Microsoft - Research

Microsoft Password Guidance

This paper provides Microsoft’s recommendations for password management based on current research and lessons from our own experience as one of the largest Identity Providers (IdPs) in the world. It covers recommendations for end users and identity administrators.

Securing Internet Applications from Routing Attacks

This article provides a new perspective by showing that routing attacks on Internet applications can have even more devastating consequences for users—including uncovering users (such as political dissidents) trying to communicate anonymously, impersonating websites even if the traffic uses HTTPS, and stealing cryptocurrency. This article argues that the security of Internet applications and the network infrastructure should be considered together, as vulnerabilities in one layer lead to broken assumptions (and new vectors for attacks) in the other.

Cybersecurity: Is It Worse than We Think?

[In this article, we] seek to complement the myriad security research notes by investigating specific cybersecurity practices within organizations to evaluate where organizations are showing improvement, where they are stagnant, and what may be influencing these changes. Our results confirm that cyber-security continues to receive attention on the surface, but when looking beyond surface-level impressions a surprising lack of progress is being made.

The Dark Triad and Insider Threats in Cyber Security

In this article, we focus on a set of pathological personality traits known as the dark triad. Evidence from recent insider threat cases leads us to believe these traits may correlate with intentions to engage in malicious behavior.23 After discussing insider threats and the dark triad traits, we present results from an empirical study that illustrate the relationship between the dark triad traits and malicious intent. We then discuss the importance of these results and make recommendations for security managers and practitioners based on our findings.

Security Analysis of SMS as a Second Factor of Authentication

This article provides some insight into the security challenges of SMS-based multifactor authentication: mainly cellular security deficiencies, exploits in the SS7 (Signaling System No. 7) protocol, and the dangerously simple yet highly efficient fraud method known as SIM (subscriber identity module) swapping. Based on these insights, readers can gauge whether SMS tokens should be used for their online accounts. This article is not an actual analysis of multifactor authentication methods and what can be considered a second (or third, fourth, and so on) factor of authentication; for such a discussion, the author recommends reading security expert Troy Hunt’s report on the topic.
