As we wrap up Cybersecurity awareness month, there’s one more question I’d like to ask you. If you are still running your Microsoft Exchange Server in-house – why? Take it from a cybersecurity professional; you need to stop running Microsoft Exchange on-premise. Here’s why moving Microsoft Exchange to the cloud is more secure.
Before you go thinking I’m just a cloud advocate (I am, where it makes sense) who wants to move everything up there, let me explain a bit about my background before becoming a security professional. One of the first products that I developed expertise in was Microsoft Exchange. My work started with Exchange version 4.0 (which was the first version of it) all the way back in 1996. Even before then, I spent some time with MS Mail. So, I’ve got lots of experience under my belt when it comes to this platform.
The risks of Microsoft Exchange on-premise
Why am I against running Exchange on your local network? It all comes down to risk. We’ve seen three major vulnerabilities against the Exchange platform in just the past seven months.
Since spring, almost all of the compromised systems that my team has worked on have been a result of compromised Microsoft Exchange. The first vulnerability was disclosed in early March and another set of vulnerabilities came out in April. These vulnerabilities were exploited by an organization known as Hafnium, a state-sponsored threat actor group. Once exploited, they gave threat actors full access to the Exchange servers via a web proxy shell, which in turn potentially allowed further access into a victim’s organization. As feared, this led to an increase in ransomware – namely the LockFile attack. Given the wild success these threat actor groups have had with Exchange vulnerabilities, there’s no reason to think these threats are going to diminish.
You might be thinking, “but I’m good about patching my systems!” That’s commendable, but it may not be enough. Patching is extremely important; however, updates aren’t always released in time to prevent issues. Earlier this year, a number of the compromised Exchange servers we looked at had been compromised before the public knew there were vulnerabilities, and therefore before updates were even available. Even if you had installed the patch the instant it was available, you might not have been safe. Installing the patch also would not remove any already-installed web proxy shells, which gave organizations a false sense of security. It was (and remains) critical not only to patch these systems but to look for the presence of these web shells and then remove them.
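The last point above, checking for web shells rather than trusting the patch alone, is the step most often skipped. As an added example (my own illustration, not ADNET’s process or Microsoft’s tooling), the Python scanner below walks the web directories an Exchange server serves from, reports any server-side page whose content shows web-shell traits, and notes whether the file was modified after a baseline date such as the last known-clean backup. The directory layout, the content signatures and the two sample pages are all constructed for illustration; a real hunt should combine this kind of check with the vendor’s published indicators and scanning tools.

```python
"""Hunt for web shells dropped into an Exchange server's web directories.

Added example, not code from the original post. All paths, signatures and
sample files are constructed for illustration.
"""
from __future__ import annotations

import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Server-side page types IIS will execute if one is dropped into a web root.
EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx"}

# Content traits typical of web shells and atypical of legitimate OWA pages.
# These are assumed, illustrative signatures, not a vendor-published list.
SUSPICIOUS_PATTERNS = {
    "request_param_to_code": re.compile(r'Request\s*\[\s*"[^"]*"\s*\]', re.I),
    "process_spawn": re.compile(r"Process\.Start\s*\(", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(", re.I),
    "cmd_shell_reference": re.compile(r"cmd\.exe|powershell", re.I),
}


def inspect_file(path: Path, baseline: datetime) -> list[str]:
    """Return the reasons a page looks suspicious; an empty list means clean."""
    reasons: list[str] = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return ["unreadable"]
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            reasons.append(name)
    # A page written after the baseline is a lead worth reviewing by hand.
    # Timestamps can be forged, so treat this as a hint, never as proof.
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    if mtime > baseline:
        reasons.append("modified_after_baseline")
    return reasons


def scan_web_roots(roots, baseline: datetime) -> list[dict]:
    """Scan every executable page under the given web roots and collect findings."""
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
                reasons = inspect_file(path, baseline)
                if reasons:
                    findings.append({"path": str(path), "reasons": reasons})
    return findings


def build_sample_tree() -> tuple[str, datetime]:
    """Construct a throwaway mini web root: one benign page, one shell-like page."""
    root = Path(tempfile.mkdtemp(prefix="exchange_webroot_"))
    benign = root / "owa" / "auth" / "logon.aspx"
    benign.parent.mkdir(parents=True)
    benign.write_text('<%@ Page Language="C#" %>\n'
                      "<html><body>Sign-in page (constructed sample)</body></html>\n")
    old = datetime(2021, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))  # pretend it shipped well before the baseline
    dropped = root / "aspnet_client" / "system_web" / "update.aspx"
    dropped.parent.mkdir(parents=True)
    # Constructed, non-functional fragment carrying the traits a scanner keys on.
    dropped.write_text('<%@ Page Language="C#" %>\n'
                       '<% Response.Write(Process.Start(Request["c"])); %>\n')
    baseline = datetime(2021, 3, 1, tzinfo=timezone.utc)
    return str(root), baseline


if __name__ == "__main__":
    sample_root, sample_baseline = build_sample_tree()
    for finding in scan_web_roots([sample_root], sample_baseline):
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

On a real server you would pass the IIS web roots Exchange uses instead of the constructed tree, and review every hit rather than deleting on sight: a content match plus a post-baseline timestamp in a directory that should not contain pages at all is the combination that most often turns out to be a dropped shell.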
Outside of patching, one of the other biggest strategies to keep systems safe is to limit their access to the Internet. Unfortunately, that’s not an option with on-premise Exchange servers. Exchange on-premise needs Internet access for email traffic along with mobile device access.
When we look at things from a security perspective, we can no longer count on being able to patch these systems in time. We are at a point where attackers are just simply going faster than the defenders. It’s not an ideal position, but it’s the reality we have to deal with.
Limiting access from the Internet to these boxes is not doable, which leaves us with no real options. As a result, the recommendation at ADNET is to move this critical service to the cloud as quickly as possible. This is not to say there aren’t security issues with Office 365 and other cloud services, but they are different. Issues typically seen with O365 are around user compromises (which can be heavily mitigated by MFA), not the fundamental software security issues we’ve seen this year with Microsoft Exchange on-premise. The main difference is that a user compromise, while bad, can be contained to just that one account. A server or software compromise can lead to the entire server being compromised and can be a springboard into the rest of an organization’s environment.
If you have questions or concerns about moving Microsoft Exchange to the cloud, reach out to us. We have experience lifting clients of all sizes and industries to the cloud and we’re happy to address any security questions that come up. It’s time. Make the move.