SANS NewsBites

Microsoft Delays Recall Rollout; AWS Mandatory MFA for Privileged Accounts; Microsoft Announces Changes to Outlook

June 18, 2024  |  Volume XXVI - Issue #47

Top of the News


2024-06-14

Microsoft Delays Recall Release

Last week, Microsoft announced that they are delaying the release of Recall, a feature that takes screenshots every few seconds, which are then stored on users' devices and encrypted. Users can search these screenshots using local AI for future reference. Critics have been outspoken about Recall's privacy implications. The feature was to be launched as a preview in the Copilot+ PCs, which ship on June 18. Recall will now appear as a preview in the Windows Insider Program. Microsoft says, 'We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security.'

Editor's Note

This feature is a great litmus test for thinking 'Security First.' You can easily understand a developer writing such a tool for personal use and someone seeing it and saying 'Cool, that would be a killer feature in Windows!!' A 'What Could Go Wrong' session would quickly lead not only to 'no way' for a Windows feature, but to deleting that function right now from any developers' machines!! One key reason for killing the feature forever is the scary thought of AI engines ingesting random screenshots of users' screens - Microsoft has already suffered an enormous privacy breach after AI ingested contents of users' hard drives.

John Pescatore

Copilot has multiple forms (app, Edge, Windows, Pro, and 365) and is positioned as a replacement for Cortana; it was initially branded as Bing Chat. This means you need to be conversant not only on which version is where, but also on what they do and whether they fit within your security constraints. Specific to Recall, considering the functionality, you need to understand where the snapshots are stored and what is discernible from the local AI. To evaluate Recall, you're going to need to get a Copilot+ PC and install Recall from the Microsoft Insider Program.

Lee Neely

This whole sorry tale has done major damage to Microsoft's reputation regarding putting security before features. The phrase 'closing the barn doors after the horse has bolted' comes to mind.

Brian Honan

I am glad Microsoft is listening to us; however, let's face it, this feature is in preview. It's available to be pulled down and installed. Is there going to be a threat actor that puts two and two together and makes it so that this preview feature is installed for them to use going forward? The problem is not that it's a delayed feature now; the problem is that it's officially part of the system and can be enabled through an update. It's also still not fully secured. They need to pull this until it is properly hardened.

Moses Frost

It is difficult to reconcile this initiative with "Security First."

William Hugh Murray

2024-06-17

AWS is Rolling Out Mandatory MFA for Privileged Accounts

Last fall, AWS announced that it would begin requiring MFA for privileged users in 2024. In May, AWS began rolling out mandatory multi-factor authentication (MFA) for the root users of AWS Organizations management accounts. Starting in July, root users of standalone accounts will also be required to use MFA. Last week, AWS announced support for FIDO2 passkeys as an MFA method.
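As an added example (not AWS tooling and not part of the original item), the following Python audits an IAM credential report for the gaps the mandate targets: a root user with no MFA device, root holding an active access key, and IAM users who have a console password but no MFA. The report format is the CSV that `aws iam get-credential-report` returns base64-encoded; the four-row report, account ID and usernames below are constructed for illustration and carry only the columns the check reads.

```python
"""Audit an IAM credential report for privileged users without MFA.

Added example, not AWS's own tooling. Input is the CSV body of an IAM
credential report, which in a real account comes from:
    aws iam get-credential-report --query Content --output text | base64 -d
The sample below is constructed; a real report has more columns
(access_key_2_*, cert_*), which csv.DictReader simply carries along.
"""
import csv
import io

# Constructed sample report: account ID and users are fictitious.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-06-01T12:00:00+00:00,not_supported,not_supported,false,true
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-06-10T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-05-06T00:00:00+00:00,true,2024-06-12T08:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-07-08T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

ROOT = "<root_account>"


def parse_report(report_csv):
    """Return the report rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def _is_true(value):
    # The report uses the literal strings true/false/not_supported/N/A.
    return value.strip().lower() == "true"


def find_mfa_gaps(rows):
    """Return (user, finding) pairs for accounts that violate the mandate.

    - root without MFA: what AWS is now enforcing
    - root with an active access key: a long-lived root credential that
      console MFA does nothing to protect
    - IAM users with a console password but no MFA device
    Users with no console password (service/CI users) are skipped: they
    authenticate with access keys, which MFA does not cover.
    """
    findings = []
    for row in rows:
        user = row["user"]
        has_mfa = _is_true(row["mfa_active"])
        if user == ROOT:
            if not has_mfa:
                findings.append((ROOT, "root user has no MFA device"))
            if _is_true(row.get("access_key_1_active", "")):
                findings.append((ROOT, "root user has an active access key"))
            continue
        if _is_true(row["password_enabled"]) and not has_mfa:
            findings.append((user, "console password without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in find_mfa_gaps(parse_report(SAMPLE_REPORT)):
        print(f"{user}: {finding}")
```

Feed the decoded output of `get-credential-report` into `parse_report` to run this against a real account; the root row is the one AWS is now enforcing, and the `bob`-style rows are the ones you will have to enforce yourself.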

Editor's Note

AWS is helping lead the push to MFA adoption, which is fantastic. Not only is this one of the most critical controls to reducing account takeovers, but most likely quickly becoming one of the most critical controls if you want cyber insurance.

Lance Spitzner

AWS has been raising the bar on enforcing MFA for privileged accounts, starting with organizations management root accounts back in October of 2023, now moving to root users of standalone accounts. Adding support for passkeys provides another attractive option you can leverage to incentivize users to adopt not just MFA, but phishing-resistant MFA. Given the shenanigans around compromising reusable credentials, you should already be using MFA for AWS accounts, root or otherwise.

Lee Neely

It is good to see AWS making MFA mandatory for privileged accounts. Sadly, I often see 'professional' IT people claim they do not need MFA because they would never fall for a phishing attack and they use strong passwords. Sadly, making things mandatory is often the most effective way to manage this risk. However, we as an industry have a long way to go to make identity and access management something that is painless and user friendly, both for those administering and running systems and platforms and for those that use them.

Brian Honan

The implementation of mandatory MFA is timely given the recent Snowflake incident. Hopefully, AWS will expand mandatory use of MFA to non-privileged accounts to complete the journey away from passwords.

Curtis Dukes

Good to see, good to do for all your internal privileged users if you can't do it for everyone.

John Pescatore

Better late than never; strong authentication has been essential and efficient for at least a decade. Many implementations are even more convenient than passwords. However, one of the limitations of strong authentication schemes is that they may require user cooperation to setup. This makes mandating them on one's customers problematic. However, relying on fraudulently reusable credentials for infrastructure is reckless. It is long past time to stop treating infrastructure as "the cloud," soft, hazy, and often opaque.

William Hugh Murray

2024-06-15

Microsoft Announces Security-Inspired Changes for Outlook

As part of its Secure Future Initiative, Microsoft will make several security-related changes to Outlook over the next few months. Microsoft plans to deprecate Basic Authentication (username and password) for all personal Outlook.com accounts in mid-September; mail clients will need to support Modern Authentication (OAuth-based tokens) to keep connecting. Microsoft will also retire Outlook Light, the lightweight web version for older browsers, and end support for the Mail and Calendar apps on Windows. At the end of this month, users will no longer be able to access Gmail through Outlook.com; Outlook for Windows will still allow Gmail access.
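What the move from Basic to Modern Authentication means on the wire for a mail client, as an added example that is not Microsoft's code and not part of the original item: an IMAP client learns from the server's CAPABILITY response whether password-based LOGIN/AUTH=PLAIN is still accepted or whether it must present an OAuth token through the XOAUTH2 SASL mechanism, whose initial response is the base64 of `user=<address>^Aauth=Bearer <token>^A^A`. The two CAPABILITY lines, the address and the token below are constructed; nothing here connects to a server.

```python
"""Tell basic-auth IMAP servers from Modern-Auth-only ones, and build the
XOAUTH2 SASL initial response a Modern Auth client sends.

Added example, not Microsoft's or Outlook's code. The CAPABILITY lines
and the token are constructed; nothing here talks to a real server.
"""
import base64

# Constructed server responses. The second is what a server that has
# turned off Basic Authentication would advertise.
LEGACY_CAPS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE"
MODERN_CAPS = "* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=XOAUTH2 IDLE"

PASSWORD_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}
TOKEN_MECHS = {"AUTH=XOAUTH2", "AUTH=OAUTHBEARER"}


def parse_capabilities(line):
    """Return the capability tokens from an untagged CAPABILITY response."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return {p.upper() for p in parts[2:]}


def classify(caps):
    """Report whether a password can still log in and whether tokens are accepted.

    Plain LOGIN is allowed unless LOGINDISABLED is advertised; AUTH=PLAIN and
    AUTH=LOGIN are password mechanisms too, so either keeps basic auth alive.
    """
    basic_auth = "LOGINDISABLED" not in caps or bool(caps & PASSWORD_MECHS)
    token_auth = bool(caps & TOKEN_MECHS)
    if token_auth and not basic_auth:
        verdict = "modern-auth-only: clients must support OAuth"
    elif token_auth:
        verdict = "both: password still accepted, migration not finished"
    elif basic_auth:
        verdict = "basic-auth-only: clients will break when it is turned off"
    else:
        verdict = "no supported mechanism"
    return {"basic_auth": basic_auth, "token_auth": token_auth, "verdict": verdict}


def xoauth2_initial_response(user, access_token):
    """Encode the SASL XOAUTH2 initial client response for AUTHENTICATE."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def decode_xoauth2(initial_response):
    """Server-side view: recover (user, token) from the client's response."""
    raw = base64.b64decode(initial_response).decode()
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    bearer = fields["auth"]
    if not bearer.startswith("Bearer "):
        raise ValueError("auth field is not a Bearer token")
    return fields["user"], bearer[len("Bearer "):]


if __name__ == "__main__":
    for label, line in (("legacy", LEGACY_CAPS), ("modern", MODERN_CAPS)):
        print(label, classify(parse_capabilities(line))["verdict"])
    resp = xoauth2_initial_response("alice@example.com", "constructed-token")
    print("AUTHENTICATE XOAUTH2", resp)
    print(decode_xoauth2(resp))
```

The useful check for an inventory is `classify`: any client that only knows how to send LOGIN or AUTH=PLAIN stops working the day the server starts advertising the second capability line.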

Editor's Note

Similar to the AWS initiative of pushing people to stronger authentication options, but two differences here: First, Microsoft is not requiring the use of MFA; instead, they are requiring the use of mail apps that support Modern Authentication methods. Second, they are actively EOLing support of anything that does not support that. This is a fantastic first step to ensuring people can use and support strong authentication methods. The challenge for Microsoft (and any vendor) is making strong authentication as simple as possible. Requiring MFA for IT Admins and Developers is one thing, requiring it for the Ordinary Computer User is a whole different challenge.

Lance Spitzner

This moves the free Outlook/Hotmail/Live.com users from password-based authentication to token-based authentication. This will manifest itself in two ways. First, users will see an authentication prompt asking them to trust the Microsoft authentication service. Second, users who are not on supported clients will no longer be able to authenticate. This includes the old Mail and Calendar apps on Windows; Microsoft is replacing these with the free Outlook for Windows. You will still be able to use the Outlook Web App, but use a current browser (current Edge, Chromium, Safari and Firefox browsers work), as the old lightweight version for older/less capable browsers is also retiring.

Lee Neely

Similar to AWS item above, all movement away from reusable passwords is good movement. Since Microsoft is investing billions of dollars in AI, I'd like to see announcements of email processing able to detect AI generated content.

John Pescatore

Appears to be a two-fold strategy by MSFT: First, some housecleaning for outdated applications to include the mandatory use of MFA - a good thing. Second, perhaps some positive press for their Secure Future Initiative, given the pummeling they've received over multiple security lapses.

Curtis Dukes

The Rest of the Week's News


2024-06-17

Synnovis Breach Impact Continues

A June 3 ransomware attack on UK pathology services provider Synnovis continues to affect healthcare services in London. The incident has significantly reduced the number of tests that Synnovis can process. The two most affected Trusts - King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust - have had to reschedule more than 800 surgeries and 700 outpatient visits.

Editor's Note

This recovery is going to take a bit: Synnovis is talking about restoring services over the next few weeks. The impacted Trusts have been working to reschedule and adapt to meet patient needs. No ill will towards Synnovis; this is hard and uncomfortable, and I wish them well. Even so, this begs the question of how you would survive an outage of a critical service provider. How long are your workarounds viable? Have you investigated a secondary or fail-over option?

Lee Neely

2024-06-14

Ascension Says Personal Data Stolen, EHR Access Restored

Last week, the Ascension healthcare system made two announcements regarding a May ransomware attack. On Wednesday, June 12, Ascension disclosed that the attackers had exfiltrated data, including patient protected health information (PHI) and personally identifiable information (PII). On Friday, June 14, Ascension announced that it has restored access to electronic health records (EHRs). The ransomware appears to have gained a foothold in Ascension's environment after an employee accidentally downloaded a malicious file.

Editor's Note

The good news is services are online, though some data is still being restored; the bad news is information was exfiltrated. Patients are being offered free credit monitoring and identity theft services. Ascension is being transparent in stating the root cause was social engineering: an employee downloaded a malicious file they thought was legitimate. We've all been there; it's definitely a good example to incorporate into your training. While you're at it, look at their cybersecurity event site for some ideas on how to share information about the event and what is impacted.

Lee Neely

Those users and applications (e.g., email, browsing, file transfer) must be isolated from mission critical applications (e.g., EHR).

William Hugh Murray

2024-06-17

Key Tronic Says Data Stolen in Cyber Incident

In an amended Form 8-K filing with the US Securities and Exchange Commission, printed circuit board assembly firm Key Tronic says it has determined that the threat actor accessed and exfiltrated limited data from the company's environment during a cyberattack. The data includes some personally identifiable information. Key Tronic also noted that it has so far incurred $600,000 in expenses related to the attack.

Editor's Note

This is another Black Basta attack, resulting in Key Tronic having to shut down US and Mexican operations for two weeks while the attack was responded to. Interesting that PII was taken in the attack; I would have assumed the target was the IP related to their PCBA activities. Lesson learned: all data is a target. It's the consequence of loss that changes.

Lee Neely

In its latest year, Key Tronic reported revenue of $588M. One leaves it to its management to judge whether a $600K expense is material. However, the SEC rule seems to be inviting defensive reporting. More experience will be necessary to see the long-term effect of the rule.

William Hugh Murray

2024-06-17

Globe Life Cyber Incident

In a Form 8-K filing with the US Securities and Exchange Commission (SEC), Texas-based insurance company Globe Life has disclosed that they are investigating a data breach that may have compromised consumer and policy-holder information. Globe Life became aware of the incident following an inquiry from a state insurance regulator. The incident appears to involve a web portal, to which Globe Life has since removed external access.

Editor's Note

Discovering a breach after your regulator initiates an inquiry is not ideal. The question is why didn't they already know about the incident? Do you have sufficient visibility into systems to detect anomalous activities? Have you moved to incorporating application logs into your SIEM? Are you deploying EDR tools on your servers? EDR tools now have functionality which can both alert to and block certain types of malicious activity. Make sure you're leveraging the tricks of the tools you're already deploying to your advantage.

Lee Neely

2024-06-17

LA County Public Health Data Breach Compromised Data of 200,000+ Individuals

The Los Angeles (California) County Department of Public Health has disclosed that a February phishing incident compromised the personal information of more than 200,000 people. The attacker obtained the log-in credentials of more than 50 Public Health employees. The Department has disabled the compromised email accounts, reset and re-imaged affected devices, blocked the websites used in the phishing campaign, and is quarantining suspicious incoming email. The Department is notifying affected individuals by mail.

Editor's Note

The compromised credentials were used to access PII such as names, birth dates, social security numbers, diagnoses, prescriptions, health insurance information, patient IDs, medical record numbers, Medicare/Medi-Cal numbers and financial information. One hopes part of the after-action is to implement comprehensive MFA as well as breach monitoring for compromised credentials. The stakes are too high, particularly in any medical-related field, to not raise the bar, particularly when offset against the cost of a recovery, or of credit monitoring/restoration for affected users.

Lee Neely

Credential theft is one of the key paths for evildoers to access a target's IT infrastructure. It essentially unlocks all the doors without alerting any security mechanisms that may be in place. For the employee, MFA and security awareness training are two relatively low-cost tools that can be used to limit credential theft.

Curtis Dukes

2024-06-14

California AG: $6.75 Million Settlement from Blackbaud

South Carolina software company Blackbaud has agreed to pay $6.75 million to settle charges arising from a 2020 data breach. Blackbaud sells data management software to non-profits. Following the July 2020 breach, Blackbaud misrepresented the scope of the incident. The settlement also requires Blackbaud to improve its cybersecurity posture and breach notification practices. The complaint was brought by the California Attorney General (AG). Blackbaud has previously reached settlements with AGs in the other 49 US states and the District of Columbia.

Editor's Note

Blackbaud misrepresented both the scope of the breach and the level of their security practices. Since this incident, we've seen the value of being as transparent as possible about breach details; it can make the difference between recovery and a going-out-of-business sale. When it comes to security claims, assume that trust-but-verify is in play: conduct assessments, internal or external, and address issues, rather than assuming nobody will discover them.

Lee Neely

The key phrase is 'failure to implement reasonable data security.' The Center for Internet Security (CIS) recently published 'A Guide to Defining Reasonable Cybersecurity,' where they provide guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of reasonable cybersecurity. Give it a look. CISecurity: Reasonable Cybersecurity Guide https://www.cisecurity.org/insights/white-papers/reasonable-cybersecurity-guide

Curtis Dukes

While the charges were related to the breach, they resulted from the "coverup." Err on the side of candor.

William Hugh Murray

2024-06-17

ASUS Releases Firmware Updates to Address Router Flaws

On Friday, June 14, ASUS released security updates to address two vulnerabilities in their routers. One of the vulnerabilities (CVE-2024-3080) is a critical improper authentication issue that can be exploited by an unauthenticated remote attacker to bypass authentication and log in to the device. The second vulnerability (CVE-2024-3079) is a high-severity stack-based buffer overflow that an attacker with administrative access could exploit to execute arbitrary commands. The two could be chained: the authentication bypass supplies the administrative access the overflow requires. Users are urged to update to the latest firmware versions.

Editor's Note

For ANY router like this, never expose the web based admin interface to the internet. Note that D-Link also released patches this week for a similar severe vulnerability. Add a calendar event to check for router firmware updates once a month.

Johannes Ullrich

The vulnerabilities could be weaponized to own these devices. The primary fix is to update the firmware on affected devices. Workarounds include both ensuring long complex passwords are used and disabling internet reachable services, such as remote access, port forwarding, DDNS, VPN server, DMZ, port triggers. Given the impact of disabling these services, applying the firmware update will be faster and easier. Even so, ensure WAN based administration is disabled and strong passwords are used.

Lee Neely

2024-06-17

Scattered Spider Suspected Ringleader Arrested

Police in Spain have arrested an individual believed to be the leader of a hacking group known as Scattered Spider. The group has launched attacks against numerous organizations, including MGM Resorts. They are also known for social engineering attacks against help desks and for MFA fatigue attacks that overwhelm users with fraudulent MFA push requests.

Editor's Note

One imagines some casino operators want a piece of this guy. In addition to Tyler Buchanan's arrest, another alleged Scattered Spider gang member, Floridian Noah Michael Urban, was arrested in January. This was a joint operation between the Spanish Police and the FBI and was a complex challenge due to the structure of the gang. Law enforcement is learning how to work with the non-traditional structure of current gangs to facilitate future takedowns, putting them on notice that their days of being untouchable are numbered.

Lee Neely

Amidst all the news stories about the damage and harms criminals inflict on people, for example the Synnovis Breach story, it is good to see law enforcement are able to identify suspects and arrest them.

Brian Honan

2024-06-14

Fired Employee Pleads Guilty to Deleting Virtual Servers, Gets 32 Months in Prison

A former employee of National Computer Systems (NCS) in Singapore has been sentenced to more than two-and-a-half years in prison for deleting virtual servers after being fired. Nagaraju Kandula pleaded guilty to deleting 180 virtual servers, causing SGD 918,000 (approximately USD 679,000) in damages. Kandula was let go from NCS in November 2022; the firm had not revoked his credentials, which he used to access company systems in February and March 2023.
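One way to catch what this case describes, as an added example that is not from the original item and not NCS's code: run authentication and administrative events against the HR separation feed and a per-user baseline of login countries, and flag any activity after an account's termination date, any successful login from a country outside the user's baseline, and any bulk virtual-machine deletion. The key=value log format, the HR feed, the baseline, the threshold and the usernames below are all constructed for illustration; in practice the inputs would be your SIEM, VPN concentrator and hypervisor audit logs.

```python
"""Detect post-termination and anomalous privileged access.

Added example, not code from NCS or the original item. The key=value
log format, the HR feed and the geo baseline are constructed stand-ins
for SIEM, VPN and hypervisor audit data.
"""
import re
from collections import Counter
from datetime import date, datetime

# Constructed HR separation feed: user -> last day (None = still employed).
TERMINATIONS = {"nkandula": date(2022, 11, 16), "alice": None}

# Constructed baseline: countries each user logged in from while employed.
BASELINE_COUNTRIES = {"nkandula": {"SG"}, "alice": {"SG"}}

# Destructive actions per user at or above this count get flagged.
BULK_DELETE_THRESHOLD = 2

# Constructed events. A terminated admin logs in from abroad and deletes
# VMs; a current employee does routine work; an unknown account fails.
SAMPLE_LOG = """\
2023-01-06T02:14:33Z event=login user=nkandula src=203.0.113.7 geo=IN result=success
2023-01-06T02:20:01Z event=vm_delete user=nkandula target=vm-0042
2023-01-06T02:20:09Z event=vm_delete user=nkandula target=vm-0043
2023-03-01T10:01:12Z event=login user=alice src=198.51.100.9 geo=SG result=success
2023-03-03T08:45:00Z event=vm_delete user=alice target=vm-0007
2023-03-04T01:05:17Z event=login user=nkandula src=198.51.100.22 geo=SG result=success
2023-03-04T01:30:00Z event=login user=mallory src=192.0.2.5 geo=US result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_events(log_text):
    """Parse each line into a dict with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the format
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect(log_text, terminations=TERMINATIONS, baseline=BASELINE_COUNTRIES,
           bulk_threshold=BULK_DELETE_THRESHOLD):
    """Return (timestamp, user, reason) findings for the three rules."""
    events = parse_events(log_text)
    findings = []
    deletes = Counter()

    for ev in events:
        user = ev.get("user", "?")
        when = ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")

        # Rule 1: any activity after the HR-recorded last day.
        last_day = terminations.get(user)
        if last_day is not None and ev["ts"].date() > last_day:
            findings.append((when, user, "activity after termination"))

        # Rule 2: successful login from a country outside the baseline.
        if ev.get("event") == "login" and ev.get("result") == "success":
            geo = ev.get("geo", "??")
            if geo not in baseline.get(user, set()):
                findings.append((when, user, f"login from unexpected country {geo}"))

        # Rule 3: tally destructive actions for the bulk check below.
        if ev.get("event") == "vm_delete":
            deletes[user] += 1

    for user, n in deletes.items():
        if n >= bulk_threshold:
            findings.append(("-", user, f"bulk VM deletion ({n} in log)"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

Rule 1 is the cheapest and most decisive: a login by an account whose HR record says the person left is a finding regardless of where it comes from, which is why the separation feed has to reach the detection pipeline and not only the account-disablement ticket.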

Editor's Note

The fired employee accessed the system multiple times in 2022 and 2023, from India and Singapore. Two factors to ponder: First, how well does your account termination/lockout process work? Consider voluntary and involuntary separations. Include employees transitioning status, e.g. from employee to consultant. Second, have you enabled unexpected access scenario detection - particularly for privileged accounts? Should that account be logging in from another country? Not every function needs to be allowed from anyplace on the Internet.

Lee Neely

An example of the importance for all parts of a company, Legal, HR, IT, and Information Security, to create and actively manage the process for departing employees. An employee's accounts should be suspended within minutes of their termination.

Curtis Dukes

Does your insider incident response plan include someone deleting all your machines and backups?

Moses Frost

Internet Storm Center Tech Corner

New NetSupport Campaign Delivered Through MSIX Packages

https://isc.sans.edu/diary/New+NetSupport+Campaign+Delivered+Through+MSIX+Packages/31018

Overview of My Tools That Handle JSON Data

https://isc.sans.edu/diary/Overview+of+My+Tools+That+Handle+JSON+Data/31012

iTerm2 Vulnerability

https://vin01.github.io/piptagole/escape-sequences/iterm2/rce/2024/06/16/iterm2-rce-window-title-tmux-integration.html

NextCloud Vulnerability

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c

Python Serialization and "Sleepy Pickle"

https://x.com/MarkBaggett/status/1801732554740969561

D-Link Router Backdoor

https://www.twcert.org.tw/en/cp-139-7880-629f5-2.html

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10398

Detecting Headless Chrome

https://deviceandbrowserinfo.com/learning_zone/articles/detecting-headless-chrome-puppeteer-2024

Detecting Malicious VS Code Extensions

https://medium.com/@amitassaraf/4-6-introducing-extensiontotal-how-to-assess-risk-in-vs-code-extensions-3ac5bfd83fb1

ASUS Router Critical Vulnerability

https://www.asus.com/content/asus-product-security-advisory/