Microsoft: First It Fuels Cyber Threats, Then It Sells the Solutions

RYAN KALEMBER 2021-12-13
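The industry believes that Microsoft's failure to patch known vulnerabilities is what led to the recent severe SolarWinds hack.

Microsoft President Brad Smith testifies at the Senate Intelligence Committee hearing on the SolarWinds attack, February 23, 2021. Photo: DREW ANGERER—GETTY IMAGES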

Chinese edition: Fortune China (财富中文网)

Translator: Liang Yu

Proofreader: Xia Lin

Microsoft recently committed $20 billion over the next five years to deliver more advanced cybersecurity tools—a marked increase on the $1 billion per year it’s spent since 2015.

This is yet another step in Microsoft’s quest to position itself as the global leader in cybersecurity. But while this may appear a noble endeavor, all is not quite as it seems. Microsoft technology is a significant contributing factor in increasingly devastating cyberattacks.

The company’s failure to shore up known vulnerabilities is believed to have exacerbated the recent SolarWinds hack. Meanwhile, its cybersecurity arm has seen 40% growth year on year, with revenues reaching $10 billion. This makes for a rather uncomfortable dichotomy. Far from a cybersecurity savior, is Microsoft effectively setting the house on fire and leaving organizations with the bill for putting it out?

There’s a reason why Microsoft is one of the largest companies in the world. Many of the brightest minds in tech have passed through its doors. But it’s no hot take to say it struggles with security.

Malicious messages sent from Office 365 targeted almost 60 million users in 2020. With email being the No. 1 point of entry for cyber threats, this puts everyone at risk, not just Microsoft customers. Delivery from a trusted entity is critical to successful ransomware, phishing, and business email compromise attacks. With millions of messages sent from gold-plated domains like Outlook.com, many are sure to get through. Cybersecurity Twitter was recently aflame when ransomware groups sent out phishing attacks from compromised Exchange servers, pointing to malware hosted on OneDrive. Some of that malware stayed there for months before being taken down.

Unfortunately, vulnerabilities and platform abuse are just the beginning. Microsoft has also made many catastrophic architectural decisions. The design of Active Directory, Office macros, PowerShell, and other tools has enabled successive generations of threat actors to compromise entire environments undetected. This is one of the primary reasons why ransomware attacks spread from single machines to entire organizations unchecked.

Now, many of these mistakes are being repeated in the cloud. We only need look at the horribly insecure default configuration of Office 365 for evidence of that.

In its defense, Microsoft would likely say it is doing all it can to keep up with the fast pace of a constantly evolving and increasingly sophisticated threat landscape. And, in fairness, it was not the company’s intention to become a leading contributor to security risk. Many of Microsoft’s security products, like Sentinel, are very good.

But corporate politics are complex. When your mission is to “empower every organization on the planet to achieve more,” sometimes shipping a risky productivity feature (like adding JavaScript to Excel) will ride roughshod over Microsoft’s army of well-intentioned security professionals. If the company was moving slower to ship more secure code, discontinuing old features (like Apple), or trying to get its massive customer base to a great security baseline faster (like Google), it could do amazing things for the security community. But it’s not.

Rather than investing millions into preventing vulnerabilities and exploitable configurations, Microsoft is instead profiting from their existence. So with one hand, the company ships vulnerabilities and hosts malware, and with the other, it charges to “protect” users from those same vulnerabilities and threats. Add in the world’s most extensive incident response practice, and Microsoft is the arsonist, the fire department, and the building inspector all rolled into one.

The good news? Many organizations are now looking beyond Microsoft to protect users and environments. Most security leaders are reluctant to put all their eggs in a Microsoft basket, but all IT professionals should both expect and demand that all their vendors, even the big ones, mitigate more security risk than they create.

With over 20 years of experience in the information security industry, Ryan Kalember currently leads cybersecurity strategy for Proofpoint and is a sought-out expert for leadership and commentary on breaches and best practices. In addition to serving as a trusted adviser to CISOs worldwide, Mr. Kalember is a member of the National Cyber Security Alliance board and the Cybersecurity Technical Advisory Board.
