A new report from the US Cyber Safety Review Board has found that Microsoft could have prevented Chinese hackers from breaching US government emails through its Microsoft Exchange Online software last year. The incident, described as a “cascade of security failures” at Microsoft, allowed Chinese state-sponsored hackers to access online email inboxes of 22 organizations, affecting more than 500 people including US government employees working on national security.
The US Department of Homeland Security (DHS) has released a scathing report that found that the hack was “preventable” and that a number of decisions inside Microsoft contributed to “a corporate culture that deprioritized enterprise security investments and rigorous risk management.”
The hackers used an acquired Microsoft account (MSA) consumer signing key to forge authentication tokens, which they then used to access Outlook on the web (OWA) and Outlook.com. The report makes it clear that Microsoft still isn’t sure exactly how the key was stolen, but the leading theory is that the key was present in a crash dump. Microsoft published that theory in September, and recently updated its blog post to admit “we have not found a crash dump containing the impacted key material.”
Without access to that crash dump, Microsoft can’t be sure exactly how the key was stolen. “Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account,” says Microsoft in its updated blog post.
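The mechanism in the two paragraphs above is simple to state: whoever holds a signing key can mint tokens that verify as genuine, so a key that leaves its signing environment is as good as a credential for every user that key can vouch for. The example below is added here to make that concrete; it is not code from the article or from Microsoft, and the key names, issuers, audiences and secrets are all constructed for the illustration (the page does not describe Microsoft's actual token format or validation logic). It uses HMAC rather than the asymmetric signatures real identity providers use, purely to stay within the standard library; the lesson is the same. A weak verifier accepts any key in its key set for any issuer and audience, so a token forged with a consumer key is accepted at an enterprise mail endpoint. The hardened verifier additionally binds each key to the issuer it was registered for and to the audiences it is trusted to sign for, a general hardening measure rather than a description of Microsoft's fix.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set, hypothetical names only: each signing key belongs to one
# identity provider (issuer) and is trusted for a fixed set of audiences.
KEYS = {
    "consumer-key-1": {
        "secret": b"constructed-consumer-secret",
        "issuer": "consumer-idp.example",
        "audiences": {"outlook.example"},
    },
    "enterprise-key-1": {
        "secret": b"constructed-enterprise-secret",
        "issuer": "enterprise-idp.example",
        "audiences": {"owa.example"},
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, secret: bytes, claims: dict) -> str:
    """Sign a JWT-shaped token. Anyone holding `secret` can do this, which is
    why a leaked signing key is equivalent to the ability to impersonate."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), h + "." + p, _unb64(s)


def verify_naive(token: str, expected_aud: str, now: int) -> bool:
    """Weak verifier: any key in the key set may sign for any issuer or audience.
    Signature, audience and expiry are checked, but the key is not bound to the
    issuer the token claims."""
    try:
        header, claims, signing_input, sig = _parse(token)
    except ValueError:  # malformed base64 / JSON / wrong segment count
        return False
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def verify_scoped(token: str, expected_aud: str, now: int) -> bool:
    """Hardened verifier: everything verify_naive checks, plus the key must be
    the one registered for the claimed issuer and trusted for this audience."""
    if not verify_naive(token, expected_aud, now):
        return False
    header, claims, _, _ = _parse(token)
    key = KEYS[header["kid"]]
    return claims.get("iss") == key["issuer"] and expected_aud in key["audiences"]


def forge_enterprise_token(stolen_kid: str, now: int) -> str:
    """What an attacker holding a consumer signing key can mint: a token that
    claims to come from the enterprise issuer, for the enterprise mail audience."""
    claims = {"iss": "enterprise-idp.example", "aud": "owa.example",
              "sub": "target-user", "exp": now + 3600}
    return mint_token(stolen_kid, KEYS[stolen_kid]["secret"], claims)


def demo(now: int = 1_700_000_000) -> dict:
    forged = forge_enterprise_token("consumer-key-1", now)
    legit = mint_token("consumer-key-1", KEYS["consumer-key-1"]["secret"],
                       {"iss": "consumer-idp.example", "aud": "outlook.example",
                        "sub": "alice", "exp": now + 3600})
    return {
        "forged_accepted_by_naive": verify_naive(forged, "owa.example", now),
        "forged_accepted_by_scoped": verify_scoped(forged, "owa.example", now),
        "legit_consumer_accepted_by_scoped": verify_scoped(legit, "outlook.example", now),
    }


if __name__ == "__main__":
    print(demo())
```

The forged token carries a valid signature, a matching audience and an unexpired `exp`, so a verifier that trusts any key in its key set for any purpose lets it through; only the check that the key actually belongs to the claimed issuer and is trusted for the target audience stops it. The same scoping is what makes key rotation meaningful after a suspected leak: once the compromised `kid` is dropped from the key set, tokens signed with it fail at the first lookup regardless of what they claim.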
Microsoft acknowledged to the Cyber Safety Review Board in November that its September blog post was inaccurate, but it was only corrected months later on March 12th “after the Board’s repeated questioning about Microsoft’s plans to issue a correction.” While Microsoft fully cooperated with the board’s investigation, the conclusion is that Microsoft’s security culture needs an overhaul.
“The Board finds that this intrusion was preventable and should never have occurred,” says the Cyber Safety Review Board. “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The findings from the board come in the same week that Microsoft has launched its Copilot for Security, an AI-powered chatbot designed for cybersecurity professionals. Microsoft is charging businesses $4 per security compute unit per hour under a consumption model to access this latest AI tool, just as the company struggles with an ongoing attack from Russian state-sponsored hackers.
Nobelium, the same group behind the SolarWinds attack, managed to spy on some Microsoft executive email inboxes for months. That initial intrusion also led to some of Microsoft’s source code being stolen, with Microsoft admitting recently that the group accessed the company’s source code repositories and internal systems.
Microsoft is now attempting to overhaul its software security following the breach of US government emails last year and similar cybersecurity attacks in recent years. Microsoft’s new Secure Future Initiative (SFI) is designed to overhaul how it designs, builds, tests, and operates its software and services. It’s the biggest change to Microsoft’s security efforts since the company introduced its Security Development Lifecycle (SDL) in 2004, after the devastating Blaster worm knocked Windows XP machines offline in 2003.