Microsoft Overhaul Treats Security as 'Top Priority' After a Series of Failures
Microsoft is making security its number one priority for every employee, following years of security issues and mounting criticisms. The Verge: After a scathing report from the US Cyber Safety Review Board recently concluded that "Microsoft's security culture was inadequate and requires an overhaul," it's doing just that by outlining a set of security principles and goals that are tied to compensation packages for Microsoft's senior leadership team. Last November, Microsoft announced a Secure Future Initiative (SFI) in response to mounting pressure on the company to respond to attacks that allowed Chinese hackers to breach US government email accounts.
Just days after announcing this initiative, Russian hackers managed to breach Microsoft's defenses and spy on the email accounts of some members of Microsoft's senior leadership team. Microsoft only discovered the attack nearly two months later in January, and the same group even went on to steal source code. These recent attacks have been damaging, and the Cyber Safety Review Board report added fuel to Microsoft's security fire recently by concluding that the company could have prevented the 2023 breach of US government email accounts and that a "cascade of security failures" led to that incident. "We are making security our top priority at Microsoft, above all else -- over all other features," explains Charlie Bell, executive vice president for Microsoft security, in a blog post today. "We will instill accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones."
Guess they ate their own dog food (Score:3)
wow, really? (Score:4, Interesting)
While I don't use Microsoft products unless forced to use them (work) I am surprised that their security is this bad.
They have been top dog in the enterprise space for decades, have virtually unlimited money to spend on improving their product. To see this happen, theft of code, and senior officers getting hacked.
Wow, just wow.
Is it incompetence? malfeasance?
How can something like this happen today, in 2024, with all that we know about security.
Re:wow, really? (Score:4, Insightful)
Greed, too. Security logging is extremely limited unless you're buying their top end packages. Even some basic logging is locked behind a paywall so you can't easily figure out if you have compromised user accounts in your organization. Last year, they opened some of that up to government customers. But everyone else has to still pay extra.
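The comment above turns on whether you can see mailbox-access events at all. Once you do have the MailItemsAccessed records (the ones that used to sit behind the premium audit tier), the triage is not hard; here is an added example, not from the thread or from Microsoft, of the first pass a practitioner would run over an export. The record layout follows the AuditData JSON that Exchange mailbox auditing emits (Operation, UserId, ClientIPAddress, ClientInfoString, OperationProperties with MailAccessType and IsThrottled), but the sample records, the example.com users, and the KNOWN_RANGES allowlist are all constructed for illustration.

```python
"""Flag suspicious MailItemsAccessed events in a Microsoft 365 audit export.

Added example (not from the Slashdot thread or from Microsoft). Records follow
the AuditData JSON layout of Exchange mailbox auditing; the sample records and
the KNOWN_RANGES allowlist below are constructed and are assumptions.
"""
import ipaddress
import json

# Assumption: the organisation's own egress ranges (documentation prefix here).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export: one AuditData JSON document per line.
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2024-05-03T09:12:44", "Operation": "MailItemsAccessed",
                "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.7",
                "ClientInfoString": "Client=OWA;Action=ViaProxy",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                        {"Name": "IsThrottled", "Value": "False"}]}),
    json.dumps({"CreationTime": "2024-05-03T09:15:01", "Operation": "MailItemsAccessed",
                "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.23",
                "ClientInfoString": "Client=REST;Client=RESTSystem;;",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                        {"Name": "IsThrottled", "Value": "False"}]}),
    json.dumps({"CreationTime": "2024-05-03T09:20:30", "Operation": "MailItemsAccessed",
                "UserId": "bob@example.com", "ClientIPAddress": "203.0.113.9",
                "ClientInfoString": "Client=Outlook",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                        {"Name": "IsThrottled", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-03T09:21:00", "Operation": "UserLoggedIn",
                "UserId": "bob@example.com", "ClientIPAddress": "203.0.113.9"}),
]


def _prop(record, name):
    """Return the value of a named entry in OperationProperties, or None."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def is_known_ip(ip, known_ranges=KNOWN_RANGES):
    """True if ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in known_ranges)


def find_suspicious_access(auditdata_lines, known_ranges=KNOWN_RANGES):
    """Scan AuditData JSON lines and return a list of findings (dicts).

    Two signals are raised:
      * MailItemsAccessed from an IP outside known_ranges; a Sync (whole-folder
        synchronisation) is rated high because it looks like bulk collection,
        a Bind (individual item reads) medium.
      * IsThrottled == "True" (assumed string value, as in the export) means
        the service stopped logging further accesses in that window, so the
        record undercounts and the user deserves a closer look.
    """
    findings = []
    for line in auditdata_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        user = rec.get("UserId", "?")
        ip = rec.get("ClientIPAddress", "")
        access = _prop(rec, "MailAccessType")
        if _prop(rec, "IsThrottled") == "True":
            findings.append({"user": user, "ip": ip, "severity": "info",
                             "reason": "throttled: later accesses in this window were not logged"})
        if not is_known_ip(ip, known_ranges):
            severity = "high" if access == "Sync" else "medium"
            findings.append({"user": user, "ip": ip, "severity": severity,
                             "reason": f"{access} from IP outside known ranges "
                                       f"({rec.get('ClientInfoString', '')})"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_access(SAMPLE_AUDITDATA):
        print(f"[{finding['severity']}] {finding['user']} {finding['ip']}: {finding['reason']}")
```

The allowlist is the weak part of this check: an attacker coming through a compromised device on your own ranges will not trip it, so in practice you also diff ClientInfoString against what each user normally presents, and treat any throttled record as a reason to pull the full window rather than trust the count.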
Re: (Score:2)
Indeed. They do not even seem to be able to afford that security logging themselves, because they noticed nothing and they still do not know how the attackers got in.
Re: (Score:3)
Well, what do we "know" about security really? Have two "high security" companies point their security auditors at each other and most likely they'll both fail each other, while they would pass themselves. "Security" experts regularly hold contrary views from each other on the "secure" way to do this or that. There's some obviously "bad" security practices, but a lot of disagreement on "good" security practices.
Very unhelpful is the myriad of "security" vendors hawking their wares and many of these argua
Re: (Score:3)
Get independent security consulting and security audit from _small_ companies. And then you may find out that we know a _lot_ about security and how to do it right. Most people just do not want to hear it because it cost money and they may have to change some things.
Re: (Score:2)
Security experts love to argue. But this is a good thing about security experts! So if you say "I want an easy way for customers to access their records without the hassle of dealing with password rules or PKI", you WANT the expert who tells you that you're an idiot.
We had a security expert who'd regularly tell people (managers, designers, even executives) that their designs were flawed. They really did not like him at times because of this. He was abrasive, but he was also right. Security is not like
Re: (Score:3)
I'd say there should be a path of not dealing with password rules by getting away from passwords.
I also say that the fact that PKI is considered annoying is a bit of a failure of the industry to make it easier. Fundamentally, it's not a hard thing, but usability hasn't been high on the list.
Big problem in general is that you have some people on one side trying to get stuff done, but being woefully clueless about security, and then on the other side people who *only* care about security, failing to underst
Re: (Score:3)
Is it incompetence? malfeasance?
How can something like this happen today, in 2024, with all that we know about security.
Simple: No penalties, no liability, no warranty for software and software-based services and the usual idiots throw money at them like crazy. Hence they simply do not care (malfeasance) and there is also evidence enough they simply cannot do things right (incompetence). What Microsoft needs is software liability. And then to die as a result of that.
Re: (Score:3)
It's entropy, plain and simple. Sooner or later, no matter how secure an organization may be at any given point, skip ahead a few cycles, and attention to detail wanes. Managers stop asking questions, project leaders reprioritize thinking the problem is solved, staff do a "monkey see, monkey do", and then new gaps open up, get taken advantage of, management go into a state of denial, project leaders can't get their teams to give a damn, and then the inevitable breach or audit reveals the extent of the vulne
Re:wow, really? (Score:5, Insightful)
Spent five years with Microsoft Consulting Services (MCS) working the DoD account.
1) MSFT has outsourced its internal IT, from the authentication services to the endpoint, soup to nuts. So forget knowing much in-house about that.
2) MSFT careers are mostly measured in times briefer than mine, so institutional knowledge is in short supply.
3) MSFT hires a lot of people direct from college from masters' degree programs and such. So expecting a lot of industry knowledge - unlikely.
4) MSFT, to the extent it's not sales centric, which it very much is, is developer centric. This means people who know jack about infrastructure are rare, and those who float to the top are salespeople themselves with limited technical acumen.
5) MSFT developers are generally clueless about security best practices. They weren't asked to be and had no reason to become so.
6) MSFT's cloud arm is chronically understaffed and has significant tech debt. Meaning the hard examinations of security best practices are generally not happening.
7) MSFT does have security people inside itself, however they are barely listened to about internal matters and mostly thrown at customers to provide (paid) best practices discussions.
8) None of the steps consistent with fixing the glaring problems are immediately consistent with making quarterly numbers, which is the prime directive at MSFT.
Re: (Score:2)
How can something like this happen today, in 2024, with all that we know about security.
It's a lot like STIs. With all we know, how do they spread? Only someone who has no hope of having sex asks that.
Oh, right - this is Slashdot!
It's all about incentives. There are a lot of them that are more compelling than security, safety, and health.
Re: (Score:2)
To quote Lily Tomlin as Ernestine, the phone company operator: "We're the phone company. We don't care. We don't have to."
They treat customers like dirt, treat the need for security in the products given to customers as a waste of time, unilaterally and hilariously declare themselves experts on security while everyone knows them to be incompetent buffoons. So it comes back to bite them. "With all that we know about security" does not apply to Microsoft.
With the "eat your own dog food" metaphor it m
Re: (Score:2)
Is it incompetence? malfeasance?
Maybe a little of column A and a little of column B, but it is column C that dominates: Arrogance.
Almost nobody on this planet second guesses their successes. They just roll with the success and assume that their thought processes are what caused the success. Once you begin relying on your own thought processes for success, you can legitimately be called "arrogant". Arrogance is a tough drug to quit. Microsoft has exactly zero chance of it since their business allows them to laugh at government regulations.
Microsoft is our problem (Score:5, Insightful)
The US government’s over-reliance on Microsoft is the big problem.
https://arstechnica.com/inform... [arstechnica.com]
Re: (Score:2)
Consumerism feeding opinion on government is the issue. Governments shouldn't always be buying out-of-the-box systems from IT vendors. They almost never get the support they need anyway. And then we cut budgets for government IT to put it more in line with consumer expectations.
You can talk about the aging IRS infrastructure, but the stuff they built 50 years ago is still being used. They just didn't get the budget to maintain and continue to improve it.
"Top Priority" (Score:5, Informative)
Heard this before from Microsoft. We'll see.
Re: (Score:3)
Yes, I think it was around the time Bill left M/S. But, every time a large company says "xxx is our top priority", the exact opposite happens. So it was top like 20 years ago; all that happened was spyware was eventually added because "blame the users".
Can't wait to see how much worse M/S will make things. FWIW, it is not just M/S, but many big companies go down this path. Remember IBM's 5 year plan :)
Introducing new tech to 'hide' old unsecure tech (Score:2)
Is anyone else getting that Microsoft's 3 year 'long term' support lifecycle for core products, APIs, Azure features
is just a cover so that they always can sell the new technology solution to hide the fact that the existing 'industry strength and industry quality' solution gets forgotten?
A conjecture: Is the lowering quality of security correlated to the rise in the number of disconnected systems and lightly tested integration APIs?
Each interconnect between systems is a wedge point for people to attempt to bre
A way to move forward (Score:2)
Our newer projects have a much more limited range of what technologies, cloud services, open-source packages and APIs to use because of the too many moving parts risk.
It can be as simple as building slightly larger applications,
writing the 4 extra lines of code instead of using a 1 person supported open source library,
using existing tools to do what they do well (basic referential integrity checking a database instead of a service layer),
requiring a minimal level of business justification, time/cost/risk an
ChatGPT odd way it can help (Score:2)
Write prompts for how to write some code which always include "Write a java function to do X. Do not use third-party libraries. Do not use open source packages. Do not use A, B, C".
Essentially, asking the AI to write a code sample so that it is as simple as possible and does not tie itself to extra risk of unknown quality open source or third party libraries. The AI training set has dozens of example code using a well-known open source package which
the open source package is already end of lifed or zomb
Re: (Score:2)
"writing the 4 extra lines of code instead of using a 1 person supported open source library," - my son bitches about this in other people's code all the time. "Why, just why??"
You don't save by using a library for trivial code (Score:2)
Question to ask your development team:
How many lines of code saved makes it lower TCO over 5 years when you use a third-party library instead of writing the code without the third-party library?
Sure it saves you 5 lines of C# code today, and takes 30 minutes, but how much will it cost for the next developer and how much will it cost for the development team to replace when the 1 guy in Nebraska maintaining the library retires?
XKCD - Dependency - https://xkcd.com/2347/ [xkcd.com]
Re:"Top Priority" (Score:5, Informative)
When Howard Schmidt was asked about his time as security chief at Microsoft, having been named special adviser for cyberspace security to the White House by Bush, he said security was a top priority there. A couple of years later, Gates announced that Microsoft never viewed security as a priority and announced the entire company was going to drop their regular duties and spend a month on security training.
Re: (Score:2)
I predict this is for show and they will simply get that money some other way.
Re: (Score:2)
no they created new positions to take the hit
news at 11
Top Priority (Score:5, Informative)
This has to be the eighth time in the last twenty years that Microsoft has declared security to be the top priority, yet nothing ever changes. The Press treats each declaration as the most important statement ever made, and the Microsoft apologists proclaim the announcement as proof that this isn't your father's Microsoft.
I somehow doubt the cycle will be broken this time.
Re:Top Priority (Score:4, Interesting)
And why should things get better? They rake in more cash than ever for their crap. Nothing happens to anybody responsible for this extreme mess. So they will continue to sell crap.
The most toppiest toppness ever, believe me! (Score:2)
> This has to be the eighth time in the last twenty years that Microsoft has declared security to be the top priority, yet nothing ever changes.
I indeed remember multiple from the past also.
"But this time it's top top top priority, not just top top priority".
I once had a non-IT PHB-like manager who would rank ALL items on my to-do list "A+" (top-most importance). I pointed out that doesn't tell me which to start on first, but the PHB replied, "If I put B's and C's, you won't be motivated to get to them."
Re: (Score:2)
How the F do humans that dumb get to be managers?
Simple: They cannot do anything valuable and hence try really hard to be managers. And the other managers that got into their positions the same way really welcome the non-competition. Can you imagine what utter catastrophe (for the other managers) an actually competent manager would be? People could notice that they are only faking it all the time!
Re:Top Priority (among 20+ other top priorities) (Score:2)
This has to be the eighth time in the last twenty years that Microsoft has declared security to be the top priority, yet nothing ever changes.
Of course, because just like any other large company run by PHBs, they have dozens of other "top priority" things like making more profits, cutting costs and delivering projects, so their engineers still have no time to bother about security.
If someone hearing "top priority" thought that would mean security is of higher priority than other things, that someone has not worked in any larger company before.
No they won't! (Score:5, Insightful)
This isn't the only move they need to make, but it's one of the most important. Other steps they have to do:
1. Open Source all products.
2. Provide independent third party audits.
3. Remove all tracking and analytic scraping.
4. Remove all Ad ware, and AI (unless they can secure the AI).
5. Remove online accounts by default from Windows.
6. Provide complete process transparency on Windows.
7. Put a Firewall / Security stack in place on Windows, that is actually decent.
Basically they're going to change Windows / Office into Linux / LibreOffice, and also crank the security up, so it's professional. Essentially, Microsoft is going to turn into a respected professional service company, and does anyone believe that?
Hahahahaha, good one! (Score:5, Insightful)
No, they are not doing that. They did not do that last time either. They pretended to care about security for a while and then they proceeded to establish the utterly crappy state they are in now. The same will happen this time.
Never make anything harder (Score:3)
The one thing everyone seems to universally be unwilling to do to secure systems is work. It is for example always online backups and never physically disconnected storage.
It is always stupidly massive aggregations of authority creating one rings to rule them all (e.g. AD) rather than decentralized management.
People keep piling on layers upon layers of indirection with their network segmenting and NAP shit that is of course all then centrally managed.
Random example just yesterday OpenSSL announced they were moving everything to github because it is cool or security or some such bullshit. I'm increasingly amazed by just how much opportunity/value and thereby incentive for mischief is being aggregated into the hands of so few.
There is never any real consideration given to actual isolation and decoupling. They just keep piling on top of their house of cards creating bigger and bigger incentives for mischief with increasing global consequences.
Meanwhile the low hanging basics NEVER get addressed. There is still no secure way to enter credentials into any Microsoft product. When I log into anything the one and only way I should be able to do that is by invoking SAS. That simply doesn't even exist. There to this day is still not a single secure ZKP based authentication protocol in any of Microsoft's products. The solution is ALWAYS tunneling legacy nonsense over separately secured channels while paying lip service to verifier impersonation. Yes never-mind the single biggest threat is phishing go check your email or phone app for the code you need to enter to login anyway for security... madness.
Just one giant shell game where people keep piling on layers upon layers of complexity to build ever more elaborate houses of cards with all kinds of fancy bullshit that enables them to pretend that isn't what they are actually doing.
Re: (Score:2)
In case you have not noticed, it is always the incompetent that are selected as "leaders". And they then select people to work for them that are no threat because they are even less competent. In some rare conditions, actually competent people may be hired to help, but they are soon gotten rid of after they are not needed anymore, because they make everybody else appear in a bad light. Stupidity, arrogance, incompetence, greed. Always the same crap with the human race.
QA (Score:2)
Maybe getting rid of QA and letting customers find bugs isn't a great pipeline.
Security can't be the top priority (Score:2, Redundant)
By law, as a publicly traded corporation, shareholder profits are the top priority.
Security is #1 until it isn't (Score:2)
Security (and reliability) are always secondary priorities until some customer escalates to an executive who then is outraged and declares an emergency resulting in something being a big priority, then when the eyeballs fade away, things return to normal secondary priority.
Paying Management, Not the Workers (Score:3)
As usual.
If they want their bonuses, they have to lean on their workers who have no financial incentive to put in the extra time or effort. A lot of security issues come from workers just not knowing what they're doing. Which means they need the compensation to go pay for classes and to put in the hours to become better so that they don't accidentally put in security holes.
Senior management team (Score:2)
"We will instill accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones."
Would it not be more effective to treat the SMT like other workers, and just sack them forthwith if or when there is insufficient progress?
security theatre (Score:2)
This story has been repeated month after month, year after year, decade after decade since Windows 1.0. This is why anyone doing any real business on the network has never used Windows for anything serious. The ones who continue doing so, do so at their own peril.