Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Monday, 05 October 2020 11:58

Microsoft puts lipstick on a pig to avoid scrutiny over security


In what appears to be a bid to try and pretend that it is making no big contribution to the abysmal security environment in the tech sector, Microsoft has put out one of those reports, titled Microsoft Digital Defence Report, that aims to quell criticism of its role, at the same time trying to insinuate that security is in a bad state because of every single player.

The company has done this before, with a report in April this year on ransomware, wherein it tried to create the myth that it was helping to quell a problem that raises its head every day of the week.

But then one should not be surprised at the chutzpah that Microsoft shows, given that so-called security journalists refer to reports such as this as "the gold standard in terms of providing a yearly overview of all the major events and trends in the cyber-security and threat intelligence landscape". Fool's gold, indeed.

Let us be honest about things: Microsoft benefits from an insecure landscape. It even benefits from ransomware attacks. But it doesn't like to be called out about it, and depends on friendly tech journalists to do that job. As is the case here.

Many companies provide annual overviews of the security situation and they are all marketing exercises. Nobody pretends otherwise.

The manner in which Microsoft — which has been issuing hundreds of fixes for its software over the last few months — tries to bat away any suggestion that it is to blame for the abysmal security in Windows and its other products is quite amusing.

For example, there was this in the latest 88-page effort, information taken from a report put out by CyberX, an IoT/OT cyber security company that was recently acquired by Microsoft.

Here we go: "71% of sites have unsupported Microsoft Windows systems, such as Windows 2000, Windows XP, and Windows 7, that no longer receive regular security patches from Microsoft. Even excluding Windows 7 systems, which became unsupported in January 2020, the percentage of sites with unsupported Windows systems is still quite high at 62%."

In other words, the users, not our software, are to blame for security issues.

And then this: "64% of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise systems simply by sniffing the network traffic. 66% of sites aren’t automatically updating Windows systems with the latest anti-virus definitions."

Given that unattended updates regularly break Windows systems, which sysadmin in his/her right mind would turn the tap on and go off for a boozy weekend?

And then a third case: "54% of sites have devices that can be remotely accessed from internal networks by using standard management protocols such as RDP, SSH, and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets." RDP is a protocol used by Microsoft; it should be off by default.

Then to convince people that it is trying seriously to improve the security scenarios, these suggestions are offered:

  • Adopt MFA
  • Go passwordless
  • Use good email hygiene
  • Modernise VPN architectures
  • Patch apps and systems
  • Monitor and pay special attention to remote access infrastructure.
  • Manage configuration changes
  • Implement a secure software development lifecycle
  • Take a 3-2-1 approach to backups
  • Monitor cross-cloud security
  • Limit access with least privilege
  • Leverage machine learning to increase fidelity and reduce alert fatigue
  • Closely monitor legacy, certified, and industrial control systems
  • Slow attacks with network segmentation
  • Manage the convergence of OT and IT
  • Secure IoT and IIoT
  • Know your perimeter
  • Limit perimeter exposure
  • Build a third-party risk program
  • Invest in user training (and keep training)
  • Adopt a Zero Trust mindset

Every one of these is bog standard and is suggested by every vendor, no matter their size. So what is new here, in this "gold standard"?

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
