{"id":2564,"date":"2023-09-11T05:01:39","date_gmt":"2023-09-11T12:01:39","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=2564"},"modified":"2023-09-11T05:01:40","modified_gmt":"2023-09-11T12:01:40","slug":"microsoft-accused-of-a-pattern-of-repeated-negligent-cybersecurity-practices","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/microsoft-accused-of-a-pattern-of-repeated-negligent-cybersecurity-practices\/","title":{"rendered":"Microsoft accused of a pattern of repeated negligent cybersecurity practices"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

The CEO of Tenable has called out Microsoft for its security practices following an attack on the tech giant\u2019s Azure platform, which was disclosed in early July. 
<\/p>\n\n\n\n\n\n\n\n

Chinese espionage hacking group \u201cStorm-0558\u201d breached<\/a> an undisclosed number of emails via Outlook Web Access in Exchange Online and Outlook.com. These emails were linked to 25 organizations, including government agencies in Western Europe and the US, as well as individual customer accounts. The breach began on May 15th and was first detected a month later when a customer reported it to Microsoft. 
<\/p>\n\n\n\n

In a LinkedIn post<\/a>, cybersecurity company Tenable CEO Amit Yoran has revealed that this isn\u2019t the first time Microsoft has fallen victim to such an attack and puts its customers at risk. And the details of his post are pretty damning. <\/p>\n\n\n\n

A history of negligence<\/h2>\n\n\n\n

According to Yoran, a member of Tenable\u2019s research team discovered a severe vulnerability in Microsoft\u2019s Azure platform back in March. This weakness had the potential to let a threat actor access all manner of an organization\u2019s sensitive data, including cross-tenant applications and authentication secrets. In fact, the Tenable team was able to use the exploit to find out a bank\u2019s authentication secrets. The company quickly alerted Microsoft to the issue, expecting it to react swiftly. Instead, it took 90 days to apply a partial fix to the problem, which was only applied to new applications on the service. Microsoft informed Tenable that the issue would be fully fixed in September, which Yoranhas describes as \u201cgrossly irresponsible, if not blatantly negligent.\u201d
<\/p>\n\n\n\n

The Verge reports<\/a> that Microsoft fixed the issue since Yoran\u2019s post was published. In an email to The Verge, Microsoft senior director Jeff Jones responded to some of the criticism, explaining that the company follows an extensive process when conducting investigations of impacted products: 
<\/p>\n\n\n\n

\u201cUltimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.\u201d
<\/p>\n\n\n\n

Even so, many are still frustrated with the tech giant. In his LinkedIn post, Yoran also supports his case by pointing to data from Google Project Zero, security analysts employed by Google whose purpose is finding zero-day vulnerabilities. According to this data, since 2014, Microsoft products have been responsible for 42.5% of all zero-days discovered.
<\/p>\n\n\n\n

Yoran isn\u2019t the only one frustrated by Microsoft\u2019s cybersecurity practices. In late July, Oregon Senator Ron Wyden sent a letter<\/a> to the Department of Justice, the Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission, urging them to hold Microsoft to account for \u201cnegligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.\u201d<\/p>\n\n\n\n

Conclusion<\/h2>\n\n\n\n

While Microsoft has addressed some of the issues discussed in this article, the frustration of cybersecurity professionals is understandable. As one of the world\u2019s leading tech companies that provides IT infrastructure for countless organizations worldwide, the highest quality of security should be provided as standard.
<\/p>\n","protected":false},"excerpt":{"rendered":"

The CEO of Tenable has called out Microsoft for its security practices following an attack on the tech giant\u2019s Azure platform, which was disclosed in early July. <\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2564","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=2564"}],"version-history":[{"count":1,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2564\/revisions"}],"predecessor-version":[{"id":2565,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2564\/revisions\/2565"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=2564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=2564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=2564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}