ON SECURITY

Twenty years of trustworthy computing
By Susan Bradley

Are we more secure now?

It’s been 20 years since Bill Gates wrote the “trustworthy computing” memo and had Microsoft’s developers take a coding pause so they could be trained in how to write more secure software. Twenty years later, are we more secure? Do you feel more secure? I’m not sure I do.

You know I watch this every hour of every day, and it sure feels like we are doing the same updating and patching dance over and over, without feeling more secure. We are promised that the hardware and software we buy will live up to their safety promises. We certainly deserve that — period. I think all the vendors need to do a better job of securing the hardware, operating systems, Web browsers, and software applications we use on a daily basis.

Microsoft seems to have a Jekyll-and-Hyde mentality about this. On the one hand, the company has pushed for secure options; on the other, it has pushed options that raised many questions and objections in the user base. Since Version 7 was released, Windows has been set up to allow us to configure a reasonably secure system, but the onus ends up on us to choose the right settings and configurations. But therein lies the rub — how can we tell whether Microsoft’s choices are designed for our security and safety or are an attempt to funnel us into online subscription services? A simple example of this is the ever-increasing difficulty of configuring Windows to use a local account. Meanwhile, Windows, especially version 11, puts a lot of pressure on us to sign up for a Microsoft account. The company touts the advantages, including security, of its online services rather than making sure those good solutions are built into the products it sells outright.

Dwell time
Recently, I recorded for my local certified public accounting society a seminar on the topic of security. My copresenter was Brad Maryman, a former supervisory special agent with the Federal Bureau of Investigation (FBI). We talked about how long attackers will lurk inside your computer or your network, waiting for the right time to attack. Often it’s not immediate, but more like a time bomb waiting to go off if not discovered first. Many times, the attacker’s goal is to gain information from your system without letting you know it’s happening. As we stated in the presentation, FireEye has noted that the median dwell time for ransomware attacks is 72.75 days before the attack is launched!

As Brad emphasized repeatedly during his presentation, users must enable logging so they can fully know how, where, and when attackers have gained access to their information. The Microsoft 365 subscription that most people purchase does not have logging enabled for long enough to cover that dwell time. Brad recommended that any firm, regardless of size, have at least six months of logging enabled on its mail servers and networks. Yet it’s only after you purchase the most expensive Microsoft 365 Enterprise license, E5, that you are able to configure a year’s worth of logging for your cloud mail server. (For those businesses acquiring the less expensive E3 subscription, only 90 days’ worth of logging is enabled.) An E5 license is US$57 per person per month.

The E5 license is also the only one that gives businesses use of a setting called “MailItemsAccessed,” which allows you to know whether an attacker actually read your email. Without it, you know only that an attacker gained access, but not exactly what they gained access to. Thus you’ll need to assume that everything was breached. A good explanation of this is available in the Microsoft Public Sector Blog article Discovering Microsoft 365 Logs within your Organization.
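As an added illustration of the logging point above (this is not code from the article, from Microsoft, or from the blog post cited), the following Exchange Online PowerShell checks whether mailbox auditing is switched on, how far back MailItemsAccessed events actually reach in the unified audit log, and which mailboxes those events say were read. It assumes the ExchangeOnlineManagement module is installed and the signed-in account is allowed to read the audit log; the six-month and 72.75-day thresholds are the figures quoted in the text, and the tenant must be licensed for MailItemsAccessed for any events to exist at all.

```powershell
# Added example, not part of the original article.
# Assumes the ExchangeOnlineManagement module is installed and the account
# running this has audit-log read permission in the tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Is mailbox auditing enabled tenant-wide? AuditDisabled = $true means nothing is logged.
$auditDisabled = (Get-OrganizationConfig).AuditDisabled
if ($auditDisabled) {
    Write-Warning "Mailbox auditing is disabled for the organization; no MailItemsAccessed events will exist."
}

# 2. Thresholds taken from the article: six months of logs recommended,
#    72.75-day median dwell time cited from FireEye.
$requiredDays   = 183
$medianDwell    = 72.75
$start          = (Get-Date).AddDays(-$requiredDays)
$end            = Get-Date

# 3. Pull every MailItemsAccessed record in the window. Search-UnifiedAuditLog
#    returns at most 5000 rows per call; reusing the SessionId with
#    ReturnLargeSet pages through the rest.
$sessionId = "mia-check-" + (Get-Date -Format yyyyMMddHHmmss)
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations MailItemsAccessed -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

if (-not $records) {
    Write-Warning "No MailItemsAccessed events in the last $requiredDays days: either the license does not include them or auditing is off."
} else {
    # 4. How far back does the retained history really go?
    $oldest = ($records | Sort-Object CreationDate | Select-Object -First 1).CreationDate
    "{0} MailItemsAccessed events; oldest is {1:yyyy-MM-dd}" -f $records.Count, $oldest
    if ($oldest -gt (Get-Date).AddDays(-$medianDwell)) {
        Write-Warning "Retained history is shorter than the $medianDwell-day median dwell time; an intrusion older than that could not be reconstructed."
    }

    # 5. AuditData is a JSON string; parse it to see who read which mailbox, from where.
    $records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Select-Object CreationTime, UserId, ClientIPAddress, MailboxOwnerUPN |
        Group-Object MailboxOwnerUPN |
        Sort-Object Count -Descending |
        Select-Object @{n='Mailbox';e={$_.Name}}, Count |
        Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

The grouped output is the quick triage view: a mailbox read from an unfamiliar ClientIPAddress, or by a UserId other than its owner, is the kind of event the article says you cannot see without this operation being licensed and logged.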
Smaller businesses get a break

Microsoft has made some concessions to smaller businesses in its pricing of Microsoft 365 solutions. Recently, it started a public test of its endpoint detection services in a specially priced Microsoft Defender for Business that can be purchased separately and will be included in Microsoft 365 Premium. This solution is limited to businesses with under 300 users. It allows small businesses to enjoy some of the same security solutions and recommendations that are included in the top enterprise subscription, E5. Primarily, it provides a console that guides the administrator in deploying Attack Surface Reduction rules and other security guidance. But, once again, the administrator has to purchase the security subscription and deploy it. Alex Fields has just started a series called Unboxing Microsoft Defender for Business, which I can recommend.

Recommendations for consumer and home users

If you go to any retail technology store, you will often be steered toward Chromebooks as a more secure solution because the applications are run in the cloud, not on the local PC. This may be misleading, especially for home users. First of all, cloud applications are also targets for attackers, as weekly news reports tell us. Secondly, the total security picture includes the Web browser used to access the cloud services, and there are concerns about the security of the Chrome platform. Not a month goes by that we don’t learn of a zero-day vulnerability in the Chrome browser. To the best of my knowledge, there have been a few Chrome browser zero days that have also impacted Chromebooks, so one should never assume that a Chromebook is immune. And, of course, a Chromebook operating system is reliant on one major weakness — the password!
Too many of us re-use passwords, especially on cloud services, and we thus introduce the risk that attackers who manage to harvest a password from one of our activities will simply try that credential on different services. Chromebooks and the Chrome browser also suffer from a problem I call the “plugin/extension risk” — malware found in extensions. When cleaning computers, the browser extensions are the first place I look. When I don’t recognize an extension, I immediately remove it.

Recently, the French government fined Google (and Facebook), saying, “the way the companies employ ‘cookies’ — small amounts of data generated while users browse websites and which can be used to track their activity — affects the ‘freedom of consent,’ as Facebook and Google make it much easier for netizens to authorize that data-tracking rather than to decline it.” With free services, far too often we are the product, and our data is sold to the highest bidder.

Apple, too, could do better
While Apple is gaining the reputation of putting privacy and security first, it could also do a better job of being trustworthy. Our own Brian Livingston recently detailed how AirTags can be used to stalk people (Look who’s stalking: Protect yourself from Apple AirTags, 2022-01-10). iPhones have been used worldwide in targeted attacks by the spyware Pegasus. Apple is notoriously slow in fixing security bugs, to the point where researchers have resorted to the low tactic of shaming Apple to get items fixed.

Recommendations for business users

Many business users depend on Microsoft Windows to run critical line-of-business applications, and they simply can’t move away easily. But that doesn’t mean we are without options. Unfortunately, as I’ve indicated above, it means that we must deploy the solutions — they won’t be automatic. Recently, Mandiant released a white paper showcasing some of the steps to take to better defend yourself from attacks, and Microsoft indicated that nation-states appeared to be launching destructive attacks against computers — to the point that the boot sector was damaged. The best protection against this type of attack is an old-fashioned backup routine, one that Microsoft doesn’t make easy to do nor even enable by default. The emphasis is on cloud storage rather than full-image backups.

Do you feel more secure?
So? Do you feel more secure? Given the millions of dollars in Bitcoins that ransomware operators get every day, I’d say we aren’t more secure now than we were 20 years ago. Given the increase in cyber-insurance premiums, I’d say insurance companies don’t think so, either.

Bill Gates had three major tenets that he wanted to stress: availability, security, and privacy. He said:

Availability: Microsoft’s products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.

Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.

Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information, including controlling the use of email they send.

Twenty years on, we’re still in the same boat. Systems still are not self-managing and are not inherently resilient. We still have a long way to go. Will it take another 20 years? More?
Susan Bradley is the publisher of the AskWoody newsletters.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Copyright ©2022 AskWoody Tech LLC. All rights reserved.