Outlook troubleshooting: Outlook keeps prompting for password

Overview

Issue: when opening Outlook and afterwards on a regular intervals afterwards, Outlook keeps prompting for a password multiple times (x5 or more), even when the password is correct.

The error/connection message is sent to the desktop foreground on top of other applications.

Even when the password is ok, the message is thrown again multiple times, when the Outlook client is checking for mail, at certain intervals…

[Solution Spoiler = configure the registry to enable ExcludeExplicitO365Endpoint, but there might be other options for your case…]

Product version

In this specific situation, the products below were involved. The issue might also apply to other versions

• Office version= Microsoft 365
• Outlook version Microsoft® Outlook® for Microsoft 365 MSO (Version 2109 Build 16.0.14430.20224) 64-bit
• Exchange server version 15.1.2308.4008. (on premises)

Additional information

Type of mailbox

In this case, the issue was related to connecting to a functional/shared mailbox.
Connection to the personal mailbox was working fine, at first sight.

Standalone vs Domain

In this particular case, the PC was not connected to the domain of the Exchange server.

But also important connection on Outlook from domain joined PC is ok, no reconnection message.
[More on this at the end of the article, as the domain client had specific GPO policies configured, …]

Multiple mail accounts

Outlook connected to multiple mail accounts (so removing Outlook completely, was not really an option…)

No issue on phone

Connecting the same account on a smartphone, works fine.

Symptoms

Error message

No explicit error message but you get a window with

“Windows security

Microsoft Outlook

Connecting to <… mailbox …>

Remember my credentials”

Error screen

Troubleshooting

Account credentials

• Tried to change password (password reset)
• Tried to remove password in Microsoft credential manager
  • See Accessing Credential Manager: https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0

WARNING:

you might end up with a locked user account if you enter the wrong credentials by accident while outlook keeps popping up the password request. Better double check your password and better NOT enter it again, or change it in the password request. But you’ll get this request multiple times in a few seconds, that it can be quite annoying to get past it.

Mail account

• Tried to reinstall the mail account.
• Removed the mail account and reinstalled mail account.

Configuration panel – Mail profile

Create a new Outlook profile (do NOT remove the existing Outlook profile) and add ONLY the problematic account. Set it to ONLINE mode (disable caching mode)

You can manage this option via Control Panel > mail

Alternatively, when reinstalling the mail account in outlook, disable the option “Use cached Exchange Mode to download email to an Outlook data file”.

Check Outlook connection status

When Outlook is active, you’ll find an Outlook icon in the task bar…

To check the Outlook connection status you need to hold the CTRL button and then right click on the Outlook icon.

Then click “Connection Status…”

Check if you see the personal mailbox and shared mailbox connection.

Test Email AutoConfiguration…

When Outlook is active, you’ll find an Outlook icon in the task bar…

To check the Outlook connection status you need to hold the CTRL button and then right click on the Outlook icon.

Then click “Test Email AutoConfiguration…”

In the menu enter the mail address of the target mailbox, in this case it’s a share mailbox with a specific mail address.

Very likely you’ll see a bunch of autodiscover failures like:

Alternative – Network analysis with Fiddler

You can collect a network log with Fiddler or other network sniffer

www.telerik.com

1. Install Fiddler.
2. Select decrypt https traffic

1. Close fiddler
2. Close all programs, messengers, browser etc.
3. Start Fiddler
4. Start Outlook and wait until problem comes up
5. When problem appears STOP fiddler and close Outlook
6. Check the log files and see if you can detect the issue.

Solution

Policy control via registry setting

Source: Outlook 2016 implementation of Autodiscover

This applies to 2016 2019 etc… as well.

The policy values that are defined the Autodiscover Process section can be either policy-based registry values or non–policy-based values.  When they are deployed through GPO, or manual configuration of the policies key, the settings take precedence over the non-policy key.
Non-Policy Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
Policy Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover
Each value is of type DWORD.

So to exclude Office365 checking point we add following key:

ExcludeExplicitO365Endpoint and set the value to 1.

This setting is registry for client only.
Outlook will skip checking Office365 Endpoint for Autodiscover.

If you have already configured XML autodiscover it should not affect the existing setting as the information are stored in this XML file locally anyway so Outlook will know how to connect.

Outlook as priority always prefer local XML configuration. Then in case it cannot obtain certain data goes to another check point. So apart from first two steps  Outlook 2016 implementation of Autodiscover (microsoft.com) there are checking points we can configure how Outlook should obtain certain information. We can disable them or force them.

You can give it a try if this won’t work as desired you can always revert the changes.

Always make a copy of your registry before you change anything in the registry.

There is no really any other way from the client perspective.

In our case we can see many redirections and autodiscover failures. Not sure why, looks like Outlook refers to some old data or old domain URLS or cannot obtain properly Autodiscover configuration file and it is trying different combinations to guess which link for Autodiscover is working.
Once it calls for HTTPS Autodiscover of the correct link it gets timeouts… which might also indicate firewall issue or something.

Then it tries unencrypted HTTP and it succeeds. Now it redirects to Autodiscover configuration link. But it takes a few attempts to get there.
That’s why you get multiple popups of the error message / or the password prompt.

Why the issue did not hit the domain joined mail clients?

The mail administrator had following options configured already:

Setting the options for

• DisableAutodiscoverV2Service = 1
• ExcludeExplicitO365Endpoint = 1
• excludehttpredirect = 1
• excludehttpsautodiscoverdomain = 1
• excludehttpsrootdomain = 1
• excludelastknowngoodurl = 1
• excludeScpLookup = 1
• excludesrvrecord = 0
• zeroconfigexchangeonce = 1

References

• Outlook 2016 implementation of Autodiscover (microsoft.com)
• Enable and collect Outlook logs to troubleshoot profile creation issues: https://docs.microsoft.com/en-us/outlook/troubleshoot/performance/enable-and-collect-logs-for-profile-creation-issues

‘t QVAX data retentie fabeltje: alle gegevens zijn gewist. Echt niet.

Als Belg kent u ongetwijfeld QVAX, het kaduke wachtlijst platform dat in het leven geroepen is om het dagelijks overschot aan anti-corona vaccinaties op te lossen…

Bij de lancering ging het al stevig de mist in doordat het slecht ontworpen vertragings-mechanisme de overbelasting alleen maar erger maakte.

Het was bovendien met een Adblocker / cookie-blocker ook nog makkelijk te omzeilen ook…

Er zijn nog 250.000 wachtenden voor U,… nee 300.000…. of 400.00.

Nu hebben ze midden in de 5e Corona pandemie golf voor het booster vaccin QVAX opnieuw geactiveerd.

Als je jezelf wil aanmelden krijg je meteen een melding, ik citeer

“Als u QVAX als hebt gebruikt tijden de eerste vaccinatiecampagne, moet u weten dat alle gegevens zijn gewist. Uw QVAX Account bestaat niet meer en u zult een nieuwe moeten aanmaken.

Wees heel voorzichtig het het invullen van de juiste informatie. Maak vooral geen tikfouten in het e-mailadres (pas op voor de automatische correctie op een smartphone) en onthoud uw wachtwoord goed.”

en ook

“Let op! Als u QVAX al hebt gebruikt tijdens de eerste vaccinatiecampagne en u wilt uw account opnieuw activeren, weet dan dat dit niet mogelijk is! Alle bestaande accounts zijn verwijderd en u moet dus een nieuwe account aanmaken”

https://www.qvax.be/login

Dus dan denk je… ik maak dus een nieuwe account aan.

Dan krijg je dus deze foutmelding

“Reeds bestaand account voor dit identificatienummer (INSZ)”

Dan probeer je in te loggen, … met een password manager, …

Blijkt de login niet te werken. Dan maar even zelf proberen… Zonder success.

Dus dan maar een reset.

Met het oude passwoord, van de password manager.

DAT heeft ie dus OOK nog onthouden.

Dus, als je TOCH nog QVAX wil gebruiken om sneller aan je booster te geraken, beste jongeling, … probeer eerst in te loggen via https://www.qvax.be/login.
Als dat niet werkt, doe een password reset via https://www.qvax.be/password.

Want je gegevens zitten nog in het systeem… en voor hoelang, dat zoek je zelf maar uit.
Zolang de pandemie duurt… als we nog een serie corona golven krijgen… + 5 dagen na het einde van de laatste golf.
“Als algemene regel geldt dat de verwerkingsverantwoordelijken de persoonsgegevens niet langer
bewaren dan redelijkerwijs noodzakelijk is voor de doeleinden waarvoor zij zullen worden
gebruikt en in overeenstemming met de wettelijke en bestuursrechtelijke voorschriften.
Wij bewaren uw gegevens tot maximum 5 dagen vanaf de dag na de bekendmaking van het
koninklijk besluit dat het einde van de epidemie ten gevolge van het COVID-19 coronavirus
aankondigt.”

Dat is wat hun Privacybeleid tenminste zegt.
Het is alvast korter bij de waarheid dat ze je gegevens niet wissen.

Note-to-self: KopieID (to blur your ID card fotocopy)

Source:

• Netherlands: https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/vraag-en-antwoord/veilige-kopie-identiteitsbewijs
• Belgium: https://kopieid.be/nl/

As explained here (in Dutch) and here (Dutch), it’s a terrible ID (sorry, idea), to copy your identity card and hand over the unprotected copy to someone….

Therefore it’s highly interesting to protect the photocopy against abuse, in the ultimate case you need a photocopy of your identity card…

KopieID NL

In the Netherlands the government has provided an app for your mobile phone, to take a photo of your ID and then blur the redundant information and to add a remark / watermark to indicate the purpose limitation.

Check it out here:

They also provide an interesting video explanation:

KopieID BE

In Belgium, there is a website (without app) that does the same, see here:

References

Source articles:

• (Dutch) https://www.linkedin.com/pulse/denk-2-keer-na-voor-je-een-fotokopie-laat-maken-van-peter-geelen-/
• (Dutch) https://www.linkedin.com/pulse/wat-dan-het-probleem-met-een-kopie-van-je-eid-extract-peter-geelen-/

Reference material from the articles:

• Ministry of Privacy Magazine: https://ministryofprivacy.eu/wat-we-doen/magazine-ministry-privacy/
• (LinkedIN) Het gebruik van uw identiteitskaart als waarborg?
• (GBA BE) Aanbeveling uit eigen beweging over het nemen van een kopie van de identiteitskaart en over het gebruik en de elektronische lezing ervan (CO-AR-2010-008)
• Dossier eID : https://www.gegevensbeschermingsautoriteit.be/burger/thema-s/elektronische-identiteitskaart-eid
• Zoek Overige eID topics: https://www.gegevensbeschermingsautoriteit.be/burger/zoeken?q=eid
• [GBA BE] Welke wetgeving is van toepassing?: https://www.gegevensbeschermingsautoriteit.be/eid

Picture credits: Image by mohamed Hassan from Pixabay 

Image source: https://pixabay.com/illustrations/hack-fraud-card-code-computer-3671982/

Note-to-self: SOC2 mapping to ISO27001

Just in case you get into SOC2 and want to know how to map it to existing information security implementation, whatever it may be, GDPR, ISO27001, NIST, … check this page

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

It includes:

• 2017 TSC mapping to ISO 27001
• 2017 TSC mapping to NIST CSF
• 2017 TSC mapping to COBIT5
• 2017 TSC mapping to NIST 800-53
• 2017 TSC Mapping to GDPR

These links have nice XLS format sheets, with a bidirectional comparison between the frameworks.

Info on SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

SOC and SOX?

“ SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.“

https://immedis.com/blog/what-are-the-key-differences-between-soc-and-sox/

https://www.logicgate.com/blog/a-comparison-of-soc-and-sox-compliance/

Also

https://linfordco.com/blog/soc-2-security-vs-iso-27001-certification/

(braindump article, still in progress)

This award is for you, because YOU are my most valuable professional who made this possible.

I’m honored and humbled that I’m part of the Microsoft Most Valuable Professional (MVP) community award for another year.

As explained on the program page “MVPs, are technology experts who passionately share their knowledge with the community.” It’s an award for your Microsoft community work of the past year… you can find more details on the MVP website mentioned earlier.

But building community is not a one-person activity, not a job, …

It’s a passion, it’s fun, sharing knowledge and best practices with many people over the world, all eager to build community.

And last year (or longer) has been very challenging to keep the community running without face-2-face events, shifting to online only. It was hard work. And the MVP award renewal cycle has been very special this year, taking into account the Corona conditions.

But nevertheless, I can’t keep up this work without support of you, my dearest colleagues, partners, technology experts, community fellows, my audience, …
I won’t list any specific person, because I would not do honor to all the rest… too many to list.

Therefor a big shout out of gratitude for your support.

Thank YOU for supporting me, making this possible.

I dedicate this award to you, to your support. This is your award.

In the world of security, cyber- and cloud security, sharing knowledge is one of the most important principles to win the battle against cybercrime. Learn from the mistakes others have made.

I’m doing my best to keep up the work and to meet the bar of excellence, to be an community lead, to build community and to share knowledge.

This award and your appreciation gives me the extra motivation to keep going and do better next year!

Thank you!

CCSP and CCAK, not versus: build your cloud security expertise path based on your needs.

Last week (ISC)² published a blog post on the choice between CCSP and CCAK.

You can find it here: https://www.isc2.org/articles/CCSP-versus-csa-ccak.

“What is the right certification for you?”

The main title of the (ISC)² article on CCSP vs CCAK is “CCSP Certification vs. CCAK Certificate: What Are the Distinctions?”

That’s exactly what you get. A list of technical differentiators between CCSP and CCAK, but according to (ISC)².

But if you hope to get an actual answer to what the right certification is, for you… they forget to ask …you.

What do you think would be the conclusion, if you ask that question to either one of the contestants while you compare 2 certifications? Of course each party will simply draw the conclusion that their own certification is the best choice.

To answer the most important question, the dilemma CCSP or CCAK, is simple: do you need technical or audit skills for cloud security?

The answer

In essence, the answer is simple:

• if you need cloud audit skills, dive in to the Cloud Security Alliance (CSA) and ISACA Certificate CCAK.
• if you want to have architect level technical cloud expertise and knowledge, choose CCSP
• if you want cloud security knowledge, in basic or advanced hands-on, there are other choices to start with (more about it below)

So, if you ask the question “what is the right certification for you”, you immediately know that there is no right answer, but there are many options.
Options for a multi level expertise roadmap in cloud security, based on your current skills and your future goals.

If you like a tough challenge: why not jump into the CCAK or CCSP, CCSP or CCAK, whatever, right away.

But if you would like to boost your chance of success… take a deep breath and better plan smartly.

And don’t start with CCSP/CCAK, but prepare your track towards CCSP/CCAK first.

First some background to plan your roadmap

Setting expectations

Just to set expectations, this article only focuses on the personal education and certification options, offered by (ISC)², ISACA and CSA. Including other education provider would lead us too far.
There are way more other (cyber)security certifications available, but we focus on the cloud security track, which limits the options…

Feel free to comment with other options for cloud security training. I’ll update the article where relevant.

CSA CCSK

The Cloud Security Alliance launched the CCSK in 2011. And as they explained here, “the CCSK was quite literally the industry’s first examination of cloud security knowledge when it was released back in 2011. “

The CCSK is an easy entry, high level introduction to Cloud Security, and it doesn’t require you to have deep technical cloud security expertise.

But it still is a nice baseline for the cloud security essential knowledge.

(ISC)² – CCSP

In short: CCSP = CISSP [by (ISC)²]+ CCSK [by CSA]

The long version is explained in the (ISC)² article comparing CCSP and CCAK.

• CCSP = Certified Cloud Security Professional
• You need at least five years of cumulative, paid work experience
• CCSP is pretty much the same level of difficulty as CISSP, but has focus on cloud security.

The CCSP was launched in 2015, as a cooperation between (ISC)² and CSA. (see CSA press release here), a couple years after the CCSK launch in 2011.
The CCSP is the bigger brother of the CCSK, more advanced, and as CSA rightfully mentions in there CCSK-CCSP comparison blog, the CCSP is on the level of CISSP with a major cloud flavor.

That’s where the dummy math description comes from…

CCSP = CISSP + CCSK.

But CCSP certainly is not an entry level exam.

More information:

• https://cloudsecurityalliance.org/blog/2018/04/24/ccsk-vs-ccsp-unbiased-comparison/

ISACA & CSA – CCAK

CCAK = CISA [ISACA] + CCSK [CSA]

CCAK (Certificate of Cloud Auditing Knowledge) is cohosted by ISACA and CSA.
And then you immediately know the approach is different than the approach of (ISC)².

ISACA (Previously known as the Information Systems Audit and Control Association®) stems from audit.
CSA focuses on cloud security.

That’s exactly what CCAK is about : cloud security audit.

See here:

• https://cloudsecurityalliance.org/education/ccak/
• https://www.isaca.org/credentialing/certificate-of-cloud-auditing-knowledge

As ISACA mentions on their product page: “The Industry’s First Global Cloud Auditing Credential”.

CISSP

For completeness, I mentioned the CISSP ( Certified Information Systems Security Professional).
I don’t think it needs a lot of explanation, it’s pretty much the reference standard for IT Systems security. (ISC)² references it as “The World’s Premier Cybersecurity Certification”.

It’s a pretty heavy exam, and it does require at least 5 years professional security experience. This is not an entry level exam.

More info: https://www.isc2.org/Certifications/CISSP

SSCP (Systems Security Certified Practitioner)

Due to the experience requirements, CISSP might be a tough credential to start with, although you can pass the exam, and continue to build your experience to grab the CISSP title…

If you want the plan your credentials the smart way, or you’re fresh in cyber-, information or IT-security, you better start with SSCP.

That the little brother of CISSP, and it’s an excellent way to step up to CISSP. More info: https://www.isc2.org/Certifications/SSCP

Where to start?

Cybersecurity & Information security essentials

As explained earlier, for tech skills in cyber-, IT and information security: look into SSCP first.

(Then step up to CISSP.)

Cloud security essentials: CCSK

Now it’s obvious what your first step in cloud security education should be: CCSK.

The CCSK is the perfect introduction to cloud security essentials.

Although it’s very helpful to have some technical IT basic knowledge, the CCSK is very accessible for general audience.

To prepare for the CCSK, you can follow classes or self-study via a completely free preparation toolkit.

Source: CSA CCSK v4 exam (https://cloudsecurityalliance.org/artifacts/ccskv4-exam-prep-kit/)

You can buy a double-try access ticket for the CCSK online exam (60 questions, 90 minutes), so if you would fail the first attempt, study again and retry the exam.

Then plan your track: only technical (no interest for audit) or audit, or both

Only technical

If you focus on technical expertise in cloud security, CCSP is a reference standard (at least, on of them…) .

As mentioned: CCSP = CISSP + CCSK.

So the track is clear

• After passing the CCSK exam,
• Take the CISSP exam
• then take the CCSP

This is the easier route if you already have 5yr+ experience. It’s not the cheapest route, as you pass the CISSP first, but it’s worth the effort. (you only need to pay 1 yearly fee at (ISC)², so after 1 certification, … no extra cost in yearly membership fee)
For junior, less experienced, security engineers, start with SSCP before jumping into CISSP, and then CCSP.

Audit

When you target IT security audits, you need to take a different route depending your background.
Having the CCSP/CISSP background is extremely useful to boost your career in audit.

But for the CCAK, the core audit baseline is CISA.

Keep in mind, similar to CISSP and CCSP, CISA has the same requirements regards professional experience, 5 years.

But if you’re a ISACA CISA, you can add CCSK to the track and land on the CCAK.

Both?

Then it’s obvious, first tech, then audit, meaning a smart combination of

1. CCSK
2. (SSCP > ) CISSP
3. CCSP
4. CISA (or alternative)
5. CCAK

Alternative routes

ISO27001 Implementer & Auditor

And alternative route to the auditing experience is ISO27001 auditing, but you’ll need some implementation experience before you can audit.

CISM

Within the ISACA portfolio, the CISM (Certified Information Security Manager), covers the same areas as most ISO27001 (lead) implementer courses.

Which can be helpful to ramp up for the CISA audit part, to gain some hands-on in IT & Infosec governance.

Visualizing your cloud security education roadmap

Lots of blah for a simple choice?

Allow me to visualize the options…

The difference between “certification” and “certificate”, does it really matter?

In it’s blog post (ISC)² tries to put CCSP above CCAK by saying “CCSP is a certification; CCAK is a certificate.”

And they continue “A certification recognizes a candidate’s knowledge, skills, and abilities, typically framed by a job role, while a certificate’s scope is narrower and only documents training course completion. A certification often requires continuing professional education (CPE) to stay in front of trends, while a certificate’s body of knowledge does not evolve over time or require CPE credits to maintain.“

And their explanation is at least flawed and cutting corners to benefit CCSP.

There are many explanations and interpretations of “certification”, depending the context.
But in essence, “certification” is a process and a certificate is a document (the result).

When you certify for “CCSP” at (ISC)², you need to comply with the CCSP condition and then get a document, your CCSP certificate.
Idem for CCAK, you need to comply with their conditions.

Both the certification process for CCSP as the process for the CCAK are used by other similar education providers.

Eg, PECB, ISACA, EC-COUNCIL, … and others require to pay a yearly fee, keep CPE/CPD (continous professional education or development). Some yearly fees are cheaper as others.

Like CSA, Microsoft and others ask for a 1 time exam fee, and then update the exam on longer term, not yearly, and do not require a yearly maintenance fee.

It’s a choice of the certificate owner, how the evaluation and exams are done.

Some of them comply to the ISO17024, and education standard. There are huge benefits to comply (like increased credibility, compatibility with other certifications, …). But it’s not mandatory.

(ISC)² uses an exam, with experience requirement and continuous education once you pass the exam, but you do not need to pass the exam again, unless it’s upgraded to a new build or major version.

But CSA does exactly the same, for example when CCSK was upgraded from v3 to v4, you needed to pass the exam again.

Not on a yearly basis, but the program is updated, the exam is updated… on a regular basis, without yearly fee.

It’s rather a (small) financial effort, not of significance for most companies paying the bill. (Although as an individual, the cost of certification can become a serious burden…)

And it’s certainly not relevant when choosing between CCSP and CCAK. CCAK is cheaper, as referenced in the (ISC)² comparison chart.

References

(ISC)²: CCSP Certification vs. CCAK Certificate: What Are the Distinctions?

• https://www.isc2.org/articles/CCSP-versus-csa-ccak

Cloud Security Alliance (CSA)

• https://cloudsecurityalliance.org/

CSA Certificate of Cloud Security Knowledge (CCSK)

• https://cloudsecurityalliance.org/education/ccsk/

CSA & ISACA CCAK

• https://cloudsecurityalliance.org/education/ccak/

• https://www.isaca.org/credentialing/certificate-of-cloud-auditing-knowledge

CCAK learning material

• Learn on your own: https://cloudsecurityalliance.org/education/ccak/#prepare-for-exam
• or, option 2, check the training

CCSK vs CCSP

• https://cloudsecurityalliance.org/blog/2018/04/24/ccsk-vs-ccsp-unbiased-comparison/

Vocabulary (alphabetical)

CCAK: Certificate of Cloud Auditing Knowledge (https://cloudsecurityalliance.org/education/ccak/)

CCSK: Certificate of Cloud Security Knowledge (https://cloudsecurityalliance.org/education/ccsk/)

CCSP: Certified Cloud Security Professional (https://www.isc2.org/Certifications/CCSP)

CSA: Cloud Security Alliance (https://cloudsecurityalliance.org/)

(ISC)²:  International Information System Security Certification Consortium (https://www.isc2.org/)

Is “not paying” THE solution against ransomware?

The discussion and opinions on paying ransom in case of cyber-ransomware is very alive and vivid.

Many people have strong opinions, but the actual victims of ransomware are seldom heard. They mostly keep silent.

This article is the English translation and adaptation of an article, originally published in Dutch, earlier.

(Source) Initial article in Dutch : https://identityunderground.wordpress.com/2021/07/30/de-oplossing-tegen-ransomware-volgens-brian/

In Trends magazine, Brian Schippers published an opinion article a few days ago with a very easy and simple solution against ransomware: don’t pay. (Source: Trends)

I must admit, it’s a great opinion article to get a nice discussion going with companies. At least it helps to raise awareness of ransomware and ransom payments. But unfortunately the article is not a Greek ancient-wise talk [σοφςς].

But he’s right about the reprehensible statements made by some of the ransomware victims. It is outrageous that a company dares to claim that ‘only’ 300K has been paid.

(translated quote) “We understand that we are suffering reputation damage, but we can’t be blamed,” the company manager told reporters. That statement in the press will haunt him for a while.

And it’s not the first time we’ve witnessed such statements. For another company from the Westhoek (Western Belgian Region, near the coast) , it was “less than 1 million”…

It’s very meaningful, how little business leaders worry about ransomware or how careless they can be to protect their business.

And Brian puts forward a very nice theory how to stop ransomware, … in the ideal world.

But unfortunately, the article does not show in any way that the opinion-maker, in real life, has ever been on the side of a defenseless victim who is completely under the control of some remote criminal.

Because the choice to (NOT) pay a ransom is only available if you have a well-functioning and thoroughly tested backup and restore system.

At that moment, when it happens, all preventive measures have clearly failed already. Way too late to have regrets…

Prevention only works BEFORE the criminal strikes. Or when he has left again, to avoid repetition.

People do not choose to pay ransomware. It’s the last resort.

They just have no choice. All other means are already exhausted or unavailable.

You don’t pay a ransom if your backup/restore system works properly.

Without a guaranteed recovery function, mathematics is very simple

If you

• DO NOT pay =  100% GUARANTEE that you LOSE your DATA and you’re almost certain that your company will also be dead very quickly, or at least suffer long-term or irreparable damage.
• PAY = there is SOME chance that you may see (something) of your data again. That’s always better than the previous option, no matter what it costs.

The third option in between is that the cost of the ransom is lower than the real cost of restoring your data. If you run into a cheap criminal, you can only try to talk him out of it and limit the damage. Pure math.

What if…?

It’s very easy to imagine: if a good-looking homejacker just rings the doorbell at your home. And your dearest opens the heavily armed front door.

A few seconds later, the robber asks you to clear your bank account completely with a gun to your dearest one’s head.

Are you going to pay or not?!

Do you have a choice?!

Replacing your dearest… is not an option, I would think.

With ransomware, the situation is exactly the same.

Well, Brian Schippers apparently doesn’t think so.

In his article Mr. Schippers is very convinced that you should certainly not pay a ransom. But the article does not offer any concrete, useful solution or practical suggestion as alternative.

He talks about a “security solution”… and reading between the lines you easily know where it should come from.

But there is no mention of decent and continuous training of people, thorough awareness training and thorough backup/restore or even better offline backup, even in the current age of cloud.

Because with “wise” software alone, it won’t work.

Even with the best technical security you have, people remain the weak point.

And the stronger the security, the more crime will target people directly.

And people make mistakes. People make software. Each software contains errors.

And mistakes will always be exploited.

And you only need just one employee who is fooled by a cleverly designed, but infected mail or a noble unknown on the phone.

It happens in no time, there are more than enough statistics in practice.

Because the hack or phishing is so well designed these days, that even cyber professionals can’t easily detect fake mails.

“The budget should not be a problem.”

Yes, yes, of course it shouldn’t, Brian! Nice slogan.

NOT.

Because the practice proves something completely different:

cyber protection < a very small percent of the IT budget < a small percent of the company budget.

Well, now what?!

It would be quite different if business leaders and managers were personally held liable for a pertinent lack of “state-of-the-art” (i.e. up-to-date) security that aligns both people, processes and technology very well.

Only THAT would solve the whole ransomware problem, very quickly. Deprive the criminal from his leverage.

Don’t look too far. Just look at how the insurance companies are doing in real life.

See how they implement car, fire, liability or other insurance. If it is shown that you are negligent, knowingly refuse to implement sufficient security … then the insurance will not pay or will claim back the refund.

Easy and simple, isn’t it?

Not so in cyber insurance, that’s the wild west. For a couple a thousand Euros in insurance, you get a bag of money of a couple millions to pay the criminal.

You bet on hackers to give up.

And if you bet hackers will give up soon, start by giving a “tournée générale” (buying a beer to everyone).

Because cybercrime and ransomware is big business. They make a lot of money with crime, so they won’t give up. Not now, not ever.

[BTW, it’s not because known ransomware groups suddenly disappear that they’re gone too. We don’t know the facts about that yet…]

But criminals don’t respect any law or rule. And they certainly don’t have ethical principles. It’s just a business that makes a lot of money.

So they are always have a head start and they are very motivated. And they will twist your arm even harder… or worse.

Finally

We must keep repeating that state-of-the-art security is all about security solutions at different layers and levels, which look beyond technology.

When you keep claiming you should not pay for ransomware, you’re running after the facts. In practice, it doesn’t solve anything… People in distress and panic will ignore law and ethical guidelines.

Also in physical life, many authorities officially declare that they do not give in to ransom demands. Is paying a ransom prohibited by law? But in many cases, money is paid clandestinely. Reality check.

So?

Make sure that the liability for implementing poor security measures hurts the right person, in the right place. Not the employees, but their boss.

And consequently:

So make sure that cybersecurity is sponsored at the top management level.

Dé oplossing tegen ransomware volgens Brian

In Trends magazine, heeft Brian Schippers een paar dagen geleden een opinie artikel gepubliceerd met een poepsimpele oplossing tegen ransomware: niet betalen. (Bron: Trends)

Toegegeven, het is een geweldig opinie-artikel om een lekkere discussie met bedrijven op gang te trekken. Het helpt tenminste om de bewustwording van ransomware en losgeld aan te wakkeren. Maar het artikel is jammer genoeg geen Griekse oude-wijzen praat [σοφός].

En hij heeft wel gelijk over de laakbare uitlatingen van sommige slachtoffers. Het is schandalig dat een bedrijf durft beweren dat er ‘maar’ 300K betaald is.

Herinnert U het nog: “We begrijpen dat we imagoschade lijden, maar ons valt niks te verwijten.”, zei de bedrijfsverantwoordelijke in de pers. Die uitspraak in de pers zal ‘m nog wel een tijdje achtervolgen.

En het is niet de eerste keer dat we dergelijke uitspraken mogen noteren. Voor een ander bedrijf uit de Westhoek, was het “minder dan 1 miljoen”… 

Het zegt heel veel, hoe weinig zorgen bedrijfsleiders zich maken over ransomware of hoe nonchalant ze kunnen zijn om hun bedrijf te beschermen.

En Brian heeft een heel leuke theorie om ransomware te stoppen in de ideale wereld. 

Maar de tekst toont jammer genoeg op geen enkele manier dat de opiniemaker ooit met praktijkkennis aan de zijde heeft gestaan van ‘n weerloos slachtoffer dat volledig onder controle is van een of andere crimineel op afstand.

Want de keuze om losgeld (NIET) te betalen, heb je ENKEL EN ALLEEN als je een goedwerkend en grondig getest backup en restore systeem hebt.

Op zo’n moment hebben alle preventieve maatregelen duidelijk al gefaald. Dus dat zijn vijgen na Pasen.

Preventie werkt alleen VOOR de crimineel toeslaat. Of als ie weer vertrokken is, om herhaling te voorkomen.

Mensen kiezen niet om ransomware te betalen. Het is het laatste redmiddel.

Ze kunnen gewoon niet anders. Alle andere middelen zijn dan al uitgeput.

Je betaalt geen losgeld als je backup/restore systeem goed werkt.

Zonder gegarandeerde herstelfunctie is de wiskunde heel simpel

• NIET betalen = 100% GARANTIE dat je je DATA KWIJT bent en zo goed als zeker dat je bedrijf ook heel snel kapot is, toch tenminste langdurige of onherstelbare schade lijdt.
• BETALEN = enige kans dat je mogelijk nog (iets) van je data terug ziet. Da’s altijd beter dan vorige optie, wat het ook kost.

De derde optie hiertussen is dat de kost van het losgeld lager is als de reële kost om je data terug te zetten. Als je een goedkope crimineel tegenkomt, kan je maar proberen om ‘m om te praten en de schade te beperken. Pure wiskunde.

Wat als…?

Het is héél gemakkelijk voor te stellen: als een goedogende homejacker gewoon aanbelt bij je thuis. En je allerliefste doet de zwaar bewapende voordeur open. 

Een paar seconden later vraagt de overvaller jou om je rekening volledig leeg te maken met een pistool tegen het hoofd van je allerliefste.

Ga je betalen of niet?!

Heb je keuze dan?!

Jouw allerliefste vervangen… is geen optie, zou ik denken.

Met ransomware is de situatie net hetzelfde.

Nou, Brian Schippers vindt dus blijkbaar van niet.

Mr. Schippers roept in z’n opinie artikel hoog van de toren dat je zeker geen losgeld mag betalen. Maar enige concrete, bruikbare oplossing of praktische suggestie biedt het artikel anders niet echt.

Hij spreekt volop over “security oplossing”…het schemert anders wel duidelijk door waar die vandaan moet komen.

Maar er wordt echter geen woord gerept over goede en continue opleiding van mensen, doorgedreven awareness training en doorgedreven backup/restore of beter nog offline backup, zelfs in het huidige cloudtijdperk.

Want met “wijze” software alleen, zal het niet lukken.

Zelfs met de beste technische beveiliging die je hebt, mensen blijven het zwakke punt.

En hoe sterker de beveiliging, hoe meer de criminaliteit zich op de persoon zelf richt. 

En mensen maken fouten. Mensen maken software. Elke software bevat fouten.

En er zullen altijd fouten uitgebuit worden.

En je moet maar 1 medewerker hebben die om de tuin geleid wordt door een slim ontworpen, maar besmette mail of een nobele onbekende aan de telefoon. 

Het is zo gebeurd, meer als genoeg cijfers in de praktijk.

Want de hack of phishing is tegenwoordig zo goed ontworpen dat zelfs cyberprofessionals vals en echt moeilijk kunnen uit elkaar houden.

“Het budget mag daarbij geen probleem zijn.” 

Ja ja, tuurlijk mag dat niet, Brian! Mooie slogan.

NOT.

Want de praktijk zegt helemaal iets anders: cyberbescherming < een heel klein percent van ‘t IT budget < een klein percent van het bedrijfsbudget.

Nou, wat dan wel?

Het zou helemaal wat anders zijn als bedrijfsleiders en managers persoonlijk aansprakelijk zouden zijn voor een pertinent gebrek aan “state-of-the-art” (dus up-to-date) beveiliging die zowel personen, processen als technologie goed op mekaar afstemt.

DAT zou pas het hele ransomware probleem oplossen, heel snel.

Heel ver moet je niet kijken. Kijk maar hoe de verzekeringen het aanpakken in het fysieke leven.

Kijk wat toegepast wordt in auto-, brand-, aansprakelijkheids- of andere verzekering. Als aangetoond wordt dat je nalatig bent, willens en wetens weigert om voldoende beveiliging te spenderen … dan vordert de verzekering het terug.

Simpel toch?

Niet in cyberverzekering, dat is het wilde westen. Voor een koppel duizend Euro aan verzekering, zit je op een zak geld van een koppel miljoen Euro.

Wedden dat hackers het opgeven?

En als je erop wedt dat hackers het snel zullen opgeven, begin dan alvast maar met een tournée générale te geven.

Want cybercriminaliteit en ransomware is big business. Ze kunnen met misdaad veel geld verdienen, dus die geven niet op. Nu niet, nooit niet.

[BTW, het is niet omdat gekende ransomware groepen plots van de aardbol verdwijnen dat ze ook weg zijn. Daar weten we het fijne nog niet van…]

Maar criminelen houden zich aan geen enkele wet of regel. En ethische principes hebben ze al helemaal niet. Het is gewoon een business, die veel opbrengt.

Dus ze zijn altijd in het voordeel en erg gemotiveerd. En ze zullen je arm nog harder omwringen… of erger.

Tot slot

We moeten blijven herhalen dat goede beveiliging draait om beveilingsoplossingen op verschillende lagen en niveaus, die verder kijken als alleen maar technologie.

Je kan nog lang roeptoeteren dat je geen ransomware mag betalen. Dan loop je achter de feiten aan. Dat lost niets op in praktijk.

Ook in het fysieke leven, roepen heel wat staten officieel dat ze niet toegeven aan losgeldeisen. Is daar losgeld betalen bij wet verboden? Maar er wordt op veel plaatsen clandestien toch geld over tafel geschoven. Realiteit.

Dus?

Zorg dat de aansprakelijkheid voor gebrekkige veiligheid pijn doet, bij de juiste persoon, op de juiste plaats. Niet bij de werknemers, maar bij hun baas.

En bijgevolg,

Zorg dus dat cybersecurity gesponsord wordt op topmanagement niveau.

2021 Updated cybersecurity threat and data breach reports

Just a quick note, but always interesting to use as reference in security discussions with management teams or in security workshops: cybersecurity threat and data breach reports.

I’ve collected them on this blog page: https://identityunderground.wordpress.com/interesting-links/useful-cybersecurity-data-protection-breach-reports/

When new versions are released, I’ll keep the page updated.

Feel free to notify me if you noticed other interesting threat and data breach reports, or updates to the reports posted earlier.

Note-to-Self: workaround for bcc (blind copy) of meeting requests in Outlook

---

This article has also been posted on Microsoft Wiki, feel free to add suggestions and extra information.

Outlook Quick Tip: workaround for bcc (blind copy) of meeting requests

Issue

For meeting requests in Microsoft Outlook, the program does not have a bcc (aka Blind copy) option to add participants to a meeting, without publishing all personal data (mail addresses) to the other participants. 

Microsoft is aware of the issue, but hasn’t fixed the option yet.

Still you can request to have this option or request this function in Outlook, via Windows Feedback hub (hit the W10 Windows button, and type feedback) of via Microsoft Tech Community or Microsoft Q&A.

Visibility of participants to other participants

When you add participants to the “Required” or “Optional” section, they can see each others mail addresses. For smaller groups of people, that probably know each other, it’s not a big thing.

But for public events, this might be an issue. And certainly for large groups of participants, this is an overload of information.

And additionally, it might be considered as an inconvenience (or even a data breach) to publish data of other participants in a large group.

Limiting visibility to other participants

For matters of data protection it would be very handy to send the invite to the participants without exposing too much data.

Work around

As the bcc: option is missing, you can add people to the “Resources” option.

Steps

Create a new meeting request.

In the meeting options select, the “Required” or “Optional” button.

Then in the resources option, add the contacts or mail addresses of the participants.

Then add the required information to the invite, including online meeting options (Teams, …) and send the mail.

Alternative option : using iCAL file option via mail

Another option is

1.  to create an meeting in your agenda,
2. add the required meeting details (including teams invite)
3. Save the meeting as iCAL file
4. Create a mail,
   1. add the iCAL file
   2. add the the participants in bbc

References

More information can be found in these articles:

Resource option

Reddit

•  https://www.reddit.com/r/Office365/comments/khfi0a/meeting_invites_in_outlook_dont_have_a_bcc_field/

iCAL Option

Slipstick

• https://www.slipstick.com/outlook/calendar/to-cc-or-bcc-a-meeting-request/

RocketIT

• https://rocketit.com/sending-emails-to-large-groups

---