https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61519#M346 <P><SPAN>The article stated “Had they stored and managed in an HSM, this whole (China) thing would not have been possible [said Oberlaender]”.</SPAN></P><P>&nbsp;</P><P><SPAN>This is the crux of the problem.&nbsp; No, not the lack of an HSM, but rather the focus on the "one" root cause.&nbsp; Bullet proof does not exist. Security should come in multiple bullet-resistant layers. S</SPAN><SPAN>ee <A href="https://en.wikipedia.org/wiki/Swiss_cheese_model" target="_blank" rel="noopener">Swiss cheese model</A>.</SPAN></P><P>&nbsp;</P><P><SPAN>An encryption key was compromised.&nbsp; That happens and over time as technology improves (looking at you SSL)&nbsp; That is one layer that failed.&nbsp;&nbsp;</SPAN><SPAN>Somebody apparently failed to check an expiration date. Bugs are a known factor in computing. That is another layer that fails on a seemingly daily basis.</SPAN></P><P>&nbsp;</P><P>The bigger goal needs to be multiple security layers (identity, encryption, validating pedigree of data, routing, physical cabling, guards-with-guns, etc.) all working together to protect the target, each designed to fail loudly and leaving the other layers intact.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Aug 2023 02:26:25 GMT denbesten 2023-08-08T02:26:25Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61511#M345 <P>Hi All</P><P>&nbsp;</P><P>Computerworld has a very interesting article on Microsoft, well worth reading:</P><P>&nbsp;</P><P><A href="https://www.computerworld.com/article/3704132/has-microsoft-cut-security-corners-once-too-often.html" target="_blank">https://www.computerworld.com/article/3704132/has-microsoft-cut-security-corners-once-too-often.html</A></P><P>&nbsp;</P><P>Do you agree or disagree?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Mon, 09 Oct 2023 10:41:21 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61511#M345 Caute_cautim 2023-10-09T10:41:21Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61519#M346 <P><SPAN>The article stated “Had they stored and managed in an HSM, this whole (China) thing would not have been possible [said Oberlaender]”.</SPAN></P><P>&nbsp;</P><P><SPAN>This is the crux of the problem.&nbsp; No, not the lack of an HSM, but rather the focus on the "one" root cause.&nbsp; Bullet proof does not exist. Security should come in multiple bullet-resistant layers. S</SPAN><SPAN>ee <A href="https://en.wikipedia.org/wiki/Swiss_cheese_model" target="_blank" rel="noopener">Swiss cheese model</A>.</SPAN></P><P>&nbsp;</P><P><SPAN>An encryption key was compromised.&nbsp; That happens and over time as technology improves (looking at you SSL)&nbsp; That is one layer that failed.&nbsp;&nbsp;</SPAN><SPAN>Somebody apparently failed to check an expiration date. Bugs are a known factor in computing. That is another layer that fails on a seemingly daily basis.</SPAN></P><P>&nbsp;</P><P>The bigger goal needs to be multiple security layers (identity, encryption, validating pedigree of data, routing, physical cabling, guards-with-guns, etc.) all working together to protect the target, each designed to fail loudly and leaving the other layers intact.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Aug 2023 02:26:25 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61519#M346 denbesten 2023-08-08T02:26:25Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61541#M347 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713">@denbesten</a>As we all know, it only takes one break in the layers for it to be exploited.&nbsp; Given the organisation, this simply should not have happened had they have correct compliance checks in place.&nbsp; For instance, they have to report to their CEO every 90 days based on the SOX Act.&nbsp;</P><P>&nbsp;</P><P>It appears to me, that they are not doing their due diligence rigorously - simply mistakes like this normally result in financial penalties against the organisation.&nbsp; The issue with Microsoft is they have grown so big, they have forgotten the basics, and many of those checks should be automated and validated to reduce the likelihood of these issues.</P><P>&nbsp;</P><P>It is not good enough - discounts to client</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Wed, 09 Aug 2023 00:56:52 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61541#M347 Caute_cautim 2023-08-09T00:56:52Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61544#M348 <P>An encryption key was compromised. That happens and over time as technology improves (looking at you SSL) That is one layer that failed. Somebody apparently failed to check an expiration date. Bugs are a known factor in computing. That is another layer that fails on a seemingly daily basis.</P><P><A href="http://spotiflyer.net" target="_self"><SPAN>Spotiflyer</SPAN></A></P> Mon, 14 Aug 2023 05:08:48 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61544#M348 charlie323a 2023-08-14T05:08:48Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61578#M349 <P>Another critic from Crowdstrike has come out swinging about Microsoft and security:</P><P>&nbsp;</P><P><A href="https://www.forbes.com/sites/tonybradley/2023/08/10/crowdstrike-microsoft-is-failing-at-security/?sh=602a040a10fe" target="_blank">https://www.forbes.com/sites/tonybradley/2023/08/10/crowdstrike-microsoft-is-failing-at-security/?sh=602a040a10fe</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Fri, 11 Aug 2023 05:07:17 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61578#M349 Caute_cautim 2023-08-11T05:07:17Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61596#M350 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741">@Caute_cautim</a>&nbsp;wrote:<BR /><P>it only takes one break in the layers for it to be exploited.&nbsp;</P><HR /></BLOCKQUOTE><P>But hopefully a break in one layer only affects that layer.&nbsp; In Azure IAAS, we do not assign public IPs directly to hosts.&nbsp; Instead, we assign the public IP to a 3rd party firewall which NATs to the&nbsp;internal host. This means that for someone to breach our host, it is necessary to both exploit a firewall vulnerability and an Azure vulnerability.&nbsp; This is what I mean by layers.</P><P>&nbsp;</P><P>Unfortunately, Azure fights 3rd party firewalls every step of the way by breaking deployment templates if one administratively disables public IPs; by enabling public IPs by default on their PAAS stuff, requiring SAAS be visible over internet (one cannot deny access to the login prompt).&nbsp; And, if we were to host the firewall in Azure, their "routing" [sic] has no concept of a firewall with interfaces in two different routing domains, so routing-around-the firewall is a constant risk.</P><P>&nbsp;</P> Fri, 11 Aug 2023 17:30:18 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/61596#M350 denbesten 2023-08-11T17:30:18Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/62358#M354 <P>Hi All</P><P>&nbsp;</P><P>Here is a follow up to this issue.</P><P>&nbsp;</P><P><A href="https://securityintelligence.com/articles/lessons-learned-from-the-microsoft-cloud-breach/" target="_blank">https://securityintelligence.com/articles/lessons-learned-from-the-microsoft-cloud-breach/</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Wed, 30 Aug 2023 03:46:24 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/62358#M354 Caute_cautim 2023-08-30T03:46:24Z https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/62638#M356 <P>Hi All</P><P>&nbsp;</P><P>A follow up to the original reports:</P><P>&nbsp;</P><P><A href="https://www.darkreading.com/attacks-breaches/microsoft-ids-security-gaps-that-let-threat-actor-steal-signing-key" target="_blank">https://www.darkreading.com/attacks-breaches/microsoft-ids-security-gaps-that-let-threat-actor-steal-signing-key</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Sat, 09 Sep 2023 06:19:47 GMT https://community.isc2.org/t5/Cloud-Security/Has-Microsoft-cut-security-corners-once-too-often/m-p/62638#M356 Caute_cautim 2023-09-09T06:19:47Z