Microsoft has released its annual list of top actions that admins can take to ensure they're not hit by ransomware, cryptocurrency-miner threats, or state-sponsored hackers.
In line with other security industry pros, Microsoft has confirmed in its 24th annual security intelligence report that ransomware has taken a backseat to pesky cryptocurrency miners.
But the company also warns that supply-chain attacks are on the rise. In these attacks, an attacker uses a supplier or business partner to spread an infection.
Past examples include the NotPetya not-ransomware outbreak that caused over $1bn in losses for global firms, the Dofoil BitTorrent attack, attacks using malicious WordPress plug-ins, nasty Docker container images, bad Python packages, malicious scripts in popular sites, and backdoored npm modules.
"Supply-chain attacks are insidious because they take advantage of the trust that users and IT departments place in the software they use," Microsoft warns in the report.
"The compromised software is often signed and certified by the vendor, and may give no indication that anything is wrong, which makes it significantly more difficult to detect the infection. They can damage the relationship between supply chains and their customers, whether the latter are corporate or home users.
"By poisoning software and undermining delivery or update infrastructures, supply-chain attacks can affect the integrity and security of goods and services that organizations provide."
While attacks are changing and Windows 10 built-in security is improving, the company's advice to customers remains the same. However, there's conflicting data about the best approach to remaining secure.
Microsoft recommends only using software from trusted sources, though this 'security hygiene' measure could be undermined in a supply-chain attack.
It also recommends "rapidly applying the latest updates to your operating systems and applications, and immediately deploying critical security updates for OS, browsers, and email".
Deploying patches quickly could generally be a good idea. However, Microsoft recently revealed that vulnerabilities in its software are most likely to be exploited as a zero day, before the company has even had a chance to release a patch.
Its other tips don't present obvious security conflicts.
"Deploy a secure email gateway that has advanced threat protection capabilities for defending against modern phishing variants," Microsoft warns, adding that businesses should "Enable host anti-malware and network defenses to get near real-time blocking responses from cloud (if available in your solution)".
The other key measures organizations should take include implementing access controls and teaching employees to be suspicious of messages that ask them to divulge sensitive information.
It also recommends keeping "destruction-resistant backups of your critical systems and data" and using cloud storage services for backing up data online.
"For data that is on premises, regularly back up important data using the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite," says Microsoft.