Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Monday, 05 October 2020 11:58

Microsoft puts lipstick on a pig to avoid scrutiny over security

By Sam Varghese

In what appears to be a bid to try and pretend that it is making no big contribution to the abysmal security environment in the tech sector, Microsoft has put out one of those reports, titled Microsoft Digital Defence Report, that aims to quell criticism of its role, at the same time trying to insinuate that security is in a bad state because of every single player.

The company has done this before, with a report in April this year on ransomware, wherein it tried to create the myth that it was helping to quell a problem that raises its head every day of the week.

But then one should not be surprised at the chutzpah that Microsoft shows, given that so-called security journalists refer to reports such as this as "the gold standard in terms of providing a yearly overview of all the major events and trends in the cyber-security and threat intelligence landscape". Fool's gold, indeed.

Let us be honest about things: Microsoft benefits from an insecure landscape. It even benefits from ransomware attacks. But it doesn't like to be called out about it, and depends on friendly tech journalists to do that job. As is the case here.

Many companies provide annual overviews of the security situation and they are all marketing exercises. Nobody pretends otherwise.

The manner in which Microsoft — which has been issuing hundreds of fixes for its software over the last few months — tries to bat away any suggestion that it is to blame for the abysmal security in Windows and its other products is quite amusing.

For example, there was this in the latest 88-page effort, information taken from a report put out by CyberX, an IoT/OT cyber security company that was recently acquired by Microsoft.

Here we go: 71% of sites have unsupported Microsoft Windows systems, such as Windows 2000, Windows XP, and Windows 7, that no longer receive regular security patches from Microsoft. Even excluding Windows 7 systems which became unsupported in January 2020, the percentage of sites with unsupported Windows systems is still quite high at 62%.

In other words, the users, not our software, are to blame for security issues.

And then this: "64% of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise systems simply by sniffing the network traffic. 66% of sites aren’t automatically updating Windows systems with the latest anti-virus definitions."

Given that unattended updates regularly break Windows systems, which sysadmin in his/her right mind would turn the tap on and go off for a boozy weekend?

And then a third case: "54% of sites have devices that can be remotely accessed from internal networks by using standard management protocols such as RDP, SSH, and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets." RDP is a protocol used by Microsoft; it should be off by default.

Then to convince people that it is trying seriously to improve the security scenarios, these suggestions are offered:

  • Adopt MFA
  • Go passwordless
  • Use good email hygiene
  • Modernise VPN architectures
  • Patch apps and systems
  • Monitor and pay special attention to remote access infrastructure
  • Manage configuration changes
  • Implement a secure software development lifecycle
  • Take a 3-2-1 approach to backups
  • Monitor cross-cloud security
  • Limit access with least privilege
  • Leverage machine learning to increase fidelity and reduce alert fatigue
  • Closely monitor legacy, certified, and industrial control systems
  • Slow attacks with network segmentation
  • Manage the convergence of OT and IT
  • Secure IoT and IIoT
  • Know your perimeter
  • Limit perimeter exposure
  • Build a third-party risk program
  • Invest in user training (and keep training)
  • Adopt a Zero Trust mindset

Every one of these is bog standard and is suggested by every vendor, no matter their size. So what is new here, in this "gold standard"?


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
