Looking Back

It’s always satisfying to reach the end of a calendar year and look back to review the major highlights of the year just passed. I think this is generally true both in personal and professional life. This is especially true for highly dynamic fields like information and computer security. There is always something happening. And sometimes a story or event that you think will be incredibly newsworthy for a long time fades away because of even more newsworthy things that happen after it.

So it was with 2024, which began with the announcement of a very large data breach affecting billions of records and is ending with surprising advisories from the US government telling people to do something they should’ve already been doing. Let’s take a look at some of the major highlights.

Changing Recommendations and Requirements

As I have had occasion to mention in a few different columns, Microsoft has made several changes this year to the security defaults it applies to tenants. These changes were badly needed because Microsoft recognizes the risk that comes from weak authentication. Now that MFA is required for administrative access to Microsoft 365, and, shall we say, strongly encouraged for everyone else, we’ll have to hope that the number of tenants and user accounts exploited begins to decrease. Other trusted sources have changed their recommendations, too: the US National Institute of Standards and Technology (NIST) wants you to improve your password policies, and the US Cybersecurity and Infrastructure Security Agency (CISA) thinks we should all be using end-to-end encryption and avoiding SMS-based MFA. And if you were thinking about buying yourself some new Wi-Fi gear for your home network… you should probably avoid TP-Link, since it looks like various agencies of the US government are working to ban them from the US market.

Nation-State Attacks on the Rise

As documented in last year’s Microsoft Digital Defense Report, ’24 was a really busy year for attacks mounted by nation-state actors. Even though you, as an individual administrator, may not have been affected by these attacks, they’re still noteworthy because of the number of well-protected entities that were breached. American, Ukrainian, British, Israeli, and Emirati government agencies, among others, were targeted. Attribution of attacks is always a challenging problem, but Microsoft and its government customers felt confident enough to publicly attribute these attacks to an assortment of Russia, China, North Korea, and Iran. Although the tactics and techniques used by the attackers vary, several of the attack patterns were made possible by weaknesses in authentication. This helps explain Microsoft’s renewed emphasis on enforcement of the basics, including MFA and password policies.

CrowdStrike and Friends

Of course, no recap of the past year’s top stories would be complete without mentioning the disastrous worldwide outage caused by poor quality assurance practices at CrowdStrike. Microsoft was unfairly blamed for this outage; it is true that Windows’ kernel design meant that security vendors needed kernel access to build their solutions in a way that delivered the benefits customers wanted. But Microsoft in large measure was prevented from limiting that access by threats of legal action from the European Union. There is a concerted effort underway at Microsoft to harden the Windows kernel against these kinds of problems, but also to find a way to give vendors the access they need without leaving the kernel open to the kind of damage inflicted by CrowdStrike. As for the perpetrators, they are currently being sued by, among others, Delta Airlines, but their stock price has risen significantly since its level before the outage.

Of course, CrowdStrike was not the only outage we suffered through last year. Microsoft had a couple of outages in various regions, including two that were both more widespread and longer-lasting than average. Other Internet service providers had various types of outages as well. This is just a fact of life in the cloud services world: sometimes the services you need to use will break at inconvenient times.

Looking Ahead to 2025

As baseball great Yogi Berra observed, “it’s tough to make predictions, especially about the future.” Based on what we saw happening in 2024, though, I think it is fair to make some general predictions about what we will see in the Microsoft security world.

One prediction is that we will continue to see very sophisticated and precisely targeted attacks against high-value systems, like those mounted by Salt Typhoon against US telecommunications systems. The high profile and high importance of Microsoft 365 makes it likely that some of these attacks will be targeted against that service, whether they are pointed directly at Microsoft itself or against its clients. Not all of these attacks will be immediately discovered. Of the ones that are discovered, not all of them will be publicly disclosed.

I think it is also safe to predict that Microsoft will continue to push for improved security for its customers. Some of these security improvements will come by reducing the attack surface of the service, including by discontinuing or decommissioning services that many people don’t use. Microsoft will probably continue to emphasize our responsibility as administrators and continue to increase the number of places where MFA, especially phishing-resistant MFA, must be used.

Of course, there will probably be at least one completely unpredictable event, whether it’s a large outage, an alien invasion, or the New Orleans Saints making it to the NFL playoffs—stay tuned to Practical365.com to see what happens next.

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).
