This week:

3 – Microsoft doesn’t give a damn about security.

2 – Google does better with its security.

1 – Google is forced to do better with its privacy.

3 – Microsoft doesn’t care about our security.

“The Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

This is according to a recent review published by CISA’s Cyber Safety Review Board (and mentioned by Ireland’s National Cyber Security Centre).

The Review Board commenced an investigation into how “a hacking group associated with the government of the People’s Republic of China, known as Storm-0558, compromised Microsoft’s cloud environment last year [and] struck the espionage equivalent of gold” because the attackers found a way “to gain full access to essentially any [Microsoft 365] account anywhere in the world [and] Microsoft does not know how or when [the cyber attackers] obtained the signing key” that enabled this level of access.

In the understatement of the year, the Review Board states that “Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products. The Board recommends that Microsoft’s CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made.”

So what? It looks like “too big to fail” in the banking world translates to “too big to give a damn” in the Microsoft world. Microsoft 365 is the de facto standard within many industries, including the regulated financial services world. Despite Microsoft’s proven inability to keep its back doors locked, it will be difficult to turn this ship around. We can only hope that regulators find ways to force a change of direction.

2 – Google does better

“Despite the news that Google Workspace is getting some of those cool and trendy AI-based security tools, this one [announcement] alone will have more impact on the security posture of organizations across the world than all that AI crap combined.”

This is according to a recent commentary on Risky Business about Google’s announcement that it has “added a new feature for its [Google] Workspace enterprise platform that will require multiple administrators to approve changes to an organization’s sensitive settings”. It means that “all super admins will be required to approve changes made to sensitive Workspace environments, such as changing MFA settings, account recovery steps, and login and session controls”. As described by Risky Business, this new feature will make it much harder for attackers to “compromise an admin account and then silently make changes to an organization’s sensitive Workspace settings without the rest of the admin team noticing”.

So what? Google may be regarded as a laggard when it comes to privacy, but if it keeps releasing pragmatic security improvements like this one, it will soon be leading the pack when it comes to security.

1 – Google is forced to do better

Google has settled a lawsuit that accused it of “tracking Chrome users’ internet activity even when they had switched the browser to the “Incognito” setting that is supposed to shield them from being shadowed”.

This is according to a recent report in SecurityWeek, after Google agreed to purge billions of records of personal data that had been collected from users while they browsed the web using Chrome’s Incognito mode. Google is also adjusting the browser’s explanation of what Incognito Mode does and does not do.

So what? In case you didn’t know, Incognito / Private Window mode in your browser reduces the likelihood that other people who use your device can see the sites you have visited. But it doesn’t stop your internet service provider (e.g. your phone or broadband provider) or website owners from tracking and recording this information. Using a VPN reduces your exposure, but then the VPN provider could also track and record your activity. In other words, don’t ever think you are truly anonymous online. Your data is too valuable to too many companies for that to happen!