Microsoft is not having a very good time right now. Their not-so-recent breach (2024-01-19 report) turned out to be a mega-breach (2024-03-08 report), and now seems to have been even more serious (2024-03-11), without clear assurance that the intruders really have been evicted completely, uncertainty over what might have been exfiltrated, and uncertainty over what might have been tampered with.
This is no small company without the resources to do security properly. This is a wealthy behemoth which works closely with security organisations worldwide, but which seems to have failed to follow its own security principles.
The reputational damage will be considerable. We’ve all been fed the line that they do things properly in-house because they dare not risk a breach which might threaten their multi-billion cloud business. Seems that might have been wishful thinking.
The thing about security is that it only needs a few tiny cracks which can be joined up to result in a catastrophic failure – and this is what seems to have happened here.
Poor hygiene, some laziness, some failure to either fully monitor test environments as if they were live or to ensure that such environments are sufficiently separated that privilege escalation in the test environment cannot be used to leverage privileged access in other environments.
This doesn’t mean that all of their security is poor, but it does demonstrate that there is a lack of robust & comprehensive governance, monitoring, and policy enforcement.
And that adds up to a cultural issue within the organisation.
Security is not glamorous
An awful lot of security (say around 99.9999%) is NOT glamorous at all. It’s about processes and auditing, about backups and business continuity. It’s about balancing risks and designing workable but effective controls – then making sure that they are uniformly and rigorously implemented. It’s about making sure that things which should be done, are done – by including closed loops of checking and feedback. It’s about ensuring that the absence of certain events is noticed, as well as the presence of certain events.
Compare any Bond film to the BBC’s dramatisation of Tinker Tailor Soldier Spy (1979) and Smiley’s People (1982) (incidentally, both very much recommended viewing). Not so many gadgets and car chases in the latter, because they are far more realistic representations of the realities of espionage & counter-espionage than the chewing-gum-for-the-eyeballs entertainment of the Bond films.
Here’s the root of the problem: people get bored, so they take shortcuts and/or deviate from the policies. It’s a very real and very human problem, and failing to take this into account is a recipe for disaster.
Boredom Is Dangerous
Imagine being a security guard just inside the reception to a very sensitive building. You’re responsible for checking that the ID cards of the people entering match the person presenting it, before they use the card readers plus PIN entry devices to enter the airlocks into the building. How long can you do this task for before your mind starts wandering?
The honest answer is probably around 30 minutes at a time absolute maximum.
I’ve seen a building in which the security staff performing these roles are rotated to other duties every 20-30 minutes. And that’s the level of forethought that you need for tasks which are boring but which are vitally important.
Who will guard the cloud itself?
Returning to my original question: Quis custodiet ipsos nubem? Who will guard the cloud itself? Well, I don’t have an instant simple answer. I can just say with certainty that it will be a not-very-exciting mixture of checks and balances, and that it needs to be designed by someone who understands human psychology, physiology, and brain function. An effective solution, I suspect, will involve deliberately incoporating highly neurodiverse staff to take full advantage of their special superpowers. And it will definitely involve self-monitoring of effectiveness to feed back into the constantly evolving design. What it will not involve is anything glamorous.
But I need glamour!
If you need glamour, then don’t become a spy or a spy-catcher, because the reality will not match the likely expectation.
And similarly, if glamour is your thing, then either the world of security is not really for you, or you need a glamorous hobby. Those who know me well know how I handle this particular issue.
Gânduri Eclectice - Eclectic Thoughts 