CSRB castigates Microsoft, urges federal cloud security updates

The latest CSRB report heavily criticizes the cloud security practices of one of the federal government's biggest technology suppliers.

The Cyber Safety Review Board is lambasting the cloud security practices of one of the government’s biggest technology vendors.

The CSRB, in its report released Tuesday, details the review of the summer 2023 Microsoft Exchange Online intrusion. The report includes also several recommendations for how agencies could improve cloud security across government and beyond.

The board found a “cascade of Microsoft’s avoidable errors” contributed to an incident where hackers pilfered unclassified emails from 22 organizations and more than 500 victims, including Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, and House Rep. Don Bacon (R-Neb.)

“The board finds that this intrusion was preventable and should never have occurred,” the report states. “The board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

In a statement, a Microsoft spokesperson pointed to the company’s recently announced “Secure Future Initiative.”

“While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks,” the spokesperson said. “Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations.”

‘Failure of Microsoft’s organizational control and governance’

The CSRB report criticizes Microsoft for an array of security issues that the report says contributed to the Exchange Online hacks.

It found Microsoft lacked the identity security controls that were standard for other cloud service providers. Furthermore, the review found Microsoft’s cryptographic key rotation practices were outdated, allowing the hackers to leverage a 2016 key to forge access to the Exchange Online accounts.

The board said Microsoft “had not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape.”

And the CSRB said the company still does not know how the hackers obtained a 2016 Microsoft cryptographic key to forge access to the Exchange Online accounts.

It also criticized Microsoft’s “decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not.”

“Individually, any one of the failings … might be understandable,” the report states. “Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security.”

The report recommends Microsoft’s chief executive officer and its Board of Directors develop and implement a plan to “make fundamental, security-focused reforms across the company and its full suite of products, and then hold leaders at all levels of the company accountable for its implementation.”

CISA recommendations

The report also recommends all cloud service providers, not just Microsoft, should stop charging their customers for security logs. Microsoft recently announced it will make some security logs available as part of its standard cloud service package.

“Security-related logging should be a core element of cloud offerings and CSPs should provide customers the foundational tools that provide them with the information necessary to detect, prevent or quantify an intrusion, recognizing that many customers will still require additional or third-party analytic capabilities to build a fully mature security program,” the report states.

The report further recommends that the Cybersecurity and Infrastructure Security Agency lead a task force to define and adopt a “minimum standard for default audit logging in cloud services.”

“This standard should, at a minimum, ensure that all access (including access by the CSP itself) to customer business data in the cloud produces logs that are available to the customer without additional charges, with a minimum default retention of six months by the CSP,” the report states.

The CSRB report also lays out several cloud security best practices around authentication tokens, cryptographic keys, and other areas. It recommends that the Cybersecurity and Infrastructure Security Agency “validate annually with major CSPs that provide services to the U.S. government which of these and other applicable security practices they are implementing.”

It says CISA should publish the results of its review, including noting whenever a company refuses to provide the requested information.

FedRAMP updates

The report also recommends updates to the General Service’s Administration’s Federal Risk and  Authorization Management Program (FedRAMP) used by agencies.

“Cloud services are a critical component of the cybersecurity ecosystem, especially when they protect the most sensitive government data,” the report states. “However, the Board finds that existing compliance requirements for government cybersecurity do not consistently require sound practices around key management or token issuance.”

FedRAMP “can play a key role in ensuring stronger cybersecurity practices, including in cloud-based digital identity, across the cloud service ecosystem,” the report continues.

The CSRB recommends FedRAMP “establish a minimum threshold for periodically re-evaluating legacy FedRAMP authorization packages.” The idea would be to review those cloud services that are “widely used across the government,” while others may be considered “high value assets” under federal cybersecurity law.

The board also recommends FedRAMP set up a process for conducting “special reviews” of authorized cloud service offerings. The reviews would “convene security experts within the federal government to make recommendations for security improvements for the CSO,” according to the board’s report.

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    HHS, cybersecurity, Administration of Children and families,The Department of Health and Human Services building

    A look into whether one HHS component is properly securing its cloud information systems

    Read more
    cybersecurity maturity model certification

    The next security update: What you need to know about the newest version of NIST 800-171

    Read more