This is Susan Bradley for CSO online. Today, I’m going to talk about four pillars of security. Recently, Microsoft held their I.T. professional conference called Microsoft Ignite. The conference sessions are now all online and can be watched at your leisure. Prior to the conference, I was able to sit down with Microsoft CEO. Brett talked about some key elements that all of us should be doing in our firms in order to keep them more secure. Brett’s been working for Microsoft for over 30 years.
During that time, he’s moved from senior engineer to now corporate vice president and chief information security officer. Pillar number one, multifactor authentication. Based on the 2020 Verizon data breach investigations report, stolen credentials are behind 80 percent of cyber attacks, 80 percent. That’s a key reason that Microsoft is pushing so much on password list techniques because the attackers are going after our credentials. Phishing, 20 percent use of stolen credit credentials are hacking, 20 percent. Top top threats are to those credentials.
So what are you doing about them? Microsoft has three main password list options for Windows. Deployment’s first is Windows Hello for business, which includes biometric authentication and for cloud only deployments. You’ll need Windows 10, version 1511 or later. A Microsoft user account is your active directory as your multi factor authentication and modern management for hybrid deployments. You’ll also need a version Windows 10, version 1511 or later. Next, one thing that I personally use is the Microsoft authenticator app, note that you can also use the Google authenticator app for General Two-Factor verification, but you’ll need the Microsoft app at this time for the passwordless implementation.
Currently, it’s a preview, but I’d advise you to check it out. And finally, and I’ve seen this with a lot of financial firms, they prefer the FIDO2.0 security keys. You’ll need something like Youbikey, which supports resident key client PIN secrets and multiple accounts per repeat. The next key element that Brett pointed out was patching his recommendation is to not delay and to patch immediately. Now, I disagree, mainly because I work out here with users and machines and like many enterprises, I don’t patch immediately, but I patch after I test.
So I verify that there’s no issues in my environment. And then about a week later, I do roll out the updates. Until such time that enterprises have absolute trust in patches, I don’t think we can immediately patch, I still think we need to test before we roll out updates. The next key element, he said, was device control, ensuring that all devices connecting to your network, including company own personal and devices like printers and phone systems, should be identified, patched and secure, especially now with work from home that we’re doing with with coronavirus.
We have so many devices in so many things connecting to our network. Do you know what those are? Do you have tools in order to patch those? So you know what is attaching to your network? And I’ll go even further and suggest one more element that you probably should look at is ensuring that your consultants are also using secure and UP-TO-DATE tools when they remote and provide assistance with your firm. I’ve seen too many ransomware attacks these days that have started with the attacker gaining access to the business through their consultants.
Often the managed service provider provides the entry point. So you want to make sure that you check with your consultants and make sure that they’re providing secure tools as well. Next, Brett talked about benchmarks as a key element to secure your business. Ensuring that you’re following best practices means that you want to compare yourself to other benchmarks. So Microsoft 365 natively includes several tools, such as the Microsoft secure score. But you can also use tools such as the CIA’s controls.
For example, there’s a guide to implementing CIS controls – the Center for Internet Security with Microsoft 365 premium plan. And I recommend that you go out to these sites on a regular basis. Now, this is my demo, so obviously I don’t have that great of a secure score. But you want to come out here and make sure it’s not ever going down, as you can see here, but actually going up. So check your secure score. Microsoft also makes changes out here every now and then and changes benchmarks and changes items.
So you want to, like every month come out here and review. You can also download benchmarks from the Center for Internet Security. They include one for Microsoft Office and Office 365. You want to look at the Microsoft 365 Security Center and keep in mind some of these names, some of these sites are changing their name. For example, for example, the Microsoft Threat Protection is now being called the Microsoft 365 defender. And Azor Advanced Threat Protection is now Microsoft defender for identity.
So some of these sites will change and some of your landing pages will change. So beware of that.
I’m a fan of the Microsoft Defender Security Center, and this you can get with an E5 subscription if you don’t already have an E5 subscription, I highly recommend that you get a trial, test it out, see what you’re missing, see if there’s there’s information in here that you really need in order to keep your firm secure.
Microsoft will be consolidating many of these places and also putting more information to make everybody more secure. So take a look at all the different security centers across all the different products and make sure you’re familiar with where they’re located and what information they bring. Technology is changing rapidly. These four pillars multifactor authentication, patch management, management of endpoints and devices and comparing yourself to benchmarks are all pillars of good business security. These days. Attackers are getting smarter and they’re finding new ways to come after us.
Use these to make yourself more secure. As always, stay safe. Stay secure. Make sure you check out the videos on the IDG Tech Talk YouTube channel until next time. This is Susan Bradley for CSOonline.