Microsoft’s Windows, Office 365 advice for secure elections

This is Susan Bradley for CSOonline.

Today we’re going to talk about elections. No don’t worry I’m not going to talk about politics. I’m going to talk about election security and specifically some actions that Microsoft is taking to make sure all elections across the world are more secure.

First off they’re offering free Windows 7 patches to any certified voting systems through the year 2020 both in the United States and in other countries as defined by the EU Democracy Index. But the risk to elections don’t stop there. Just because the ballot box may be secure doesn’t mean that the email that the candidates and their staffers are using is secure. Recently Microsoft indicated that attackers from Iran attempted to break into accounts of users that were related to the American Republican Party. While Microsoft didn’t state which campaign was attacked in their information, Reuters later on went to say that the Trump re-election campaign was targeted by Iran linked hackers. The attacks indicate that the attackers use time and resources to target the attacks. They investigated personal information, targeted secondary recent accounts and gathered phone numbers to better target the electors.
Microsoft urged the election officials to take specific action to protect their accounts and in doing so we too can learn some lessons about how to protect our systems.

Microsoft recommended that you review your account settings to see for unusual activity. For example here in the Microsoft account I can see that I recently logged in. And it’s where my address is located so I can review that. Everything that I expected to see here is proper and I don’t have anyone attacking from another location. Remember for Office 365 accounts you can review log files and you can enable a conditional access to limited logging ability from unusual locations. Next you want to make sure you enable two step verification or two factor authentication. And you can also enable identity verification apps such as the Microsoft authenticator app. You can also turn on yubkey, a hardware token key. That allows a hook to Windows hello to provide additional protection as well.

If you works for someone in the political space you’ll want to check out Microsoft account guard. It’s a new security service offered at no additional cost to these customers. It provides notification to the organization and impacted individual if either a hotmail outlook account or an Office 365 account associated with an organization is threatened or compromised by a known nation state actor. Microsoft also provides guidance on how to setup Office 365 securely for political campaigns not prop nonprofits and other organizations.

Specifically for not for profits Microsoft provides discounted licensing that one can take advantage of through organizations said just text soup dawg.

I personally think that information goes a long way to helping you be secure and there’s organizations such as the EAI ISAC services provided by the Center for Internet security. That allows officials in the United States and associations involved in governments and other organizations to sign up and get more information.

But what about for you and I? The common person who isn’t involved in an election or government. What do we have as resources? Don’t worry there’s information out there for us too. For example the Department of Homeland Security provides a cyber infrastructure security site that you can sign up for notifications. But what if you’re not in the United States of America? Look around for resources in your neck of the woods. For example if you relocate in Australia you can sign up for the Australian Cyber Security Centre and their notifications.
If you need actionable guidance on hardening hardening Windows operating systems the Centers for Internet Security provides checklists and benchmarks settings for workstations servers and cloud implementations. If you work for an industry that’s seen as critical infrastructure you can sign up for Infraguard a private public partnership with the FBI to share information.
So what takeaways can we take from learning about Election Systems and keeping them safe? Ensure you have a patched operating system. Microsoft has recently announced a change to make it easier for small and medium businesses to purchase extended support from Windows 7. Look for more information starting on December 1st 2019 on how to get extended support contract for Windows 7. You want to make sure you add two factor authentication to email accounts. You want to highlight and take special precautions to those users that are targeted. You want to ensure that you and your users are educated on threats and risks. Sign up for information from organizations that share information targeted to your size and your type of firm. Last but not least you want to review guidance on how to keep our systems more secure. For example Windows has provided a security baseline for Windows 10 1903 and server 1903. They’ll be upgrading this shortly in November to support Windows 1909 that’ll be coming out at that time. I’ll be discussing these settings in further detail in upcoming CSO Online tips. So even if you aren’t into politics are running a campaign it’s wise to review what Microsoft recommends to keep our election secure and see if you two can follow their guidance. Until next time. Don’t forget to sign up for tech talk on the IDG new YouTube channel for the tech news of the day. Until next time. This is Susan Bradley for CSO Online.

READ MORE HERE