Tag: CyberSecurity

OneDrive’s Sneaky Sync Prompt

Welcome to this week’s episode of Cyber Whack-a-Mole, where we tackle Microsoft OneDrive’s new personal sync prompt before it pops up with a data leak surprise!

Microsoft is rolling out a new OneDrive feature around May 2025 called “Prompt to add a personal account to OneDrive Sync” for business users (Microsoft 365 Roadmap ID 490064). Designed for convenience, it allows users to sync their personal OneDrive accounts alongside work accounts with a single click. Sounds handy, right? But here’s the catch: it’s enabled by default, and without proper controls, it could lead to sensitive corporate data being synced to personal, unmanaged accounts.

Why This Matters

Mixing personal and work data on the same device introduces risks, including:

  • Data Leakage – Sensitive corporate files could be unintentionally or maliciously moved to personal OneDrive accounts, which lack organizational oversight.
  • Compliance Issues – Industries like healthcare, finance, and legal, bound by regulations such as GDPR, HIPAA, or SOX, face potential compliance violations if data leaves the managed environment.
  • Security Gaps – Personal accounts typically lack the same security controls (encryption, DLP policies, or audit logs) as corporate accounts, creating a weak link.

The good news? These risks are manageable with proactive measures. Let’s dive into how to keep your organization secure without breaking a sweat.

How to Fix the Issue: Practical Solutions

Below are three key steps to mitigate the risks posed by this feature, followed by additional options for comprehensive protection.

Disclaimer: Plan and Audit to Avoid Disruptions

How to Protect Your Data 🕵️‍♂️🔨💾

Before implementing any of these changes, carefully plan and perform an audit to prevent organization-wide disruptions:

  • Audit Current State – Use tools like Intune, Group Policy reporting (gpresult), or PowerShell scripts to assess which devices have personal OneDrive accounts synced or OneDrive for Business in use. This helps identify potential impacts of disabling syncing or access.
  • Test Changes – Apply policies in a pilot group (a small department) to evaluate effects on workflows, especially for users relying on OneDrive for Business.
  • Plan Communication – Coordinate with stakeholders to inform users of changes, particularly if disabling OneDrive access or syncing broadly.
  • Backup Critical Data – Ensure no critical business data is stored solely in personal OneDrive accounts before removing access.
  • Consult Compliance Teams – For regulated industries, verify that changes align with GDPR, HIPAA, or other requirements.

By planning ahead, you can mitigate risks without disrupting productivity or compliance.

1. Disable the Feature with DisablePersonalSync 🚫

The most effective way to block personal account syncing is to enable the DisablePersonalSync policy via Group Policy or Microsoft Intune. This prevents users from setting up new personal syncs and stops existing ones, displaying a message that syncing has stopped (though synced files remain on the device and must be removed separately).

Group Policy

  • Open Group Policy Management Console (gpmc.msc).
  • Create or edit a GPO linked to the domain root or an OU containing all users.
  • Navigate to User Configuration > Administrative Templates > OneDrive > Prevent users from syncing personal OneDrive accounts and set it to Enabled.
  • This sets the registry key: HKCU\SOFTWARE\Policies\Microsoft\OneDrive\DisablePersonalSync=dword:00000001.

Intune

  • In the Microsoft Intune Admin Center, create a Configuration Profile (Platform: Windows 10/11, Profile Type: Settings Catalog).
    • Add the setting: OneDrive > Prevent users from syncing personal OneDrive accounts (User) and set it to Enabled.
    • Assign to “All Users” or a group containing all tenant users for tenant-wide enforcement.

Reference: Microsoft Learn – Use Group Policy to control OneDrive sync settings

2. Audit Existing Syncs 📋

Before or after applying the policy, check for devices with active personal OneDrive syncs to close any existing gaps.

  • Use device management tools (Intune compliance reports or scripts) to identify personal OneDrive folders (typically under C:\Users\[Username]\OneDrive).
  • Remove synced personal files from devices, either manually or via automated scripts, ensuring compliance with your organization’s policies.
  • Consider using Microsoft Purview to audit OneDrive access events for signs of personal account activity.

3. Educate Your Team 📢

Communicate the policy change to users to avoid confusion and reinforce data security best practices.

  • Send an internal email or post on your company’s communication platform explaining why personal syncing is disabled.
  • Highlight the importance of keeping work and personal data separate, especially for compliance-heavy industries.
  • Provide a point of contact (such as IT helpdesk) for questions or support.

Additional Options for Enhanced Control

For organizations seeking broader or server-side controls, consider these tenant-level approaches, but note their trade-offs:

Disable Personal Site Creation (SharePoint Admin Center)

  • In the SharePoint Admin Center, go to More Features > User Profiles > Manage User Permissions.
  • Remove the “Create Personal Site” permission to prevent new OneDrive site creation, effectively blocking syncing for users without existing sites.

Limitation – Doesn’t affect existing OneDrive sites; use PowerShell to lock them if needed.
ReferenceManage user profiles in SharePoint

Restrict OneDrive Access by Security Group (PowerShell)

Use PowerShell to limit OneDrive access to specific security groups:

  • Connect-SPOService -Url https://-admin.sharepoint.com Set-SPOTenant -RestrictOneDriveAccessToSecurityGroupOnly $true Set-SPOTenant -OneDriveAccessRestrictedSecurityGroups “GroupID”
  • This prevents users outside the specified groups from accessing OneDrive, indirectly blocking personal syncing.

Limitation: Impacts OneDrive for Business broadly, not just personal syncing.
Reference: Microsoft Learn: Configure OneDrive access restrictions

Hide the Sync Button (PowerShell)

Limitation: Only affects the web interface; doesn’t stop syncs via the OneDrive client if DisablePersonalSync isn’t applied.
Reference: Microsoft Learn: Hide the sync button

Stay Ahead, Not Alarmed

This isn’t about panic—it’s about staying one step ahead of potential risks. If you’re an IT admin, take a moment to review your OneDrive policies to ensure your organization is protected. The DisablePersonalSync policy, applied tenant-wide via Intune’s Settings Catalog or Group Policy, is a straightforward way to lock things down. For extra peace of mind, audit existing syncs and explore server-side controls if needed.

You can also find this post on LinkedIn.

#DerettiTalks #Cybersecurity #Microsoft365 #OneDrive #Compliance #DataSecurity #EnterpriseSecurity #CyberWhackAMole #ITSecurity #CloudSecurity #DataProtection #TechNews #InformationSecurity #ITManagement #BusinessTech

National See Something Say Something Day: Your Role in Community Safety

🛡️ September 25 is approaching, marking the National ‘See Something, Say Something’ Awareness Day, an important reminder that security is a collective responsibility we all share. #HumanFirewall #BeyondCyber

👁️ The “If You See Something, Say Something®” campaign, launched by the U.S. Department of Homeland Security, empowers individuals to help protect their communities by reporting suspicious activities.

Together, we can make a difference. If you see something that does not feel right, say something — it could help prevent the next attack.

🚨 Why It Matters: Reporting suspicious behavior can help prevent potentially harmful situations, including terrorist incidents. A seemingly small or insignificant observation might be a key piece of a much larger puzzle. Your vigilance could be the difference in preventing a tragedy. It’s a simple idea, but it’s powerful: We all have a role in keeping our communities safe.

🧩But what exactly constitutes suspicious activity? Let’s break it down.

What Is Suspicious Activity?

Suspicious activity refers to any observed behavior that may indicate a threat to public safety or involve criminal activity, including potential terrorism. Here are some examples:

  • Expressed or Implied Threats: Making statements that threaten harm to people, facilities, or infrastructure.
  • Unauthorized Intrusion: Attempting to breach restricted areas or impersonating authorized personnel.
  • Unusual Material Storage: Storing large quantities of items like chemicals, weapons, or cell phones without a clear purpose.
  • Surveillance: Showing unusual interest in facilities, personnel, or security protocols by taking photos or videos covertly.
  • Cyber Attacks: Disrupting or compromising an organization’s IT systems in an attempt to cause harm.
  • Testing Security: Probing or testing a facility’s security systems to assess their strengths or weaknesses.

These activities are concerning not because of who a person is, but because of their actions. The security community and organizations urge everyone to report suspicious behavior—not based on someone’s appearance but on their actions.

Reporting suspicious behavior could potentially stop the next terrorist incident. Even a seemingly unimportant observation may be a piece of a larger puzzle.

What to Do if You See Suspicious Activity

It’s critical to report activities that feel off or seem unusual, especially when they suggest planning or preparation for harmful actions. Examples include someone breaking into a restricted area or gathering information about a facility’s security measures.

Remember: Race, gender, religion, or appearance are not indicators of suspicious behavior. Focus on the activity itself and report the behavior to local authorities or the appropriate channels.

Join the Effort on September 25

Let’s commit to staying aware and prepared on #SeeSayDay and throughout the year. Recognize the signs, report them, and play your part in maintaining the safety of our families, friends, and communities.

🔗 For more resources and guidance on what to look for, watch the awesome informative videos created by the New Jersey Office of Homeland Security and Preparedness (NJOHSP).

NJOHSP “See Something, Say Something” School Challenge 

NJOHSP PSA – “See Something, Say Something”

#SeeSayDay #CommunitySafety #CyberSecurity #PublicSafety #SecurityAwareness #ITSecurity #SeeSomethingSaySomething

https://www.dhs.gov/see-something-say-something

Navigating the Fallout: Lessons from the CrowdStrike Outage for the Future of Cybersecurity and Digital Resilience

The global computer outage on July 19, 2024, caused by a faulty software update from CrowdStrike, underlines the vulnerability of complex technological systems and the importance of robust incident response plans. The incident disrupted multiple industries worldwide, shedding light on the fragility of interconnected systems. The update introduced a critical error, crashing nearly 9 million Windows computers and impacting various sectors, emphasizing the potential for a single point of failure to escalate into a global crisis. This event underscores the significance of rigorous testing of updates, comprehensive incident response plans, and continuous improvement in security measures to combat the invisible threat of cyber warfare.

Summary

The global computer outage of July 19, 2024, serves as a reminder of the weaknesses inherent in our complex technological ecosystems. This incident, triggered by a faulty software update released by CrowdStrike, reverberated across multiple industries, causing widespread disruptions and highlighting the critical need for robust incident response plans, continuous improvement, and vigilance – a blunt reminder that strategic preparedness and rapid incident response are more crucial than ever in our age of ever-evolving cyber threats.

The Incident Unveils

It was 0147 EDT, overnight and into Friday.

The unusual stillness for a bustling Thursday evening and the paradox of the tech world came into play—the approaching weekend against the eerie thoughts of updates being released into production systems. 

As I was about to call it a night, the silence was shattered by the shrill ring of systems alerts and monitoring dashboard lights changing status, followed by ringing phones. The almost full moon cast a silvery glow over the misty mountain, starkly contrasting the chaos unfolding in the tech world.

This Friday would be unlike any other in our IT history. Our interconnected world was on the brink of an event that would underscore our systems’ fragility and highlight our false sense of security—a reminder of the delicate balance we maintain in our digital lives.

Incident Overview

For the ones unsure, CrowdStrike is a cybersecurity company with a significant market presence and serves various industries globally. One of their main products, Falcon, provides endpoint protection through real-time threat detection, prevention, and response, using advanced Artificial Intelligence and Machine Learning to identify and mitigate security threats.

A software update from CrowdStrike containing a critical error caused nearly 9 million Windows computers to crash worldwide, leading to widespread system failures and affecting numerous industries globally, including nearly 700,000 direct enterprise customer relationships between CrowdStrike and Microsoft.

The fragility of our interconnected systems was demonstrated when airlines faced delays and cancellations, financial institutions experienced disruptions in online banking and ATM services, and media companies saw interruptions in broadcasting.

This incident not only disrupted day-to-day operations but also highlighted the potential for a single point of failure to cascade into a global crisis.

A Technical Overview

CrowdStrike updates are installed automatically into production environments to ensure that the systems are protected with the latest security measures against emerging threats. This practice helps maintain high security but can lead to widespread outages if an update contains a flaw, as seen in the recent outage.

The faulty software update from CrowdStrike introduced a critical error in the .sys channel file, which is integral to system operations and contains a logic bug that disrupts the normal functioning of the Windows system. Security tools like CrowdStrike’s Falcon use these files to monitor system behaviors at a granular level, providing real-time protection against threats and protecting system activities at a deep level.

These .sys files act as drivers or kernel modules, facilitating communication between the operating system and hardware components, operating at a low level, or providing necessary services to the computer system, often interacting directly with the hardware or core system functionalities to manage resources, perform input and output operations, and ensure system stability.

An Insight into the Invisible Enemy

As we experienced firsthand, the impact of critical systems outages can be as disruptive and devastating as traditional warfare. An invisible enemy, such as a bug or a malicious code, can disrupt nations and large operations worldwide with resources at a fraction of the cost of conventional warfare methods. For instance, deploying a cyberattack is significantly inexpensive and less conspicuous than an electromagnetic pulse (EMP) attack, which would escalate tensions and likely provoke retaliation on a larger scale.

The interconnectedness of modern IT systems means that a failure in one component can have cascading effects, impacting numerous sectors simultaneously. The ability to disrupt critical infrastructure, financial systems, and communication networks can cripple a nation’s economy and security without firing a single shot.

The CrowdStrike fiasco illustrates the power and efficiency of digital warfare, which has rendered me many sleepless nights as the contrast between the invisible threats posed by software and the visible, traditional means of waging war.

Unlike physical attacks that require significant infrastructure, personnel, and logistics, cyberattacks can be executed remotely with little risk to the attacker. The stealth and anonymity provided by the internet allow nefarious actors to launch attacks that are difficult to trace and attribute, thus avoiding immediate retaliation.

This scenario underscores the importance of viewing cybersecurity not just as a technical issue, but as a matter of national security, highlighting the need for robust and comprehensive incident response plans, and the continuous improvement of security measures to protect against the invisible enemy that can strike without warning.

Strategic Insights

The CrowdStrike incident offers several strategic insights into the vulnerabilities of complex systems. First, it highlights the necessity of rigorous testing and validation of updates before deployment. A single faulty update can have far-reaching consequences, disrupting multiple sectors simultaneously.

Second, the incident underscores the need for comprehensive incident response plans. Organizations must conduct regular vulnerability assessments, implement advanced threat detection tools, and ensure continuous monitoring of their systems. Effective communication protocols are also essential to inform stakeholders and manage the crisis transparently.

My account as an Incident Response Leader

What I’m about to share underscores the critical importance of a robust incident response plan and the necessity of continuously enhancing security measures.

However, I must emphasize that, through the exceptional efforts of our world-class IT team (Application, Infrastructure, and Security), whose dedication I had the privilege of witnessing firsthand, we achieved close to total restoration of systems across multiple data centers and continents before CrowdStrike’s released a statement about the incident – even before many users had their first cup of coffee for the day. This remarkable achievement proves the extraordinary caliber of Haystack’s IT group’s understanding of the landscape and commitment to excellence. The team’s relentless efforts and hands-on approach transformed the recovery into an exemplary model of efficiency and excellence.

On that fateful night, as I prepared to call it a night and started investigating and assessing the cause of my systems going offline across data centers globally, I revisited the “Planning Considerations for Cyber Incidents” guide from my previous experiences with the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the US Department of Homeland Security.

The CISA guide provides a structured framework for assessing the situation, activating the incident response team, and implementing effective containment and recovery strategies. By using the procedures in the CISA document as a guideline, in conjunction with my team’s Business Continuity, Disaster Recovery, and Incident Response plans, we were able to execute a coordinated and effective response in a structured manner.

Once the incident response protocol was initiated, we were tasked with restoring access and reestablishing timely availability for the affected platforms. We found the pattern within the system outage, identified and organized the affected systems, and initiated a detailed analysis to identify the root cause. We coordinated with internal teams and external stakeholders; we communicated regularly to inform everyone of our progress and manage expectations accordingly.

Our focus on system restoration involved rolling back faulty systems, composing a structured recovery procedure based on rigorous testing, outlining team members’ responsibilities, and distributing the vetted recovery steps with the group. We followed post-restoration, comprehensive validation, and user acceptance testing to ensure all systems were fully operational.

What Nefarious Actors Can Learn from This

While CrowdStrike has stated that the incident was not a cyberattack, the scenario described aligns with known patterns of nation-state supply chain attacks aimed at long-term espionage. These attacks require advanced capabilities and are designed to remain undetected while extracting valuable data over extended periods.

Nefarious actors, including rogue nations, state-sponsored hackers, and organized cybercriminal groups, can glean several insights from the CrowdStrike outage, as far as creating a sense of instability and uncertainty, making it easier to execute larger-scale attacks when defenses are perceived as unreliable while eroding trust in security controls and providers.

During such events, attackers can observe how quickly and effectively organizations respond and recover, gaining an understanding of the strengths and weaknesses of incident response plans. This knowledge allows them to craft more effective attacks in the future.

The incident also underscores the potential impact of targeting critical infrastructure components. By compromising security tools like CrowdStrike, attackers can create a ripple effect, disrupting multiple industries and sectors. This is particularly attractive for state-sponsored actors aiming to cause widespread disruption.

Strategic Recommendations

In light of the outage caused by CrowdStrike’s system update, organizations can focus on enhancing their incident response and cybersecurity measures. Here are some specific recommendations:

  • Schedule and conduct a cybersecurity incident response simulation within the next quarter. Use real-world scenarios to test current plans’ effectiveness and identify improvement areas.
  • Cybersecurity should be included as a regular agenda item in board meetings. Review the organization’s security posture, recent incidents, and ongoing improvement initiatives.
  • Create a flexible, modular, scalable security architecture that allows centralized policy orchestration but decentralized enforcement. This will help protect all endpoints and systems more effectively.
  • Perform a comprehensive risk assessment of all third-party vendors and partners. Ensure they adhere to strict cybersecurity standards and have robust incident response plans.
  • Implement a zero-trust security model, which assumes that threats can come from outside and inside the network. This involves continuous verification of user identities, strict access controls, and real-time monitoring of all network activities.
  • Leverage artificial intelligence and machine learning to detect anomalies and potential threats in real-time. These technologies can analyze vast amounts of data and identify patterns that might indicate a cyberattack, enabling quicker and more effective responses.

Practical Advice for Individuals and Businesses

In addition to organizational recommendations, individuals and small businesses can also take steps to enhance their cybersecurity posture:

Cybersecurity Steps

  • Implement regular data backup procedures to ensure that critical information can be recovered in case of a cyberattack.
  • Post-incident analysis and continuous improvement are vital for enhancing resilience against future threats.
  • Conducting thorough post-mortem reviews helps identify gaps in the response process and provides valuable insights for refining incident response plans.
  • Training staff based on lessons learned from incidents ensures the organization is better prepared for future crises.
  • Install and maintain robust firewall and antivirus software to protect against common threats.
  • Conduct regular cybersecurity training sessions for employees to raise awareness and ensure they understand best practices.

Cyber Hygiene Tips

  • Ensure that all devices and software are regularly updated to patch known vulnerabilities.
  • Use strong, unique passwords for different accounts and enable multi-factor authentication (MFA) wherever possible.
  • Be cautious of phishing emails and links. Verify the source before clicking on any links or downloading attachments.

By recognizing these items, we can better prepare for the evolving landscape of cyber warfare, ensuring that our systems are resilient and capable of withstanding the sophisticated threats posed by those who seek to exploit them or vendor negligence.