Tag Archive for: board

Review board to issue report detailing Microsoft’s lapses in China hack: report


The US Cyber Safety Review Board is expected to issue a report detailing lapses by Microsoft that led to a targeted Chinese hack of top US government officials' emails last year, the Washington Post reported on Tuesday.

The intrusion, which ransacked the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals around the world, was “preventable” and “should never have occurred”, the Washington Post said, citing the report.

“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” Microsoft said.


“Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations,” it added.

The Cyber Safety Review Board did not immediately respond to a Reuters request for comment.

Last year, the tech giant said the Chinese hack of senior officials at the US State and Commerce departments stemmed from the compromise of a Microsoft engineer’s corporate account penetrated by a hacking group it dubbed Storm-0558.


The hack is alleged to have stolen hundreds of thousands of emails from top American officials including Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns and Assistant Secretary of State for East Asia Daniel Kritenbrink.

The Cyber Safety Review Board’s report blames shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency over what Microsoft knew about the origins of the breach, according to the Washington Post.

Source…

How to ask the board and C-suite for security funding


Recent guidance published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance instructs board members to drive “a culture of corporate cyber responsibility” by empowering CISOs with the influence and resources they need to drive decisions where cybersecurity is effectively prioritized and not subordinated to cost, performance, and speed to market.

Although this sounds like a CISO’s dream come true, it doesn’t mean that boards will suddenly open the purse strings. Responsible to their shareholders, boards and executives will always be hyper-focused on the bottom line. Only now, with liability bearing down on them, they require accurate, risk-based funding requests qualifying the need, total cost of ownership, effectiveness, breach exposure and likelihood, and cost to the business should a breach occur.

Traditionally, CISOs haven’t communicated this information well enough to their boards, Chris Hetner, special advisor for Cyber Risk at the NACD, tells CSO. Hetner, who is also a council member on the NASDAQ Center for Board Excellence, points to the July-updated SEC rules for cyber risk management implicating senior leaders in breaches. Board liability for risk is sinking in, he says, and as a result, board directors are rallying around cyber threats.

This trend definitely impacts how CISOs articulate the need for funding their security programs, Hetner continues. “As an investor, I need to know how you’re treating this risk compared to any other risk and why it matters. Juxtapose that with a CISO bringing in highly technical metrics and reports not understood by the board and you see the disconnect. You want to prepare a tailored, business-focused cyber risk report, ideally on a quarterly basis, that converts technical metrics into understandable, business-aligned metrics. Then, you’ll get your funding.”

Don’t go it alone when asking for cybersecurity funding

When it comes to funding requests, CISOs shouldn’t operate in a vacuum. Hetner suggests seeking allies on the board and executive team, including the CFO and CEO. These people can help CISOs understand the business risk to frame their funding requests around…

Source…

US cyber safety board to investigate cloud security and Exchange Online breach


The Cyber Safety Review Board has launched an investigation into the cybersecurity threats facing cloud service providers.

The probe by the CSRB was first reported by Bloomberg late Thursday and confirmed today. As part of its investigation, the CSRB plans to look into a high-profile breach that hit Microsoft Corp.’s Exchange Online email platform earlier this year. During the cyberattack, a hacking group believed to be affiliated with China accessed the inboxes of several U.S. government officials.

“We must as a country acknowledge the increasing criticality of cloud infrastructure in our daily lives and identify the best ways to secure that infrastructure and the many businesses and consumers that rely on it,” said CSRB Chair and DHS Under Secretary for Policy Rob Silvers. 

The CSRB, which launched last year, was formed by the U.S. Department of Homeland Security in accordance with an executive order that President Joe Biden signed in 2021. Its mission is to investigate large-scale cybersecurity incidents. The CSRB is composed of 15 government officials and private sector experts.

The first focus of the board’s new investigation is the recent cyberattack against Microsoft’s Exchange Online platform, which came to light last month. During the breach, a hacking group suspected to be based in China gained access to the email accounts of Commerce Secretary Gina Raimondo and multiple State Department officials.

The hackers breached the accounts using forged authentication tokens. Those are pieces of data that a computer presents to an application, in this case Exchange Online, so the application can verify that the login request is legitimate. The hackers forged the authentication tokens by exploiting an encryption key stolen from Microsoft and a since-patched flaw in one of the software giant’s cybersecurity systems.

The CSRB’s probe comes about two weeks after Senator Ron Wyden asked federal agencies to review the Exchange Online breach. In a letter, the Senator requested that the CSRB “investigate whether lax security practices by Microsoft enabled” the hack.

As part of its investigation, the board also plans to review “issues relating to cloud-based identity and…

Source…

US cyber board to investigate Microsoft hack of government emails


A U.S. review board tasked with investigating major cybersecurity incidents said it will begin looking at the recent intrusion of U.S. government email systems provided by Microsoft, whose handling of the incident drew ire and scrutiny from federal lawmakers and the wider security community.

The Cyber Safety Review Board, or CSRB, said Friday that its latest investigation will include a “broader review of issues relating to cloud-based identity and authentication infrastructure.”

The board said it began considering an investigation after learning of the Microsoft cloud breach, which saw China state-backed hackers break into government email accounts, including the inbox of U.S. Commerce Secretary Gina Raimondo, several officials at the U.S. State Department, and other organizations not yet publicly named.

According to the slow-drip of information about the incident, Microsoft said China-backed hackers stole a sensitive signing key that allowed unauthorized access to enterprise and government email inboxes hosted by the technology giant. That stolen key, coupled with a flaw that Microsoft has since patched, allowed the forging of authentication tokens that the hackers used to access the target’s email accounts as if they were the rightful owners.
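The token mechanism described here and in the earlier excerpt (a stolen signing key plus a validation flaw allowing forged tokens) is illustrated below in an added, constructed example. It is not code from any of the articles or from Microsoft, and it does not reproduce the specific flaw, which the articles do not detail. It assumes a simplified HMAC-signed token format, two hypothetical issuers with constructed secrets, and a mail service that should trust only the enterprise issuer's keys. The weak verifier looks the key id up in a flat pool of every key it knows; the hardened one scopes the lookup to the expected issuer, so a key belonging to a different issuer cannot validate a token here, which is the property that limits the blast radius of a stolen key.

```python
import base64
import hashlib
import hmac
import json


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed key material (hypothetical issuers and secrets, not real values).
ENT_ISS = "https://login.example.test/enterprise"
CON_ISS = "https://login.example.test/consumer"
KEYRING = {
    ENT_ISS: {"ent-2023-07": b"constructed-enterprise-secret"},
    CON_ISS: {"msa-2016-04": b"constructed-consumer-secret"},
}
MAIL_AUD = "https://mail.example.test"  # the service validating tokens


def mint_token(secret, kid, iss, aud, sub, now, ttl=3600):
    """Issue a compact HS256 token: header.claims.signature, base64url encoded."""
    header = {"alg": "HS256", "kid": kid}
    claims = {"iss": iss, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _split(token):
    h, c, s = token.split(".")
    return json.loads(_b64u_decode(h)), json.loads(_b64u_decode(c)), h + "." + c, _b64u_decode(s)


def _check_claims(claims, expected_iss, expected_aud, now):
    if claims.get("iss") != expected_iss:
        return "issuer"
    if claims.get("aud") != expected_aud:
        return "audience"
    if claims.get("exp", 0) <= now:
        return "expired"
    return None


def verify_unscoped(token, keyring, expected_iss, expected_aud, now):
    """Weak pattern: a kid is resolved against every key the verifier knows,
    so a valid signature from any issuer's key satisfies the check."""
    header, claims, signing_input, sig = _split(token)
    all_keys = {kid: k for keys in keyring.values() for kid, k in keys.items()}
    secret = all_keys.get(header.get("kid"))
    if secret is None:
        return False, "unknown kid"
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"
    err = _check_claims(claims, expected_iss, expected_aud, now)
    return (False, err) if err else (True, "ok")


def verify_scoped(token, keyring, expected_iss, expected_aud, now):
    """Hardened: the kid is resolved only within the key set of the issuer this
    service expects, and the claimed issuer must match before any key lookup."""
    try:
        header, claims, signing_input, sig = _split(token)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "alg"
    if claims.get("iss") != expected_iss:
        return False, "issuer"
    secret = keyring.get(expected_iss, {}).get(header.get("kid"))
    if secret is None:
        return False, "kid not trusted for issuer"  # log this kid for detection
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"
    err = _check_claims(claims, expected_iss, expected_aud, now)
    return (False, err) if err else (True, "ok")


def run_checks(now=1_690_000_000):
    """Exercise both verifiers with constructed tokens and return the outcomes."""
    legit = mint_token(KEYRING[ENT_ISS]["ent-2023-07"], "ent-2023-07", ENT_ISS, MAIL_AUD, "alice", now)
    # Test token signed with the consumer issuer's key but claiming the enterprise issuer:
    # this models a key that should never be valid for the enterprise audience.
    cross = mint_token(KEYRING[CON_ISS]["msa-2016-04"], "msa-2016-04", ENT_ISS, MAIL_AUD, "alice", now)
    stale = mint_token(KEYRING[ENT_ISS]["ent-2023-07"], "ent-2023-07", ENT_ISS, MAIL_AUD, "alice", now - 7200)
    return {
        "legit_scoped": verify_scoped(legit, KEYRING, ENT_ISS, MAIL_AUD, now),
        "cross_key_unscoped": verify_unscoped(cross, KEYRING, ENT_ISS, MAIL_AUD, now),
        "cross_key_scoped": verify_scoped(cross, KEYRING, ENT_ISS, MAIL_AUD, now),
        "expired_scoped": verify_scoped(stale, KEYRING, ENT_ISS, MAIL_AUD, now),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The rejection reason string from `verify_scoped` is meant to be logged with the offending `kid`: a sudden run of "kid not trusted for issuer" rejections is the kind of signal that distinguishes a key-scoping problem or a leaked key from ordinary expired-token noise, which is why the verifier returns a reason rather than a bare boolean.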

The intrusions began in mid-May but were not detected until a month later, when State Department officials detected the breach and notified Microsoft. The hacks were first revealed only because the State Department used a higher-paid tier account that included access to logs that Microsoft keeps; other departments on a lower paid tier were not given access to logs that may have spotted the intrusions sooner.

Following criticism, Microsoft capitulated soon after, saying it would make logs available for customers at no additional cost from September.

Ron Wyden, a Democratic lawmaker on the Senate Intelligence Committee, blasted Microsoft in a scathing letter to government agencies requesting an investigation into whether “lax cybersecurity practices” enabled Chinese hackers to spy on high-ranking federal government officials.

Wyden also called on the CSRB to investigate the incident.

In carrying out a post-mortem of the hack, Homeland…

Source…