Attackers are targeting older, unpatched Microsoft Exchange Servers with much success because organizations don't properly assess the risk.

The US Cybersecurity and Infrastructure Security Agency (CISA) has started a list of what it deems to be bad security practices. The two on the list so far instruct any organization that provides national critical functions (NCF) what not to do. They are so broad in their "badness," however, that any organization should take notice and ensure it is not doing them. The two bad practices are:

- Use of unsupported (or end-of-life) software
- Use of known/fixed/default passwords and credentials

CISA notes that both dangerous practices are especially egregious in internet-accessible technologies.

CISA's list is a good start, but it's not just unsupported or end-of-life software that is dangerous. The deeper problem is not assigning resources to properly analyze the risk of the software deployed in your organization at all. That risk often comes from software that is still supported but not on its most recent version or not fully patched. Microsoft Exchange is a good example of this.

Why attackers target Microsoft Exchange

On-premises Microsoft Exchange servers have been targeted twice recently in attacks that can end in a complete takeover of a firm. The first, in March 2021, was called ProxyLogon. Microsoft released out-of-band patches for Exchange Server after attackers used a chain of vulnerabilities to take control of the servers and, from there, entire networks. Microsoft had to scramble to build and release patches for multiple Exchange builds because it quickly became clear that firms had not maintained their Exchange Servers within the N-1 supportability window. Exchange normally receives quarterly Cumulative Updates (CUs); a CU rolls up earlier fixes but is not itself a security update. What the CU level does define is supportability: when a Security Update (SU) is released, Microsoft builds it only for the most current CU and the one right before it.
If your firm hasn't kept its Exchange Servers up to date, you must first scramble onto a supported CU before you can apply the security update at all.

Why don't we keep servers up to date? As a former Exchange patcher, I can relate to the hesitation in deploying updates on that platform. Often the error messages are unusual and the resolution is not obvious. Email is one of those foundational technologies that we expect to always be on and always work. Planning maintenance on such a key technology needs buy-in from stakeholders. When I did patch Exchange servers, I ensured that I had a hygiene platform in front of Exchange so that when I needed to perform maintenance, email was held and stored until the mail network came back online and was fully functional.

The second attack on Exchange Servers is called ProxyShell, and fortunately it is not causing quite the same damage as the earlier ProxyLogon. It is still extremely impactful, and Huntress Labs reported that it is being used in ransomware attacks.

Why is on-premises Exchange so much in the crosshairs lately? As security researcher Orange Tsai pointed out in his Black Hat USA 2021 talk on Exchange vulnerabilities, Microsoft does not currently pay a bug bounty for its on-premises Exchange product, which it deems out of scope. Security researchers therefore have no incentive to turn Exchange bugs over to Microsoft.

How to protect Exchange from attacks

Tsai had several recommendations to protect yourself from such attacks:

Keep Microsoft Exchange systems up to date. Task someone in your organization with keeping Exchange patched both when a security update is released and when the quarterly cumulative updates ship. Install these updates on a regular basis and do not let your mail servers fall into a state where they cannot immediately take a security update.
More security vulnerabilities for these servers will emerge in the future.

Protect Exchange from internet and network threats. Ensure Exchange Servers are not directly internet-facing and are protected as well as you can manage from not only the internet but also the internal network. Use a firewall to limit access to the servers to only those devices or machines that need it. Too often we don't take the time to build appropriate firewall rules on our devices, and that is a key basic step in keeping them protected.

Migrate to cloud-based email. Last, and almost jokingly, Tsai said that to keep your on-premises Exchange protected you need to migrate to cloud-based email. Microsoft has deemed on-premises Exchange Servers no longer worthy of bug bounties. With less incentive to turn bugs over to the vendor, the risk is greater that vulnerabilities will be known to attackers first.

Clearly this last item needs to change. Microsoft needs to ensure that it pays bug bounties for all products that provide easy access to our networks. Too often smaller businesses and local governments are an easy entry point into larger organizations. Too often they have not moved to cloud-based email but still run an on-premises email server because of fixed costs and limited resources. These constraints create low-hanging fruit: attackers gain entry there and then go after other targets.

Take the time to review your patching resources and assign appropriate staff to your on-premises Exchange Server. Don't push quarterly updates off; install them in a timely and appropriate manner. When (not if) the next emergency Exchange patch comes out, be ready to deploy it immediately.
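As an added example that is not part of the original column and not Microsoft's own tooling, the following PowerShell check turns the N/N-1 rule above into something that can run on a schedule: it classifies a server's build as current (N), one CU behind (N-1), or outside the window where no security update can be applied, and says whether the latest SU for that CU is present. When run inside the Exchange Management Shell it reads the real installed version from ExSetup.exe; elsewhere it falls back to a set of constructed demo builds. Every build number in the demo section is a placeholder, not a real Exchange build; the actual current and previous CU/SU builds must be taken from Microsoft's published Exchange Server build table each quarter.

```powershell
# Added example, not Microsoft tooling: classify an Exchange build against the
# N / N-1 security-update window. All build numbers in the demo section are
# constructed placeholders; take the real values from Microsoft's Exchange
# Server build table each quarter.

function Get-ExchangeServicingStatus {
    [CmdletBinding()]
    param(
        # Installed build, e.g. the ProductVersion of ExSetup.exe.
        [Parameter(Mandatory)][version]$Installed,
        # Latest SU build for the current CU (N) and for the previous CU (N-1).
        # Major.Minor.Build identifies the CU; Revision advances with each SU
        # released for that CU.
        [Parameter(Mandatory)][version[]]$LatestSecurityUpdates
    )
    if ($LatestSecurityUpdates.Count -ne 2) {
        throw 'Pass exactly two builds: the latest SU for CU N and for CU N-1.'
    }
    $n, $n1 = ($LatestSecurityUpdates | Sort-Object -Descending)

    function Test-SameCU([version]$a, [version]$b) {
        ($a.Major -eq $b.Major) -and ($a.Minor -eq $b.Minor) -and ($a.Build -eq $b.Build)
    }

    if (Test-SameCU $Installed $n) {
        $window = 'N'; $target = $n
    } elseif (Test-SameCU $Installed $n1) {
        $window = 'N-1'; $target = $n1
    } else {
        $window = 'Unsupported'; $target = $null
    }

    # Inside the window, "patched" means the installed revision is at least the
    # latest SU revision for that CU. Outside it, no SU exists for the build.
    $suCurrent = ($null -ne $target) -and ($Installed.Revision -ge $target.Revision)

    $installSU = 'Install the latest SU for this CU now.'
    $action = switch ($window) {
        'Unsupported' { 'Upgrade to CU N or N-1 first; no security update exists for this build.' }
        'N-1' { if ($suCurrent) { 'Supported; schedule the CU upgrade before the next CU pushes this one out of the window.' } else { "$installSU Then schedule the CU upgrade." } }
        'N'   { if ($suCurrent) { 'Current.' } else { $installSU } }
    }

    [pscustomobject]@{
        Installed        = $Installed.ToString()
        Window           = $window
        SecurityUpdateOK = $suCurrent
        Action           = $action
    }
}

function Get-InstalledExchangeVersion {
    # ExSetup.exe's ProductVersion tracks the installed CU and SU level, and the
    # Exchange Management Shell puts the binary on the PATH. Returns $null on a
    # machine without Exchange so the demo below can still run offline.
    $cmd = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    if ($null -eq $cmd) { return $null }
    [version]$cmd.FileVersionInfo.ProductVersion
}

# Constructed placeholder builds (not real Exchange build numbers):
# CU N is build 2000 with latest SU revision 7; CU N-1 is build 1900 with SU revision 12.
$latestSUs = [version[]]('15.2.2000.7', '15.2.1900.12')

$live = Get-InstalledExchangeVersion
$builds = if ($null -ne $live) { @($live) } else {
    # Offline demo: current and patched, current but SU missing, N-1 patched, two CUs behind.
    '15.2.2000.7', '15.2.2000.3', '15.2.1900.12', '15.2.1700.2'
}

$builds | ForEach-Object {
    Get-ExchangeServicingStatus -Installed $_ -LatestSecurityUpdates $latestSUs
} | Format-Table -AutoSize
```

The two SU builds are the only input that changes over time; refresh them from Microsoft's build table whenever a CU or SU ships. A result of Unsupported is exactly the condition the column warns about: the next emergency SU will not install on that server until a CU upgrade has been done first, so that upgrade belongs on the calendar before the patch, not after it.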