
Information security now!

This week we welcome new schoolchildren onto the digital school path and explain the reform in which Microsoft will introduce a two-step login process to improve the security of logging into and managing its services.

TLP:CLEAR

Back to school! Stay safe on the digital school path too

Another school year started in comprehensive schools at the beginning of August. In the past few autumns, the National Cyber Security Centre has highlighted the importance of learning to navigate the digital school path at home and at school. This year, approximately 167,000 young schoolchildren will be studying in grades 1–3 of comprehensive school, and many of them have just received their first phone. Autumn is the perfect time to learn to use terminal devices together with a child, both at home and at school.

In addition to calling and messaging, phones are used for a variety of other purposes today. People’s digital identity and managing it increasingly focus on mobile terminal devices. It is therefore a good idea to teach schoolchildren the right practices regarding looking after devices (updating), disclosing one’s personal information (data security) and password creation, password management and multi-factor authentication (information security).

It is also advisable for us adults to refresh our memory. Many parents of young schoolchildren were themselves part of the first generation that learned to use the internet at primary or secondary school age. Unfortunately, the internet has not become any safer as an operating environment for children since those days. Parents should therefore take an interest in and keep an eye on what their child is doing with their phone, what software their child uses, and what kind of digital content their child is consuming or can access on their own mobile terminal device. The age limits for applications should also be taken into account, and especially the data protection of applications aimed at children.

Growing up in the current digital world requires good cooperation between children and the adults responsible for them. A phone is a necessity today, but using it may cause concern for parents. On the one hand, the child has the right to protection of privacy and secrecy of communications, and on the other hand, the parents are responsible for ensuring the child's wellbeing. The legislation is not unambiguous about the situations in which guardians may read the messages on their child's phone or locate the phone without the child's permission. It is therefore best to anticipate and agree on the rules for using a phone and communicating online from the very beginning.

In June 2023, we wrote more about how to take control of the technology of devices together with children.


Microsoft forces multi-factor authentication in autumn 2024

In May, Microsoft announced that multi-factor authentication will be required for logging into the main user portals of Azure, Entra ID and Intune. The timetable for the reform was published on 15 August 2024 and the first stage will enter into force on 15 October 2024. As a result, multi-factor authentication will be required for all user IDs logging into Azure. In this article, we explain what the changes mean and how you can prepare for them.

What does this mean and who does it affect?

Microsoft will carry out the changes in two stages. The first stage will begin on 15 October 2024, when multi-factor authentication will be required for all Microsoft IDs used to log into the following services:

The second stage will enter into force at the beginning of 2025, when multi-factor authentication will become obligatory for using Azure CLI, Azure PowerShell, the Azure mobile application and Infrastructure as Code (IaC).

From 15 August 2024 onwards, Microsoft will notify the main users of Azure Entra ID, by email and through Azure's Service Health Notifications view, of the more specific date of the first-stage change 60 days before it takes effect. The date of the change, additional information and the instructions will also be visible in the M365 Message Center.

To prepare for the changes, it is advisable to create separate main user IDs for emergencies. These IDs will be used only in situations where other methods of logging in cannot be used, for example, because of technical problems. 

Create a separate main user ID for emergencies – a so-called "break-glass" ID

The main user IDs created for emergencies differ from normal IDs in that logging in with them does not depend on a specific phone operator or on Microsoft's Azure MFA. This is particularly important if mobile phone networks have been disabled or if disruptions that prevent logging in occur in Microsoft's Azure MFA. It should be possible to use these IDs to log into your Microsoft subscription if other methods of logging in fail because of technical problems. The IDs are not used regularly, nor will access licences be activated for them, because they are reserved only for emergencies. These IDs are so-called "break-glass" IDs.

A password consisting of at least 25 characters including lower and upper-case letters, numbers and special characters is recommended for main user IDs. It is advisable to consider FIDO2 security keys, the Windows Hello for Business solution or authentication based on certificates as options for multi-factor authentication. Of these, the implementation of FIDO2 security keys is the easiest one to carry out and maintain.

The IDs should be monitored so that notifications will be received about logins. It is also important to regularly check that the IDs are working and ready to use when the situation requires it.
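One way to implement both checks over exported sign-in records, as an added example that is not NCSC-FI's or Microsoft's code. The account names, the 90-day verification interval and the sample records are assumptions constructed for illustration; the field names follow the Entra ID sign-in log schema.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical emergency account names; replace with your own.
BREAK_GLASS_UPNS = {"bg-admin1@example.onmicrosoft.com",
                    "bg-admin2@example.onmicrosoft.com"}
# Assumed verification interval; the review only says "regularly".
MAX_TEST_AGE = timedelta(days=90)

# Constructed sample records (not real log data), Entra ID sign-in log field names.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-08-01T07:15:00Z", "ipAddress": "198.51.100.7",
     "userPrincipalName": "alice@example.com", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-08-20T02:41:10Z", "ipAddress": "203.0.113.50",
     "userPrincipalName": "BG-Admin1@example.onmicrosoft.com",
     "status": {"errorCode": 50126}},  # failed attempt: invalid credentials
    {"createdDateTime": "2024-08-20T02:43:55Z", "ipAddress": "203.0.113.50",
     "userPrincipalName": "bg-admin1@example.onmicrosoft.com",
     "status": {"errorCode": 0}},      # errorCode 0 means success
]

def parse_time(value):
    # Accept the trailing "Z" on Python versions older than 3.11 as well.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_break_glass(signins, now):
    """Return (alerts, stale).

    alerts: every sign-in attempt by an emergency account, failed or not.
    stale:  emergency accounts with no successful sign-in within MAX_TEST_AGE,
            i.e. accounts nobody has recently verified to be working.
    """
    alerts, last_success = [], {}
    for rec in signins:
        upn = rec["userPrincipalName"].lower()   # UPNs are case-insensitive
        if upn not in BREAK_GLASS_UPNS:
            continue
        when = parse_time(rec["createdDateTime"])
        ok = rec["status"]["errorCode"] == 0
        alerts.append({"upn": upn, "time": when, "ip": rec["ipAddress"], "success": ok})
        if ok and (upn not in last_success or when > last_success[upn]):
            last_success[upn] = when
    stale = sorted(u for u in BREAK_GLASS_UPNS
                   if u not in last_success or now - last_success[u] > MAX_TEST_AGE)
    return alerts, stale

if __name__ == "__main__":
    alerts, stale = review_break_glass(SAMPLE_SIGNINS, datetime(2024, 8, 22, tzinfo=timezone.utc))
    for a in alerts:
        print("ALERT", a["time"].isoformat(), a["upn"], a["ip"], "success" if a["success"] else "failed")
    print("Not verified within", MAX_TEST_AGE.days, "days:", stale)
```

Failed attempts are alerted on as well as successful ones, because an emergency ID that is never used in normal operation should produce no sign-in activity at all outside a planned test.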

 

Recently reported scams

In this summary, we provide information about scams reported to NCSC-FI during the past week.

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (reporting period 16–22 August 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens. 

Previous weekly reviews are available here