The Cyber Safety Review Board (CSRB) criticizes the cloud security practices of one of the largest government technology vendors.
The CSRB, in its report released Tuesday, details a review of the Microsoft Exchange Online hack in the summer of 2023. The report also includes several recommendations on how agencies can improve cloud security across government and beyond.
The board found that “a series of avoidable Microsoft errors” contributed to the incident in which hackers stole unclassified emails from 22 organizations and more than 500 victims, including Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns, and Rep. Don Bacon (R-Neb.).
“The Board is of the opinion that this intrusion could have been prevented and should never have occurred,” the report said. “The Board also concludes that Microsoft's security culture was inadequate and requires a comprehensive overhaul, particularly in light of the company's centrality in the technology ecosystem and customers' level of trust in the company to protect their data and operations.”
In a statement, a Microsoft spokesperson pointed to the company's recently announced “Secure Future Initiative.”
“While no organization is immune to cyberattacks from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve operations, and enforce security standards,” the spokesperson said. “Our security engineers continue to harden all of our systems against attacks and implement more robust sensors and logs to help us detect and repel our adversaries’ cyber armies. We will also review the final report to make additional recommendations.”
“Microsoft’s Failure of Regulatory Oversight and Governance”
The CSRB report criticizes Microsoft for a range of security issues that the report says contributed to the Exchange Online hack.
It found that Microsoft lacked identity security controls that were standard for other cloud providers. Furthermore, the review found that Microsoft's encryption key rotation practices were outdated, allowing hackers to leverage the 2016 key to forge access to Exchange Online accounts.
The board said Microsoft “did not give sufficient priority to restructuring its legacy infrastructure to address the current threat landscape.”
The CSRB said the company still doesn't know how hackers obtained Microsoft's 2016 encryption key to spoof access to Exchange Online accounts.
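The failure described above is a signing key that stayed valid for years after it should have been retired, so a token signed with it still verified. The following is an added illustration, not code from the report or from Microsoft: a simplified token verifier that checks the signature and then rejects any token whose signing key is past its rotation window. The HMAC keys, key-set layout and 180-day window are constructed assumptions standing in for the real signing infrastructure.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key set: every signing key records when it was issued.
# The 2016 key is retained only so tokens signed with it can be recognised
# and refused; it must never be accepted as a valid signer.
KEYS = {
    "key-2016": {"secret": b"constructed-2016-secret",
                 "issued": datetime(2016, 4, 1, tzinfo=timezone.utc)},
    "key-2023": {"secret": b"constructed-2023-secret",
                 "issued": datetime(2023, 5, 1, tzinfo=timezone.utc)},
}
MAX_KEY_AGE = timedelta(days=180)  # assumed rotation window


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Issue a token <body>.<mac> where body names the key id used to sign it."""
    body = _b64(json.dumps({"kid": kid, **claims}).encode())
    mac = hmac.new(KEYS[kid]["secret"], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_token(token: str, now: datetime) -> tuple:
    """Return (accepted, reason). A correct signature is not enough: the key
    that produced it must also be inside its rotation window at time `now`."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        mac = _unb64(sig)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    key = KEYS.get(claims.get("kid"))
    if key is None:
        return False, "unknown key"
    expected = hmac.new(key["secret"], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    if now - key["issued"] > MAX_KEY_AGE:
        return False, "signing key past rotation window"
    return True, "ok"
```

The age check is what turns a leaked or stale key into a bounded problem: without it, the verifier above would happily accept the 2016 key's tokens in 2023.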
It also criticized Microsoft's decision “not to correct, in a timely manner, its inaccurate public statements about this incident, including the company's statement that Microsoft believed it had identified the potential root cause of the intrusion when in fact it had not yet done so.”
“At the individual level, any of the failures… may be understandable,” the report said. “Taken together, they point to a failure in Microsoft's regulatory controls, governance, and company culture around security.”
The report recommends that Microsoft's CEO and board develop and implement a plan “to make fundamental security-focused reforms across the company and its full product portfolio, and then hold leaders at all levels of the company accountable for implementing them.”
CISA recommendations
The report also recommends that all cloud providers, not just Microsoft, stop charging their customers for security logs. Microsoft recently announced that it will provide some security logs as part of its standard cloud service package.
“Security-related logging should be a core component of cloud offerings and cloud providers should provide customers with essential tools that provide them with the information needed to detect, prevent or measure intrusion, recognizing that many customers will still need additional or third-party analysis capabilities to build a fully mature security program,” the report states.
The report also recommends that the Cybersecurity and Infrastructure Security Agency lead a task force to define and adopt “minimum standards for default audit logging in cloud services.”
“This standard should ensure, at a minimum, that all access (including access by the cloud provider itself) to a customer’s business data in the cloud produces records available to the customer at no additional charge, with a default retention period of a minimum of six months by the CSP,” the report says.
The CSRB report also outlines several cloud security best practices around authentication tokens, encryption keys, and other areas. It recommends that the Cybersecurity and Infrastructure Security Agency “verify annually with major cloud service providers that provide services to the United States Government regarding which of these and other applicable security practices they are implementing.”
It says CISA must publish the results of its review, including indicating when a company refuses to provide requested information.
FedRAMP Updates
The report also recommends updating the General Service Administration's Federal Risk and Authorization Management Program (FedRAMP) used by agencies.
“Cloud services are a critical component of the cybersecurity ecosystem, especially when protecting the most sensitive government data,” the report notes. “However, the Board believes that current government cybersecurity compliance requirements do not consistently require sound practices around key management or token issuance.”
The report continues that FedRAMP “can play a key role in ensuring stronger cybersecurity practices, including cloud-based digital identity, across the cloud services ecosystem.”
The CSRB recommends that FedRAMP “establish a minimum threshold to periodically re-evaluate outdated FedRAMP authorization packages.” The idea is to review those cloud services that are “widely used across government,” while other cloud services could be considered “high-value assets” under federal cybersecurity law.
The Board also recommends that FedRAMP establish a process for conducting “special reviews” of approved cloud service offerings. The reviews would “call in security experts within the federal government to make recommendations to improve security for cloud service offerings (CSOs),” according to the board’s report.
Copyright © 2024 Federal News Network. All rights reserved.