In the summer of 2023, Microsoft's Exchange Online platform was the target of a cyberattack whose consequences reached well beyond the accounts that were directly compromised.

As it turns out, Microsoft apparently was not doing everything that it should have done to protect itself and its users. In a scathing 34-page report released by the U.S. Department of Homeland Security (DHS), the Cyber Safety Review Board (CSRB) has determined that Microsoft's security culture was “inadequate” following its investigation into the Summer 2023 Microsoft Exchange Online intrusion. The incident, perpetrated by a China-based threat actor known as Storm-0558, compromised the email accounts of several high-profile U.S. government officials and organizations.

The CSRB is an advisory body established by DHS pursuant to President Joe Biden's Executive Order 14028 on “Improving the Nation's Cybersecurity,” signed on May 12, 2021. Much as the National Transportation Safety Board (NTSB) examines the root causes of a transportation accident and issues recommendations to prevent future incidents, the CSRB performs the same task for cybersecurity. The CSRB's inaugural report, published on July 11, 2022, detailed its findings on the Log4Shell vulnerability in the Log4j library.

Key Findings of the CSRB report include the following:

  • The CSRB concluded that Microsoft's security culture was inadequate, citing a series of avoidable errors, failure to detect the compromise of its cryptographic keys and lack of timely correction of inaccurate public statements.
  • The board recommended that Microsoft's CEO and the tech giant’s board of directors develop and publicly share a plan to make fundamental, security-focused reforms across the company and its products.
  • The board also advised Microsoft to deprioritize feature developments until substantial security improvements have been made and to ensure security risks are fully assessed and addressed before deploying new features.

A ‘cascade of avoidable errors’ led to compromise

The CSRB's report highlighted a “cascade of Microsoft's avoidable errors that allowed this intrusion to succeed,” including the company's failure to detect the compromise of its cryptographic keys, which the CSRB likened to “crown jewels.” The report also noted that Microsoft relied on a customer to identify anomalies rather than detecting the breach independently.

“Microsoft's ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency,” the Board stated in its findings.

To address the identified shortcomings, the CSRB recommended that Microsoft's CEO and board of directors “directly focus on the company's security culture” and “develop, and share publicly, a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.”

The board also advised Microsoft leadership to “consider directing internal Microsoft teams to deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made.” It emphasized that “security risks should be fully and appropriately assessed and addressed before new features are deployed.”

Industry feedback and implications

Beyond Microsoft, the CSRB called on all cloud service providers (CSPs) to “be better stewards of the digital ecosystem” and “take accountability for the security outcomes of their customers.”

The board recommended that CSPs implement modern control mechanisms and baseline practices to reduce the risk of system-level compromises and adopt minimum standards for default audit logging in cloud services. The report also urged relevant standards bodies to refine and update digital identity standards to address risks commonly exploited in the modern threat landscape. It called for greater transparency from CSPs in disclosing incidents and vulnerabilities, even in the absence of regulatory obligations.

The new CSRB report is critical for a number of reasons, according to cybersecurity industry experts. John Gallagher, vice president of Viakoo Labs at Viakoo, said that the Microsoft Exchange incident in 2023 was one of the most significant cyberattacks in recent times.

“If you are going to review any incident in detail it should be this one because of the widespread implications to organizations of all sizes,” Gallagher told SDxCentral. “The finding that it was a preventable attack is crucial in establishing better defenses going forward.”

That said, Gallagher noted that what is missing from the CSRB report is an analysis of the remediation efforts and of how long it took organizations to address this attack. He emphasized that the fast notification highlighted in the report needs to be matched with faster remediation.

Claude Mandy, chief evangelist for data security at Symmetry Systems, noted that Microsoft is neither the first nor the only organization with an unknown number of at-risk keys in its environment that could be used to gain access to an IT environment and its data, nor will it be the last organization unable to determine how access was gained using those keys. Mandy suggested that organizations need to actively assess the state of access to their data and monitor usage of these keys where it matters most: the data they hold as custodians.

“The report from the CSRB is a damning report on the state of the internal Microsoft security capabilities, but also a huge wakeup call that must be heeded by other organizations,” Mandy told SDxCentral.