and civilian infrastructure in cyberspace. In other words, a Digital Geneva Convention. Bilateral agreements, such as those between China and Australia, are helpful and important, of course, but the emphasis for all those involved in cyberspace should be to support the UNGGE and other multilateral fora as they work to create and spread rules, principles and norms for governing state behavior in cyberspace.

NIST Cybersecurity Framework: Building on a foundation everyone should learn from (Wed, 07 Jun 2017 20:00:07 +0000)

On May 16-17, Microsoft participated in a workshop organized by the National Institute of Standards and Technology (NIST) on its recently released Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) Draft Version 1.1. It was a useful discussion, not least because it showed NIST’s continuing commitment to engage in genuine multi-stakeholder dialogue in the development of cybersecurity guidelines and risk management practices. As a colleague of mine wrote some time ago, “Proactive, structured engagements, using public consultation, open workshops with diverse stakeholders, including industry experts, and iterative drafts, really does yield products that are more relevant to the challenges at hand and useful to stakeholders.”

The topical additions to Draft Version 1.1 of the Framework, specifically supply chain security and cybersecurity metrics, show both the durability of the overall approach and its ability to accommodate evolving needs. However, changes must be incorporated in a way that preserves and strengthens the Framework’s broad usability. In particular, Microsoft identified two key areas that should be revised consistent with that goal:

  1. Approaches for understanding risk management posture and goals, including the measurement and metrics guidance, should be developed in supplementary documents rather than in the Framework itself because these approaches are not yet sufficiently stable nor adequately mature.
  2. Supply chain risk management should be integrated throughout the Core’s Subcategories and Informative References rather than within the Implementation Tiers to reduce confusion about how to use the Tiers.

Microsoft has supported the Framework since its inception, and it is integrated into our enterprise risk management program. It influences our security risk culture and informs how we communicate about security capability maturity across our senior management and with our Board of Directors. In conversations with customers, partners, and other industry stakeholders, Microsoft has learned that our positive experience is not unique. In fact, since 2014, the Framework has gained broad recognition as effective guidance for cybersecurity risk management due to its applicability across sectors and organizations of different sizes.

This broad usability has meant that the Framework has gained traction internationally. As governments around the world develop, update, and implement legislation, regulation, or guidelines to protect critical infrastructures, the Framework – as a cross-sector baseline to manage cybersecurity risks – can inform these national efforts and promote interoperability across jurisdictions. Italy and Australia, for example, have already done so. But more can be done. Microsoft continues to advocate for the U.S. Government to promote use of the Framework domestically and abroad. There is not only an opportunity, but rather a need to internationalize the approach of the Framework. Greater use of the Framework will help to enhance cybersecurity across the globe, and importantly, advance economic growth.

To do so, the U.S. Government should promote the Framework globally as the keystone economic objective of this Administration’s international strategy and engagements on cyber. Its efforts should be coordinated across agencies and the opportunities afforded by their missions. For example, the Department of Commerce should highlight the benefits of interoperability to other countries’ economies and security in bilateral, multi-lateral, and regional trade missions and negotiations; NIST should move relevant parts of the Framework into an international standards body; and the State Department should translate the Framework into at least the six official languages of the United Nations and promote the Framework in bilateral engagements, regional and multilateral forums.

As a provider of technology products and services to more than one billion customers around the world, Microsoft is immensely supportive of approaches such as the Cybersecurity Framework. We have collaborated with domestic and international partners on the Framework, and remain committed to working with industry and government to use, promote, and strengthen approaches that are based on both international standards and public-private dialogue and partnership, which this May’s workshop exemplified.

Microsoft submitted comments on Framework Draft Version 1.1.

Three basic security hygiene tips from Microsoft’s Identity Team (Mon, 05 Jun 2017 16:00:38 +0000)

This post is authored by Alex Weinert from the Identity Division’s Security and Protection Team.

Hey there!

I want to share three basic hygiene tips for account protection that every organization should consider. Applying these will go a long way in making sure that only the right users get into their accounts (and all the things those accounts give access to). While there are many great security features available from Microsoft and our partners, in this blog post I am going to focus on three basic hygiene account security tasks:

  1. Ensure your users are registered and ready for multi-factor authentication (MFA) challenges;
  2. Detect and challenge risky logins; and
  3. Detect and change compromised credentials.

While these don’t guarantee you’ll never deal with account compromises, we find that in most cases implementing these simple practices would have prevented attackers from getting initial intrusion. For account security, it really is true that “an ounce of prevention is worth a pound of cure.” So here is your “ounce of prevention.”

Basic hygiene part 1: Ensure your users are registered for MFA challenges

In a perfect world, no one would ever complete a multi-factor challenge. We would get rid of static rules (“MFA always”) which cause user friction, and replace them with perfect risk detection. Good users would never see MFA challenges – we’d always figure out we were working with a trusted person – and bad guys would never be able to solve them.

Alas, despite many years of hard work on the problem (and substantial improvements), we still have “false positives,” where the system detects risk on a login that belongs to a good user. This could be because

  • the person is travelling to a new location and on a new machine,
  • because they are remoting into a machine in a datacenter far away, or
  • because they are intentionally using anonymizing software and routing (such as TOR).

These are simple examples, but this “grey area” will exist even as our detection gets more sophisticated, because, unfortunately, the bad guys are evolving too. It is their job – through phishing, malware, and the use of botnets – to act more and more like the people whose accounts they are trying to hack. Because of that, we must be able to challenge when we aren’t sure they are good – and that will mean some false positives that challenge good users.

If your users aren’t set up for multi-factor authentication, then your security policy will effectively block them from signing in and doing their jobs. Now, good security enables better productivity, but when organizations (and individual users) are faced with the choice between security and productivity, they choose productivity. MFA readiness allows users to solve the occasional challenge from a false positive, which in turn allows you to have a great security posture. That is why a good MFA registration policy is first on our list for basic hygiene.

In Azure Active Directory, you can use Azure AD Identity Protection to set up a policy to cover your users for MFA registration. Azure AD MFA will allow MFA challenges using voice, SMS, push-notification, or OAUTH token challenges. The registration policy will offer whatever you have configured in Azure AD MFA.

To set up a registration policy with Azure AD Identity Protection, just look at the menu on the left, and under “Configure” choose “Multi-factor authentication registration”.

Once you do this, you can choose the users to include in the policy, see the current state of MFA registration in your organization, and enable the policy.

Now, when a user who hasn’t yet registered for MFA logs in, they will see this:

This process has a few major benefits:

  • The process is “self-help” and built into Azure Active Directory
  • Users can be challenged with multi-factor authentication whenever we see risk in the login
  • Users are familiarized with the process of receiving a challenge

Ok, now that everyone is registered, let’s put all this MFA goodness to work.

Basic hygiene part 2: Detect and challenge risky logins

There are many tools out there for telling you when a login has gone wrong and a bad guy got into your resources by pretending to be a good user. While those are helpful for forensics and for improving your security posture for future events, the second step in your “Basic Hygiene” is to prevent bad guys from logging in at all. Azure Active Directory Identity Protection can detect risky logins in real time. Examples are logins from TOR browsers, from new or impossible locations, or from botnet-infected devices. To see the events impacting your organization, check the “Risk Events” area in Azure AD Identity Protection.

An unfortunate reality is that password leaks are happening daily (the biggest recorded breach was reported last week, at over 1 billion credential pairs), and 60% of people reuse their usernames and passwords. We detect and block tens of millions of credential replay attacks every day.

Our detection algorithms are based on our experience defending Microsoft’s consumer and enterprise assets, and the assets of our customers. They benefit from the supervised machine learning system which processes 20TB of data a day and self-adapts to new attack patterns, as well as many applied data scientists. Applying this evaluation to conditional access is your path to ensuring that bad actors are stopped in their tracks. That’s where Azure AD Conditional Access comes in. Azure AD Conditional Access is your Swiss army knife for making sure all logins are secure and compliant. It allows you to specify conditions of a login which impose more requirements before a resource can be accessed. With login risk assessment, you can apply a policy to challenge risky logins. Pick “Sign-in Risk Policy” and enable the policy.

With this policy enabled, you can apply a real-time intercept when risk is detected. The end user experience is as follows:

If a bad guy logs in (in this case, emulated from TOR):

The mobile app then gets the approval notification:

And the user simply doesn’t approve (or, if it *is* the good user, can get in), with the same approval process as previously described.

Basic hygiene part 3: Detect and challenge compromised credentials

Users regularly fall for phishing scams, get malware, reuse their credentials on other systems, and use easily guessed passwords. As a result, we see a lot of cases where we are confident that the valid user is not the only one in possession of their password.

If we are seeing a lot of attempted logins or bad activity in a login, or find your users’ credentials leaked on the black market, we notify you of this by setting the “User Risk” score, indicating a probability that the user’s password is known to a bad actor. You can see which users the system is detecting as “At Risk” and why in Azure AD Identity Protection under “Users flagged for risk”. Notice my account about mid-way down on the right is marked as being at medium risk with six events.

(Please note that for hybrid environments, our ability to detect leaked credentials from black market finds requires that you have enabled password hash sync from your on-premises environment to Azure AD.)

I am frequently asked if compromise of the password is significant if the user is configured for MFA – the answer is emphatically yes! Multi-factor authentication is only multi-factor if it uses at least two different mechanisms (choosing from a secret you know, something you have, and something you are). If the password is compromised, then you really don’t have a valid secret anymore. So, once we detect a compromised credential, it is important to lock out that user until the credential can be remediated, or better, to have the user change the password themselves as soon as they can do so safely (with MFA). We do this on our consumer (Microsoft account) side, and find that we can get the user to safely change their password before the bad guys have a chance to act about 80% of the time. Our investigations in the enterprise cases show roughly the same results in terms of stopping attacks even when the password is known to the attacker.

Here again, Azure AD Conditional Access is your friend. When the condition includes users at risk of compromised credentials, we can challenge for MFA and require a password change. Look for “User Risk Policy”. In this case, I have configured the policy to require password change when user credential risk is medium or above. For this to work, you need to be mastering your passwords in the cloud, so if you are in a hybrid deployment, be sure password writeback is enabled!

When a user logs in with a user risk score that triggers this policy, they see the following:

On clicking next, they are asked to do multi-factor authentication:

And upon approving the login, the user can change their password.

And importantly – they can carry on with their work! Which emphasizes again the importance of getting those users registered!

So, there you have it! Three easy steps to VASTLY better account protection by doing basic hygiene! In summary:

  1. Ensure your users are registered and ready for multi-factor authentication (MFA) challenges;
  2. Detect and challenge risky logins; and
  3. Detect and change compromised credentials.
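The two policies above (sign-in risk challenged with MFA, user risk forcing a password change) as a small added model, written for this post and not Microsoft's own detection code or Conditional Access engine; the Tor exit address, the leaked-credential user, the coordinates and the 1000 km/h impossible-travel threshold are all constructed assumptions:

```python
# Added example (not Microsoft's code): a toy model of the two policies the post
# describes. Sign-in risk (Tor exit, impossible travel) triggers an MFA challenge;
# user risk (leaked credential) triggers MFA plus a forced password change.
# All IPs, users and coordinates below are constructed sample data.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

TOR_EXIT_IPS = {"198.51.100.7"}                    # constructed, not a real exit node
LEAKED_CREDENTIAL_USERS = {"bob@contoso.example"}  # stand-in for a black-market find
IMPOSSIBLE_SPEED_KMH = 1000.0                      # faster than any airline flight
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class SignIn:
    user: str
    ts: float   # epoch seconds
    lat: float
    lon: float
    ip: str

def distance_km(a, b):
    """Great-circle (haversine) distance between two sign-in locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def sign_in_risk(event, previous=None):
    """'high' for an anonymizer login, 'medium' for impossible travel, else 'none'."""
    if event.ip in TOR_EXIT_IPS:
        return "high"
    if previous is not None and previous.user == event.user:
        hours = max(event.ts - previous.ts, 1.0) / 3600.0
        if distance_km(previous, event) / hours > IMPOSSIBLE_SPEED_KMH:
            return "medium"
    return "none"

def user_risk(event):
    """'medium' when the user's password is on a leaked-credential list."""
    return "medium" if event.user in LEAKED_CREDENTIAL_USERS else "none"

def evaluate(event, previous=None):
    """Conditional access decision: controls the login must satisfy (sorted)."""
    controls = set()
    if LEVELS[sign_in_risk(event, previous)] >= LEVELS["medium"]:
        controls.add("mfa")                          # sign-in risk policy
    if LEVELS[user_risk(event)] >= LEVELS["medium"]:
        controls.update({"mfa", "password_change"})  # user risk policy
    return sorted(controls)
```

In the real service the risk levels come from Identity Protection and the controls from the Sign-in Risk and User Risk policies; the point here is that user risk still produces an MFA challenge before the reset, so unregistered users would be stuck.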

Azure Active Directory makes it easy!

Be safe!

Alex (@alex_t_weinert)

Simple steps to help prevent data breaches at your company Wed, 24 May 2017 16:00:22 +0000

Every company has cybersecurity risks and needs to be aware of them, but understanding your company’s risk profile is just the beginning.

Watch this Modern Workplace episode “Cyber Intelligence: Help Prevent a Breach” to get advice on how to best approach cybersecurity at your company from two Chief Information Security Officers (CISO) – Vanessa Pegueros, CISO at DocuSign, and Mike Convertino, CISO at F5 Networks. Learn how these seasoned security executives make decisions on security spending and how they justify security investments to skeptical executives who may not have ever experienced a security breach.

Knowing what you need to protect is a key component of your security strategy. As Convertino explains, “The value proposition of the company needs to be the thing that you base your protections and recommendations on.” When you have a clear goal for security, it becomes easier to demonstrate the value of your security investments in tools and talent.

You’ll also see a preview of the protection available from Office 365 Threat Intelligence, which lets you monitor and protect against risks before they hit your organization. Using Microsoft’s global presence to provide insight into real-time security threats, Office 365 Threat Intelligence enables you to quickly and effectively set up alerts, dynamic policies, and security solutions for potential threats.

Watch the Modern Workplace episode to learn more.


7 types of highly effective hackers (and what to do about them) Mon, 22 May 2017 16:00:06 +0000

Would you know what to do if you drew the attention of a hacktivist group? Knowing that damages from a hacktivist attack are typically minor is no relief, as a breach will surely damage your reputation. However, knowing about the different types of hackers, what motivates them, and the tools and techniques they use, can help better prepare your organization to protect against them.

Attacks on organizations around the world are on the rise. Millions of dollars of intellectual property are at risk, as well as the threat of lost productivity. Threats now come from a wide range of sources including:

  • Script Kiddies who exploit existing code to hack for fun
  • Hacking Groups that work together to attack governments and companies
  • Hacktivists who use hacking skills to promote an agenda
  • Black Hat Professionals who make a living from hacking
  • Organized Criminal Gangs that steal data to make money
  • Nation States that do political and economic espionage
  • Cyberweapons Dealers who sell exploits to other hackers

Learn more about the 7 different hackers and get recommendations on how you can better prepare your organization against their potential threats in this free eBook: 7 Types of Highly Effective Hackers.


More than just an ocean separates American and European approaches to cybersecurity Wed, 17 May 2017 16:00:15 +0000

The recent revision of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the publication of the European Network and Information Security Agency’s (ENISA) proposals on implementation of the Network and Information Security (NIS) Directive have made me pause and ponder the progress made (or indeed not) in securing our critical infrastructures since they were both introduced. I was also struck by how much the differences in political culture affect policy outcomes, even when these are largely supported by the broad ecosystems they seek to regulate and/or influence.

The starting point was strikingly similar for both economic powers: the Directive and the Framework seek to improve cybersecurity of critical infrastructures. They came out at around the same time in early 2013, when the European Commission first introduced the Directive and when Obama signed the Executive Order that set out the process that ultimately resulted in the Cybersecurity Framework.

Given the considerable differences in the US and EU political, legislative and executive “machines”, it is no surprise that, even with these common starting points, the two have followed very different paths. The Framework is undergoing its first major revision in 3 years based on changes in threat and the experiences of global adopters. The Directive is now only beginning the implementation phase in the EU member states.

The NIST’s creation of the Framework has been rightly held up as a successful example of public-private partnership. It used an open, collaborative and iterative development process to harness the expertise and experience of cyber and non-cyber stakeholders, hosting numerous open workshops and consulting widely, and not just within the US itself. The result was a Framework that is now being referenced around the world, by businesses and governments and it is being considered as a starting point for ISO 27103.

On the other hand, the processes of aligning 28 different sets of national cybersecurity agendas, and of securing a common view from a European Parliament that has somewhere between four and six major party groups, took considerably longer than the gestation of the Framework. It was a monumental effort and investment on the part of Europe. There were working groups and workshops too, but perhaps because of the efforts to coordinate the necessary agreements at the “top”, the resulting Directive lacked some of the obvious “bottom-up” characteristics of the Framework. But the benefit of the Directive is that it creates durable institutions in EU member states, coordination processes, and security baselines. As a result, it is likely to yield a very different return on investment than the Framework.

But this should not just be a story of different approaches to cybersecurity policy. The EU approach to building institutions and setting capabilities requirements, if implemented and evolved, will help provide a layer of coordination and security that did not exist before. The Framework’s voluntary nature and global adoption are better at preparing enterprises – public and private – for improving their risk management measures.

These are substantial differences, from the perspective of both businesses and regulators in these two approaches. However, in the end they may complement each other more than we see today. For example, several EU member states already reference the Framework within their approaches to cybersecurity as they seek to leverage implementing terminology and standards. Looking forward, therefore, it is possible that the two approaches could converge in practical ways. Parts of the Framework might evolve into an international standard, as referenced above, one that can be utilized by a great number of countries. Equally, the implementation of the Directive at EU member state level, and the identification of reference standards, could establish a model that other regions might follow.

Cybercriminals and cyberattacks will inevitably be encouraged and enabled by serious divergence in approaches to cybersecurity, wherever in the world these occur. As such, it seems essential that steps are taken on both sides of the Atlantic to ensure closer harmonization, both to improve the situation of the US and the EU and to set an example to the rest of the world.