OTX Partners
OTX Roundtable GRC News
October 2024
Microsoft Issues Update on Secure Future Initiative Progress
Microsoft products have been at the center of MSP offerings for decades. It seems as if Microsoft originated the concept of dynamic patching with its infamous “Patch Tuesday” ritual. Although we are all grateful that these vulnerabilities are patched in a timely manner, it would be much better if the quality of the software were higher going out the door. In fact, CISA Director Jen Easterly commented recently at a conference that we should start referring to vulnerabilities as product defects to drive home the point that they are a reflection of the quality of the software.
To that end, Microsoft announced its Secure Future Initiative in November 2023. Since then, Microsoft has dedicated the equivalent of 34,000 full-time engineers to the initiative. At the top of the list of accomplishments is an overall shift in corporate culture, including aligning cybersecurity quality with employee performance reviews and senior leadership compensation.
Another major part of the initiative is a clampdown on app lifecycle management. As part of that, they eliminated 730,000 unused apps. They also eliminated a whopping 5.75 million inactive tenants. All of this greatly reduces their overall attack surface.
The six pillars of the initiative (protect identities and secrets, protect tenants and isolate production systems, protect networks, protect engineering systems, monitor and detect threats, and accelerate response and remediation) align closely with most cyber security frameworks.
This is a welcome improvement from Microsoft and will hopefully make everyone’s job easier when it comes to cyber security. Perhaps other software vendors will follow suit? You can read the full report here.
NIST Offers New Guidance on Password Restrictions
In the vein of unintended consequences, the guidance given for password requirements in recent years has led to bad behavior rather than improved security. When users are forced to include upper-case letters, lower-case letters, numbers and symbols in their passwords, they are more likely to write those passwords down or choose easy-to-remember leetspeak strings. Even though “P@$$w0rd!” would meet the criteria of most authentication engines, it is a very insecure password. Likewise, “ihatesupercomplexpasswords” would not pass muster, even though it is a much stronger password simply due to its length.
In response, NIST has released the second public draft of SP 800-63B, the latest version of its Digital Identity Guidelines. The new draft makes some much-needed changes, including abolishing the long-standing practices of forcing password changes periodically and requiring passwords to include certain characters.
Instead, NIST now tells Credential Service Providers (CSPs) they “SHALL require passwords to be a minimum of eight characters in length and SHOULD be a minimum of 15 characters in length”. It also gets rid of those inane “security” questions for password recovery. The entire document, in true NIST fashion, is lengthy and complex and offers further guidance on several other aspects of authentication.
Of course, if you are going to implement these guidelines, it is highly recommended that you employ additional factors in your authentication process. When the guidelines are ratified, it will still take some time for institutions to adopt the changes, so you won’t be forgetting your first pet’s name any time soon.
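To make the contrast concrete, here is an added example (not from this newsletter or from NIST) that puts an old composition-rule check beside a length-based check in the spirit of the SP 800-63B draft. The blocklist is a small constructed sample; a real deployment would use a large list of commonly used or previously compromised passwords, and the leetspeak normalisation is a simplification for illustration.

```python
import re
import unicodedata

# Constructed sample blocklist for this example; a real deployment uses a large
# list of commonly used, expected or previously compromised passwords.
BLOCKLIST = {"password", "qwerty", "letmein", "iloveyou", "welcome"}

# Common leetspeak substitutions undone before the blocklist lookup (illustrative subset).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def legacy_policy(pw: str) -> bool:
    """Old composition-rule check: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _blocklist_key(pw: str) -> str:
    """Canonical form for the blocklist lookup: lowercase, trailing digits dropped,
    leetspeak undone, punctuation removed. 'P@$$w0rd!' and 'Password123' both map
    to 'password', so cosmetic variants of a blocked word are still caught."""
    core = re.sub(r"\d+$", "", pw.lower())
    core = core.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", core)


def nist_policy(pw: str, minimum: int = 8, recommended: int = 15, maximum: int = 64) -> tuple[bool, str]:
    """Length-based check in the spirit of the SP 800-63B draft: no composition
    rules and no expiry, only a minimum length, a generous maximum (spaces and
    Unicode allowed) and a blocklist of weak values. Returns (accepted, reason)."""
    pw = unicodedata.normalize("NFKC", pw)  # compare Unicode input consistently
    if len(pw) < minimum:
        return False, f"shorter than {minimum} characters"
    if len(pw) > maximum:
        return False, f"longer than {maximum} characters"
    if _blocklist_key(pw) in BLOCKLIST:
        return False, "matches a blocked password"
    if len(pw) < recommended:
        return True, f"accepted, but shorter than the recommended {recommended} characters"
    return True, "accepted"
```

Run against the newsletter's two examples, the legacy rules accept “P@$$w0rd!” and reject “ihatesupercomplexpasswords”, while the length-based check does the reverse.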
Proposed Senate Bill Would Require Large Healthcare and Insurance Providers to Implement Much Stronger Cyber Security Measures
For nearly three decades, HIPAA has been the governing standard for guarding Protected Health Information (PHI). Although it has gone through a couple of minor updates over the years, it is largely out of step with the requirements of today’s landscape.
Two US lawmakers, Senators Ron Wyden (D-OR) and Mark Warner (D-VA), have proposed a bill that would provide $1.3B for the Department of Health and Human Services (HHS) to create “serious accountability” for companies that fail to meet cyber security standards. This is a reaction to several major ransomware attacks against the healthcare industry, most notably the attack against the UnitedHealth subsidiary Change Healthcare.
According to Senator Wyden, “mega-corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result.”
The Health Infrastructure Security and Accountability Act, aimed at larger institutions, would have HHS audit organizations and perform stress tests. Specifically, the bill would apply to institutions of “systematic importance”, defined as “a covered entity or business associate, that the failure of, or a disruption to, such entity or associate would have a debilitating impact on access to health care or the stability of the health care system of the United States (as determined by the Secretary).” Annual audits would need to be signed off by top executives, with the threat of jail time if claims are determined to be false. The bill also removes caps on the fines HHS can issue to hold these mega-corporations accountable.
Although not specifically called out in the bill, it is unlikely this will filter down to smaller institutions, given the direct involvement of HHS and the lack of scalability.
Featured Recorded Event
Six Months to CMMC: How To Prepare with Cyber AB’s Matt Travis
Recorded September 25, 2024
Spoiler Alert: six months may be on the long side
Matt Travis is the director of the Cyber AB, the board overseeing the CMMC certification program. He gives us an update on the requirements and the estimated rollout schedule.
Organizations struggle to implement and maintain a cyber security posture that is appropriate for today's threat landscape. They implement policies and procedures with the intent of protecting their data. Under the assumption that policy violations are typically the result of ignorance or malicious behavior, they strive to educate their workforce on the importance of adhering to the policy and the ramifications of a violation. However, most of these efforts fail to accomplish the goal of improved security. A recent study in the Harvard Business Review indicates that other factors come into play when users are faced with compliance tasks. The study, which focused on remote workers during the pandemic, found that most policy infractions were intentional yet non-malicious violations, largely driven by employee stress. According to the study, "when asked why they failed to follow security policies, our participants’ top three responses were, 'to better accomplish tasks for my job,' 'to get something I needed,' and 'to help others get their work done.'” This last motivator, the desire to help others, cuts to the core of the Managed Service Provider's role. After all, that's what they are here to do: help others. And hackers know that…
Next OTX Roundtable Meeting
November 14, 2024
Virtual
OTX Partners LLC
OTX Roundtable GRC is a peer group helping MSPs build and maintain a security and compliance-focused culture. Find out more here
© 2024 OTX Roundtable, Inc. All rights reserved. Designated trademarks, brands, logos, and service marks are the property of their respective owners.