Attackers are targeting older, unpatched Microsoft Exchange Servers with much success because organizations don't properly assess the risk.

The US Cybersecurity and Infrastructure Security Agency (CISA) has started a list of what it deems to be bad security practices. The two on the list so far tell any organization that supports national critical functions (NCFs) what not to do. They are so broad in their "badness," however, that any organization should take notice and make sure it is not doing them. The two bad practices are:

1. Use of unsupported (or end-of-life) software
2. Use of known/fixed/default passwords and credentials

CISA notes that both dangerous practices are especially egregious in internet-accessible technologies.

CISA's list is a good start, but it's not just unsupported or end-of-life software that is dangerous. The deeper problem is not assigning resources to properly analyze the risk of the software deployed in your organization in general. That risk often comes from software that is still supported but is not on its most recent version or fully patched. Microsoft Exchange is a good example of this.

Why attackers target Microsoft Exchange

On-premises Microsoft Exchange servers have been targeted twice recently in attacks that can mean a complete takeover of a firm. The first, in March of this year, was called ProxyLogon. Microsoft released an out-of-band patch for Exchange Server after attackers used the vulnerabilities to take control of servers and ultimately entire networks. Microsoft then had to scramble to code and release patches for multiple additional Exchange builds, because it quickly became clear that firms had not kept their Exchange Servers within the N-1 supportability window.

Normally, Exchange Servers get quarterly Cumulative Updates (CUs). These are not themselves security updates, but they define which builds are supported: when a security update is released, it is provided only for the most current CU and the one right before it.
If your firm hasn't kept its Exchange Servers up to date, you must first scramble to get onto a supported CU before you can even apply the security update.

Why don't we keep servers up to date? As a former Exchange patcher, I can relate to the hesitation in deploying updates on that platform. Often the error messages are unusual and the resolution is not obvious. Email is one of those foundational technologies that we expect to always be on and always work. Planning maintenance on such a key technology needs buy-in from stakeholders. When I did patch Exchange servers, I ensured that I had a hygiene platform in front of Exchange, so when I needed to perform maintenance the email was held and stored until the mail network came back online and was fully functional.

The second attack on Exchange Servers is called ProxyShell and fortunately is not causing quite the same damage as the earlier ProxyLogon. It's still extremely impactful, and Huntress Labs reported that it is being used in ransomware attacks.

Why is on-premises Exchange so much in the crosshairs lately? As security researcher Orange Tsai pointed out in his Black Hat talk on the Exchange vulnerabilities, Microsoft does not currently offer a bug bounty for its on-premises Exchange product, which it deems out of scope. Security researchers therefore have no incentive to turn Exchange bugs over to Microsoft.

How to protect Exchange from attacks

Tsai had several recommendations to protect yourself from such attacks:

Keep Microsoft Exchange systems up to date. Task someone in your organization with keeping Exchange patched when a security update is released and when the quarterly Cumulative Updates are released. Install these updates on a regular basis, and do not let your mail servers fall into a state where a security update cannot be applied immediately.
More security vulnerabilities for these servers will emerge in the future.

Protect Exchange from internet and network threats. Ensure Exchange Servers are not directly internet-facing, and protect them as best you can not only from the internet but also from the internal network. Use a firewall in your office to limit access to the servers to only the devices that need it. Too often we don't take the time to build appropriate firewall rules on our devices, and that is a key basic step in keeping them protected.

Migrate to cloud-based email. Last, and almost jokingly, Tsai said that to keep your on-premises Exchange protected, you need to migrate to cloud-based email. Microsoft has deemed on-premises Exchange Servers no longer worthy of bug bounties. With less incentive to turn bugs over to the vendor, the risk is greater that vulnerabilities will be known to attackers first.

Clearly this last item needs to change. Microsoft needs to ensure that it pays bug bounties for all products that provide easy access to our networks. Too often smaller businesses and local governments are the easy entry point into larger organizations. Too often they have not moved to cloud-based email but still run an on-premises email server because of fixed costs and limited resources. These constraints make them low-hanging fruit: attackers gain entry there and then go after other targets.

Take the time to review your patching resources and assign appropriate staff to your on-premises Exchange Server. Don't put off the quarterly updates; install them in a timely and appropriate manner. When (not if) the next emergency Exchange patch comes out, be ready to deploy it immediately.
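The "keep Exchange up to date" recommendation above hinges on knowing whether a server is inside the N / N-1 Cumulative Update window before a security update lands. The script below is an added example (it is not from the article, from Microsoft, or from Tsai's talk) that reads the real build from ExSetup.exe and reports where the server stands. The `$SupportedBuilds` table is an assumption: its CU names and build numbers are illustrative values that an administrator must refresh each quarter from Microsoft's published Exchange Server build-number table.

```powershell
# Added example; not code from the article or from Microsoft.
# Reports whether this Exchange server's build sits inside the N / N-1 Cumulative Update
# window in which Microsoft ships Security Updates (SUs).
#
# ASSUMPTION: $SupportedBuilds must be maintained by hand from Microsoft's published
# Exchange Server build-number table. The CU names and builds below are illustrative
# values for Exchange 2019 and 2016; verify them against that table before relying on them.
$SupportedBuilds = @{
    '15.2' = @(   # Exchange Server 2019, newest CU first
        @{ Name = 'CU11'; Build = [version]'15.2.986.5' },
        @{ Name = 'CU10'; Build = [version]'15.2.922.7' }
    )
    '15.1' = @(   # Exchange Server 2016, newest CU first
        @{ Name = 'CU22'; Build = [version]'15.1.2375.7' },
        @{ Name = 'CU21'; Build = [version]'15.1.2308.8' }
    )
}

function Get-ExchangeInstalledBuild {
    # Read the file version of ExSetup.exe. Do not trust Get-ExchangeServer's
    # AdminDisplayVersion for this: it is not updated when an SU is installed, so it
    # can show a server as current when it is not.
    $setupKey    = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    $installPath = (Get-ItemProperty -Path $setupKey -Name MsiInstallPath).MsiInstallPath
    $exSetup     = Join-Path $installPath 'Bin\ExSetup.exe'
    [version](Get-Item -Path $exSetup).VersionInfo.FileVersion
}

function Test-ExchangeCuSupport {
    param([Parameter(Mandatory)][version]$Installed)

    # Exchange 2016 is 15.1.x.y and 2019 is 15.2.x.y. The third field identifies the CU;
    # the fourth field moves when an SU is applied, so the CU match uses field three only.
    $family = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    $window = $SupportedBuilds[$family]
    if (-not $window) {
        return [pscustomobject]@{
            Installed = $Installed; CU = 'unknown'
            Status    = 'Unknown product family'
            Action    = 'Confirm this is a supported Exchange version'
        }
    }

    $index = -1
    for ($i = 0; $i -lt $window.Count; $i++) {
        if ($window[$i].Build.Build -eq $Installed.Build) { $index = $i; break }
    }

    if ($index -eq 0) {
        $status = 'Supported (current CU)'
        $action = 'Apply the current SU if it is not already installed'
    } elseif ($index -gt 0) {
        $status = 'Supported (N-1 CU)'
        $action = "Plan the move to $($window[0].Name); SUs for this CU stop at the next CU release"
    } elseif ($Installed.Build -lt $window[-1].Build.Build) {
        $status = 'Out of support window'
        $action = "Install $($window[0].Name) first; no SU will apply until then"
    } else {
        $status = 'Newer than the build table'
        $action = 'Refresh $SupportedBuilds from Microsoft before trusting this result'
    }

    $cuName = if ($index -ge 0) { $window[$index].Name } else { 'none in table' }
    [pscustomobject]@{
        Installed = $Installed
        CU        = $cuName
        Status    = $status
        Action    = $action
    }
}

# Usage on the server itself (elevated PowerShell):
#   Test-ExchangeCuSupport -Installed (Get-ExchangeInstalledBuild)
# Offline check against a constructed value, e.g. a 2016 server that was left on CU19:
#   Test-ExchangeCuSupport -Installed ([version]'15.1.2176.2')
```

Run it from the same scheduled job that reports Windows patch status, so an Exchange server that has drifted out of the window shows up before the next emergency SU rather than on the day it ships. The "Out of support window" result is the condition the article warns about: the SU will refuse to install, and the CU upgrade (with its maintenance window and stakeholder sign-off) has to happen first.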
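The firewall recommendation above ("limit access to the servers to only those devices that need access") is often skipped on the server itself because Exchange Setup creates its own inbound allow rules. The following is an added example, not code from the article, showing how to scope those rules with Windows Defender Firewall on the Exchange server. The two source addresses are placeholders for a mail hygiene gateway and an administration subnet; substitute your own.

```powershell
# Added example; not code from the article or from Microsoft.
# Restrict inbound TCP/443 (OWA, ECP, EWS, Autodiscover: the listener both ProxyLogon and
# ProxyShell reached) on an Exchange server to the hosts that actually need it.
# ASSUMPTION: the addresses below are placeholders for the hygiene gateway and admin subnet.
$AllowedSources = @('192.0.2.10', '10.20.30.0/24')

# 1. Make "block" the default for unsolicited inbound traffic on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Find every enabled inbound Allow rule that opens TCP/443 and narrow its remote
#    addresses. Do NOT add a catch-all Block rule for 443 instead: in Windows Firewall a
#    matching Block rule wins over an Allow rule, so it would cut off the allowed hosts too.
$httpsRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '443')
    }

foreach ($rule in $httpsRules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedSources
    "Scoped '{0}' to {1}" -f $rule.DisplayName, ($AllowedSources -join ', ')
}

# 3. Verify: show each 443 rule and the remote addresses it now accepts.
$httpsRules | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
}
```

Two caveats a practitioner will hit: rules that allow a program rather than a port report `LocalPort` as `Any` and are not matched by the filter above, so review them by hand; and the SMTP listener on TCP/25 needs the same treatment, scoped to the hygiene gateway that relays inbound mail, which is also what lets mail queue safely during the maintenance windows described earlier.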