This post is also available in: עברית (Hebrew)
As can be seen reported across many news medias, Microsoft does not seem to be in a good spot at the moment, when it comes to security. From the leak of US government emails to Chinese threat actors to the leaked internal emails by its own top-level executives, experts are wondering why this tech giant, the second-largest corporation in the world, so often fails when it comes to information security.
When it comes to the leak to Chinese elements, Microsoft itself warned that China was likely to be stockpiling zero-day vulnerabilities just a year before Chinese hackers called “Storm-0558” hacked Microsoft with acquired digital encryption keys, taking advantage of “a validation error in Microsoft code.” The hackers then gained access to inboxes belonging to 25 organizations, including US government agencies, to steal the emails for intelligence gathering, according to Cybernews.
Senator Ron Wyden sent a letter to the Security and Infrastructure Security Agency (CISA) demanding Microsoft’s responsibility for negligent security practices, while the CISA itself demonstrated trust in the Microsoft toolkit when it released an open-source incident response tool to track malicious activity in the Microsoft Cloud.
Microsoft was later criticized for taking months to fix a serious issue with the Azure platform, leaving customers unprotected. Then in September, Microsoft leaked 38TB of private data, including personal computer backups with passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from hundreds of Microsoft employees.
All of these incidents beg the question- does the tech giant not learn from its mistakes? Well, it is important to note that we can’t precisely know from the outside how Microsoft conducts its security practices, since they do transparently disclose breaches and work on solutions.
Microsoft’s annual report reads: “We analyze 43 trillion security signals daily and use the insights to inform increased protections. This year, we blocked 34.7 billion identity threats and 37 billion email threats. Over the past four years, we’ve sent over 67,000 nation-state-related threat notifications to customers to help them protect themselves from digital threats.” The company further stated that it is committed to skill and recruit 250,000 people into the US cybersecurity workforce by 2025.
Furthermore, according to Cybernews, when considering the company’s immense size, its failure ratio is relatively low, despite each attack being significant due to the company’s influence.