
Boost Exchange email security with Critical Security Controls

The SANS Institute's 20 critical security controls all apply to Exchange Server, and many IT organizations are falling behind on many of them.

The SANS 20 CIS Critical Security Controls isn't just free, it's priceless for locking down Exchange email security.

The SANS Institute's 20 CIS Critical Security Controls list, currently in version 6, has been around -- and improving -- for years. The list provides recommended actions to defend against attacks. This set of best practices should already be in place in a well-functioning and secure IT deployment. Recommendations from the SANS Institute can help IT make small adjustments to improve security. The list also shares what it takes to form and run an effective information security program.

If you're tasked with keeping corporate data and communications locked down in a Microsoft Exchange environment, then resources such as the SANS Critical Security Controls can be invaluable. Whether you're just starting to build out email security controls or you're fine-tuning Exchange email security to minimize risks and maximize resiliency, the SANS controls can be a helpful resource.

All 20 of the critical security controls apply to Exchange email security:

  • CSC 1: Inventory of Authorized and Unauthorized Devices
  • CSC 2: Inventory of Authorized and Unauthorized Software
  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 4: Continuous Vulnerability Assessment and Remediation
  • CSC 5: Controlled Use of Administrative Privileges
  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • CSC 7: Email and Web Browser Protections
  • CSC 8: Malware Defenses
  • CSC 9: Limitation and Control of Network Ports, Protocols, and Services
  • CSC 10: Data Recovery Capability
  • CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • CSC 12: Boundary Defense
  • CSC 13: Data Protection
  • CSC 14: Controlled Access Based on the Need to Know
  • CSC 15: Wireless Access Control
  • CSC 16: Account Monitoring and Control
  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  • CSC 18: Application Software Security
  • CSC 19: Incident Response and Management
  • CSC 20: Penetration Tests and Red Team Exercises

All of these security controls apply to a messaging environment. Even wireless access and security at the application and software levels matter to Exchange administrators worried about attacks.

Exchange is as much of a target for security incidents and breaches as any other area of the enterprise network, especially given how critical today's messaging environments are to businesses.

Prioritize or perish

Surprisingly, many organizations don't have formal standards for Exchange email security controls and data protection. Do you test for vulnerabilities? Does the Exchange admin or another team monitor for security-related problems? You can't secure the components that you don't acknowledge.

Nearly half of the SANS 20 critical controls are often not fully addressed by IT organizations. Unless the IT team prioritizes these controls, it is creating unnecessary security risks:

  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 4: Continuous Vulnerability Assessment and Remediation
  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • CSC 8: Malware Defenses
  • CSC 13: Data Protection
  • CSC 16: Account Monitoring and Control
  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  • CSC 19: Incident Response and Management
  • CSC 20: Penetration Tests and Red Team Exercises

If necessary, beef up security and best practices training. Consider using outside firms to help in areas where the organization is weak and cannot justify building out internal expertise. Most importantly, get started now. Email security control challenges -- whether on-premises in Exchange or in the cloud in Office 365 -- are not going to get any easier unless you act.


This was last published in October 2016
