Global hacking attack highlights on-premises vulnerabilities
This month’s huge hack of Microsoft’s Exchange Server mail and calendar software has underlined, as never before, the risk of maintaining on-premises servers: attackers gained access to email accounts and installed malicious software (malware) that gives them a way back into those servers later.
The hack, by a group Microsoft has dubbed Hafnium, compromised the emails of thousands of businesses and government agencies around the world, which were left rushing to patch against the vulnerabilities. Organisations running Exchange Server 2013, 2016 or 2019 on their own physical servers were exposed. The attack did not affect Exchange Online, Microsoft’s cloud email service, and it raises the question of whether adopting cloud-based email is the wiser business choice than running email servers in-house.
Microsoft moved quickly to release security patches, even for out-of-support versions of Exchange Server. But not every company has the skills or capacity to patch. Exchange is a complex system, and Hosted Exchange is doubly so (if you are doing the hosting) because of the interplay between Exchange and the provisioning system.
Patches need to be deployed to a staging environment and tested; full provisioning tests must then be completed through the provisioning system to confirm nothing there is affected; the update goes first to a small set of production servers to check for unexpected load; and only then is it rolled out across the entire platform.
The Cobweb response:
At Cobweb, we pride ourselves on running a solid, highly available and secure Hosted Exchange platform, and we monitor and respond to emerging threats. Realising the potential severity of this hack, we began patching our internet-facing production Exchange platforms immediately upon release of the patch, completing the update on those systems less than 18 hours after release. Thanks to this rapid turnaround, no systems were compromised and no customer data was exposed.
About our Hosted Exchange Platform:
At Cobweb, we have been running a Hosted Exchange platform for over 20 years. We’re strong believers in continuous improvement, whether that be adding automation into our workflows, or collecting additional metrics into our custom monitoring systems, allowing us to make more intelligent decisions about how to run the platform.
Time to question your approach?
The fact is that running an Exchange platform is hard: it took us 20 years of process evolution and a dedicated team of Exchange specialists to ensure we were not hit. So if you are running Exchange on-prem and do not, like us, have that maturity and those processes in place, it is probably the wrong solution for your business. The time between a patch being released and the vulnerability being actively exploited is only going to get shorter. Patching fast is necessary, but where a flaw was already being exploited before the fix shipped, you also need to check the patched servers for signs of earlier compromise, because the malware left behind is what gives attackers their way back in. If you are running Exchange on-prem, you should consider the following questions.
- Who is monitoring security forums? How are you notified of out-of-band updates? Do you have processes and procedures in place to get something like this live on production systems in under 24 hours where necessary?
- What does your patch process look like? How long does it take to go from Microsoft releasing a patch to getting it through testing and onto all production systems? Can automation help you here?
- Are you checking for updates to anything other than the operating system? How often?
- What do you know about your systems? Do you have a solid asset management process, or do you have different systems that tell you different things? Do you know every piece of software on every system, so that you can quickly identify what to patch and where?
Some of those questions may not have simple answers, and if they don’t for your business, it is probable that running Exchange on-prem is the wrong solution.
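The last two questions above, knowing which software is on which server and knowing whether the patch is actually on it, are the ones that bite hardest with Exchange, because an Exchange Security Update (SU) does not change the version that Get-ExchangeServer reports. The following PowerShell script is an added example, not Cobweb’s or Microsoft’s code: it uses Active Directory (via Get-ExchangeServer) as the inventory of record, reads the file version of ExSetup.exe on every server over PowerShell remoting, and reports which servers are missing the SU. The -PatchedRevisions table is an assumption you fill in from Microsoft’s release notes for the SU you are rolling out; the script hardcodes no build numbers.

```powershell
<#
  Added example, not Cobweb's code. Inventories every Exchange server in the
  organisation and reports which ones are missing a given Security Update (SU).

  Why ExSetup.exe? Get-ExchangeServer's AdminDisplayVersion only changes when a
  Cumulative Update (CU) is installed. An SU leaves it alone and instead bumps the
  file version of <ExchangeInstallPath>\bin\ExSetup.exe, so the file version is the
  value that actually proves an SU is on the box.

  Assumptions: run from the Exchange Management Shell with an account that can
  PowerShell-remote to each server; -PatchedRevisions is filled in from Microsoft's
  release notes for the SU you are rolling out. Key = the CU's major.minor.build
  (the first three parts of its version), value = the revision (fourth part) that
  the SU for that CU ships. SUs are built per CU, so add one entry per CU in use.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [hashtable]$PatchedRevisions   # e.g. @{ '<major.minor.build>' = <revision> }
)

# Active Directory is the inventory of record: every server that joined the org is
# listed here, including the one nobody put in the spreadsheet.
$servers = Get-ExchangeServer | Sort-Object Name

$report = foreach ($server in $servers) {
    $fileVersion = $null
    try {
        $raw = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
            $vi = (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo
            # Build the string from the numeric parts so it always casts to [version].
            '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        }
        $fileVersion = [version]$raw
        $cu = '{0}.{1}.{2}' -f $fileVersion.Major, $fileVersion.Minor, $fileVersion.Build
        if (-not $PatchedRevisions.ContainsKey($cu)) {
            # No SU exists for this CU, so the server cannot be patched until its CU is upgraded.
            $status = 'CU not covered by this SU - upgrade CU first'
        } elseif ($fileVersion.Revision -ge [int]$PatchedRevisions[$cu]) {
            $status = 'Patched'
        } else {
            $status = 'MISSING SU'
        }
    } catch {
        # A server you cannot reach is a finding in itself: you cannot show it is patched.
        $status = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server         = $server.Name
        Site           = $server.Site
        Role           = $server.ServerRole
        CU             = $server.AdminDisplayVersion
        ExSetupVersion = $fileVersion
        Status         = $status
    }
}

$report | Format-Table -AutoSize
# Exit non-zero when anything is not 'Patched' so a scheduled run fails loudly.
if ($report | Where-Object { $_.Status -ne 'Patched' }) { exit 1 }
```

Run it after each stage of the rollout (staging, the first few production servers, then the whole platform) and keep the output as the evidence that the stage completed. Edge Transport servers are not domain-joined, so they will usually show as unreachable here and need to be checked by hand, and a server whose CU is not in the table is not a false positive: it has no SU available and must be brought to a supported CU first.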
The security case for Exchange Online:
Over the last couple of years, we have increasingly migrated customers to Office 365 and Exchange Online because we believe this is the right solution for the vast majority of our customers’ needs.
Exchange Online wasn’t impacted by the Hafnium attack, and realistically you should expect similar breaches in the future where Exchange Online is not impacted but on-prem versions are. And any time a patch is released, you can be sure Exchange Online will already have been patched.
The advanced identity capabilities that Microsoft provides through the Azure Active Directory (Azure AD) enterprise identity service, including single sign-on (SSO) and multi-factor authentication, help protect users from 99.9% of account-compromise attacks. It is far more capable of detecting threats within a tenant than anything that could be deployed on-premises, and those capabilities continue to improve.
Things like multi-factor authentication (MFA) are now simple to roll out to users, whereas deploying similar capabilities on-premises can involve significant complexity and add a lot of overhead. Quite simply, your organisation is more secure in the cloud than it is on-premises, particularly if you use the more advanced capabilities, and that is not going to reverse.
You may think your anti-virus (AV) solution has you ring-fenced, but here there are more questions to ask: Are you logging centrally? Are you monitoring agent health? Are all devices using the latest definitions? Microsoft Defender for Endpoint can help with asset management and software inventory, so you know what you need to patch, and being cloud-native it works just as well with a mobile workforce.
Simple AV solutions don’t meet the protection requirements of the modern threat landscape. Yes, there is a good chance AV will block a given piece of malware, but do you have the logging in place to identify how that malware arrived on the endpoint in the first place, how long it was there, and what may have been accessed while the system was exposed?
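The three agent-health questions above (is the engine running, is real-time protection on, are definitions current) can be answered for Microsoft Defender Antivirus with its own Get-MpComputerStatus cmdlet. The script below is an added example, not Cobweb’s or Microsoft’s code: it collects that status from a list of Windows hosts over PowerShell remoting and flags anything unhealthy. The signature-age threshold is an assumption you set by policy; the default of 2 days here is an illustration, not a Microsoft figure.

```powershell
<#
  Added example, not Cobweb's or Microsoft's code. Pulls Microsoft Defender
  Antivirus health from a list of Windows hosts and flags the ones where the
  engine is off, real-time protection is off, or definitions are stale.

  Assumptions: PowerShell remoting to every host; $MaxSignatureAgeDays is a policy
  value you choose (the default of 2 is an illustration, not a Microsoft figure).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string[]]$ComputerName,
    [int]$MaxSignatureAgeDays = 2
)

# Get-MpComputerStatus is the Defender module's own health query; returning a
# small custom object keeps the remoting payload and the report columns simple.
$health = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        EngineRunning        = $s.AMServiceEnabled
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        SignatureAgeDays     = $s.AntivirusSignatureAge
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
    }
}

# Hosts that returned nothing are the most interesting ones: either remoting failed
# or the Defender module is absent, and neither counts as "protected".
$noAnswer = $ComputerName | Where-Object { $_ -notin @($health.PSComputerName) }

$unhealthy = $health | Where-Object {
    -not $_.EngineRunning -or -not $_.RealTimeProtection -or $_.SignatureAgeDays -gt $MaxSignatureAgeDays
}

$health | Format-Table PSComputerName, EngineRunning, RealTimeProtection, SignatureAgeDays, SignatureLastUpdated -AutoSize
if ($noAnswer) { Write-Warning ('No status from: ' + ($noAnswer -join ', ')) }
# Exit non-zero so a scheduled run fails loudly when any host is unhealthy or silent.
if ($unhealthy -or $noAnswer) { exit 1 }
```

Feed it the same host list you use for patching so the two inventories cannot drift apart, and treat a silent host as a failure rather than an unknown: it is exactly the machine whose agent health nobody is monitoring.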
At Cobweb we have extensive experience in migrating organizations to Exchange Online – we’ve migrated over 200,000 mailboxes to Exchange Online to date and can help your business move to the more secure cloud. If you want the added security that comes from moving your mailboxes to Exchange Online, get in contact with Cobweb Solutions MENA today: Tel: +971-4427-2420 or email at firstname.lastname@example.org