by Contributed | Jan 21, 2022 | Technology
This article is contributed. See the original author and article here.
Hello friends,
Happy new year everyone! With the new year come new possibilities. Today I’m excited to announce two Azure AD External Identities updates including the public preview of multi-factor authentication (MFA) with time-based one-time passcode (time-based OTP) for B2C users and an important change to our support for data residency in Azure AD B2C directories.
Strengthen MFA for B2C users with time-based OTP
Rising fraud and security attacks make it critical to protect consumer accounts with more secure forms of MFA. By incorporating time-based OTP through an authenticator app in your B2C user flows, you can provide a higher level of security compared to existing email and phone factors, without incurring additional telephony charges. Learn more from my colleague, Alex Weinert, about why we believe app-based MFA is more secure than email and phone MFA alone.
Time-based OTP for your user accounts can be configured with any authentication application. We recommend setting up your time-based OTP with Microsoft Authenticator, which uses encrypted bi-directional communication for authentication status and supports additional context and control that make it easier for your users to help protect themselves.
In this B2C user flow, a Contoso customer is prompted to complete authentication using time-based OTP with the Microsoft Authenticator application.
Read the documentation to learn how to set up time-based OTP for Azure AD B2C.
Data residency pricing update
We understand how important it is for our customers to have control over their data and to comply with local data residency requirements. As a first step in supporting this business-critical need, earlier this year we announced the general availability of Azure AD B2C data residency in Australia. To support increased demand for this support, beginning mid-2022, current and new customers who have data residency configured for Australia or other specific countries/regions will incur an add-on charge of $0.02 per monthly active user (MAU).
Based on your feedback, we are continuing to grow our data residency offerings so that you can target selection of the country/region needed to meet data storage requirements.
We love hearing from you, so please share your feedback on these updates through the Azure forum or by tagging @AzureAD on Twitter.
Robin Goldstein
Twitter: @RobinGo_MS
Learn more about Microsoft identity:
by Scott Muniz | Jan 21, 2022 | Security, Technology
This article is contributed. See the original author and article here.
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
| CVE Number |
CVE Title |
Required Action Due Date |
| CVE-2006-1547 |
Apache Struts 1 ActionForm Denial of Service Vulnerability |
07/21/2022 |
| CVE-2012-0391 |
Apache Struts 2 Improper Input Validation Vulnerability |
07/21/2022 |
| CVE-2018-8453 |
Microsoft Windows Win32k Privilege Escalation Vulnerability |
07/21/2022 |
| CVE-2021-35247 |
SolarWinds Serv-U Improper Input Validation Vulnerability |
02/04/2022 |
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.
by Scott Muniz | Jan 20, 2022 | Security, Technology
This article is contributed. See the original author and article here.
F5 has released its January 2022 Quarterly Security Notification addressing vulnerabilities affecting multiple versions of BIG-IP, BIG-IQ, and NGINX Controller API Management. A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system.
CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.
by Contributed | Jan 20, 2022 | Technology
This article is contributed. See the original author and article here.
We have published a few Microsoft Defender for Office 365 resources over the past few months, and these are now included in the Ninja Training. If you want to refresh your knowledge and get updated, here is what has been added since the last release in September 2021.
Legend:
Module (ordered by Competency Level)
|
What’s new
|
Email Security – Fundamentals:
Module 3. Configuration (Part 1)
|
|
Email Security – Fundamentals:
Module 5. General Awareness
|
|
Email Security – Intermediate:
Module 11. Reports/Custom Reporting
|
|
Security Operations – Advanced:
Module 4. Migration
|
|
Security Operations – Advanced:
Module 6. Attack Simulation Training
|
|
Security Operations – Advanced:
Module 7. General Awareness
|
|
by Scott Muniz | Jan 20, 2022 | Security, Technology
This article is contributed. See the original author and article here.
Drupal has released security updates to address vulnerabilities affecting Drupal 7, 9.2, and 9.3. An attacker could exploit these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following Drupal security advisories and apply the necessary updates.
Recent Comments