The company has done this before, with a report in April this year on ransomware, wherein it tried to create the myth that it was helping to quell a problem that rears its head every day of the week.
But then one should not be surprised at the chutzpah that Microsoft shows, given that so-called security journalists refer to reports such as this as "the gold standard in terms of providing a yearly overview of all the major events and trends in the cyber-security and threat intelligence landscape". Fool's gold, indeed.
Let us be honest about things: Microsoft benefits from an insecure landscape. It even benefits from ransomware attacks. But it doesn't like to be called out about it, and depends on friendly tech journalists to do that job. As is the case here.
The manner in which Microsoft — which has been issuing hundreds of fixes for its software over the last few months — tries to bat away any suggestion that it is to blame for the abysmal security in Windows and its other products is quite amusing.
For example, there was this in the latest 88-page effort, information taken from a report put out by CyberX, an IoT/OT cyber security company that was recently acquired by Microsoft.
Here we go: "71% of sites have unsupported Microsoft Windows systems, such as Windows 2000, Windows XP, and Windows 7, that no longer receive regular security patches from Microsoft. Even excluding Windows 7 systems which became unsupported in January 2020, the percentage of sites with unsupported Windows systems is still quite high at 62%."
In other words, the users, not our software, are to blame for security issues.
And then this: "64% of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise systems simply by sniffing the network traffic. 66% of sites aren’t automatically updating Windows systems with the latest anti-virus definitions."
Given that unattended updates regularly break Windows systems, which sysadmin in his/her right mind would turn the tap on and go off for a boozy weekend?
And then a third case: "54% of sites have devices that can be remotely accessed from internal networks by using standard management protocols such as RDP, SSH, and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets." RDP is Microsoft's own protocol; it ships disabled, but nothing stops an admin from switching it on and leaving it reachable from the whole internal network.
Then, to convince people that it is seriously trying to improve security, these suggestions are offered:
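The three CyberX findings quoted above (unsupported Windows, stale anti-virus definitions, RDP reachable on the internal network) are all things a sysadmin can check on a host in a few lines. The script below is an added example written for this page; it is not from the Microsoft report, from CyberX, or from the article's author. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server with Microsoft Defender installed, and it uses only the built-in cmdlets and registry values named in the comments. The build-number test is a simplification: it only separates the Windows 10 line from older releases, not individual out-of-support Windows 10 builds.

```powershell
# Added host audit for the three CyberX findings (example code, not from the report).
# Run as Administrator. Each check returns an object with a Check/Value/Result triple.

function Invoke-CyberXFindingsAudit {
    $results = @()

    # 1. Unsupported OS: builds below 10240 are Windows 8.1 or older
    #    (Windows 7 is build 7601, XP is 2600), none of which receive patches.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $results += [pscustomobject]@{
        Check  = 'OS still serviced'
        Value  = "$($os.Caption) build $build"
        Result = if ($build -ge 10240) { 'OK' } else { 'UNSUPPORTED' }
    }

    # 2. Anti-virus definitions: Get-MpComputerStatus reports the age in days of the
    #    current signature set. More than a day old usually means updates are not
    #    arriving automatically (or Defender is disabled by a third-party AV).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $results += [pscustomobject]@{
            Check  = 'AV definitions current'
            Value  = "age $($mp.AntivirusSignatureAge) day(s), last update $($mp.AntivirusSignatureLastUpdated)"
            Result = if ($mp.AntivirusSignatureAge -le 1) { 'OK' } else { 'STALE' }
        }
    } else {
        $results += [pscustomobject]@{
            Check  = 'AV definitions current'
            Value  = 'Defender status unavailable'
            Result = 'UNKNOWN'
        }
    }

    # 3. RDP exposure: fDenyTSConnections = 0 means Remote Desktop is switched on
    #    (a fresh install has it set to 1). The firewall group tells us whether the
    #    inbound 3389 rules are enabled; UserAuthentication = 1 means Network Level
    #    Authentication is required, which at least blocks unauthenticated sessions.
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpOn  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla    = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
    $fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count -gt 0
    $results += [pscustomobject]@{
        Check  = 'RDP reachable'
        Value  = "enabled=$rdpOn firewallOpen=$fwOpen nla=$nla"
        Result = if (-not $rdpOn -and -not $fwOpen) { 'OK' }
                 elseif ($rdpOn -and $nla) { 'EXPOSED (NLA on)' }
                 else { 'EXPOSED' }
    }

    return $results
}

Invoke-CyberXFindingsAudit | Format-Table -AutoSize

# To put RDP back in the state a fresh install ships in, run (uncomment) the two lines
# below. Do this only on hosts where nobody depends on Remote Desktop for management.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Running this across a fleet (for example via `Invoke-Command -ComputerName ... -ScriptBlock ${function:Invoke-CyberXFindingsAudit}`) gives the same three percentages CyberX quotes, but for your own estate, which is the figure that actually matters.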
- Adopt MFA
- Go passwordless
- Use good email hygiene
- Modernise VPN architectures
- Patch apps and systems
- Monitor and pay special attention to remote access infrastructure
- Manage configuration changes
- Implement a secure software development lifecycle
- Take a 3-2-1 approach to backups
- Monitor cross-cloud security
- Limit access with least privilege
- Leverage machine learning to increase fidelity and reduce alert fatigue
- Closely monitor legacy, certified, and industrial control systems
- Slow attacks with network segmentation
- Manage the convergence of OT and IT
- Secure IoT and IIoT
- Know your perimeter
- Limit perimeter exposure
- Build a third-party risk program
- Invest in user training (and keep training)
- Adopt a Zero Trust mindset
Every one of these is bog standard and is suggested by every vendor, no matter their size. So what is new here, in this "gold standard"?