Security survey shows Exchange as a sitting duck for attacks

Securing your Exchange setup is vital to keep your business up and running. However, recent security reviews show there's room for improvement.

Even though it's a new year, admins are met with some of the same security challenges. A number of studies from organizations, such as Cisco and Verizon, underscore the effect security has on the well-being of businesses of all sizes. How much does this matter to an Exchange administrator? It means everything.

Security impacts the confidentiality, integrity and availability of a messaging environment. If messaging system resiliency is the name of the game, it pays to be informed so you can fix the basics and not make the same security mistakes year after year.

If you're responsible for maintaining the security, availability and overall resiliency of Exchange in your organization, there are four main points from one recent survey that apply to you.

  • Most organizations don't have an inkling of a clue about where sensitive information resides. Such data is pervasive in Exchange environments and deserves more attention. Some tools to help could include data loss protection from Symantec or Proofpoint and cloud security software from Skyhigh Networks and Netskope.
  • Exchange is often a core application on mobile devices, and the mobile platform is ripe for attacks that unnecessarily expose Exchange. Many organizations lack any BYOD-related technical controls to facilitate the secure use of mobile devices. Using a mobile device management option or other related options such as MaaS360 or ZixOne can get you the most bang for your buck in the mobile realm.
  • Network environments often have an extremely immature patch-management process. As isolated and unused (for local users) as they may seem, servers -- regardless of functionality -- need to be patched.
  • Many security vulnerability assessments reveal that the majority of organizations don't have an incident-response plan. If they do, these plans are often woefully inadequate. At a minimum, have a plan that spells out what constitutes an incident, which security and monitoring controls you have in place, and who you're going to call for help when the going gets rough.

Wisdom has taught us that these types of security challenges are creating the very issues organizations struggle with year after year. These challenges don't affect just one specific group; this is a broad, diverse group of businesses and government agencies that you don't want to be a part of.

For Exchange admins, this means that you need to treat Exchange as a critical business system. It's no doubt a target in your environment. The last thing you need is to overlook a relatively petty security flaw or, just as bad, get caught off guard and unprepared once an incident occurs.

Make it a priority to ensure your Exchange systems and data are locked down from the deployment phase to the general maintenance phase. This can be done by including them in your security standards, policies and incident response plan. Even as legacy Exchange systems are being phased out and hardware is being commissioned or disposed of, or if you're upgrading or moving to the cloud, you must treat these systems with the highest regard.

Look past security documentation and ensure Exchange audit logging, related Group Policy Objects and secondary messaging security controls such as spam, firewalls and cloud email filtering tie in. Ongoing security vulnerability assessments and penetration tests of your Exchange systems are an absolute must as well.

At the end of the day, you cannot secure what you don't acknowledge. If you're overlooking some of these essentials, you will no doubt have risks in your Exchange environment that need attention.

About the author:
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter, watch him on YouTube and connect to him on LinkedIn.

This was last published in February 2015

7 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Which security challenges have been the most difficult for your organization to resolve?
The two biggest security issues that have taken the longest to integrate to solve our security concerns are getting employees to adopt the multi-tiered authentication processes and to keep employees from using jail-broken mobile devices. My enterprise has a new policy that forbids the use of jailbroken mobile devices and another that makes all employees responsible for learning the multi-tiered authentication processes. One of these processes includes changing passcode to more secure passphrases.
Making Exchange security a priority in 2015: Stay with Exchange Server (On-Premises), install the latest patches and have 100% control over it.
I agree with Bob.
Risks abound for Exchange deployments. I think proactive planning and acknowledgment of security measures and protections for users, data, servers, and infrastructure are an afterthought.
Great points, Aleezay! The problem is there's no time for planning. :)
All the writers make great points, but it's like repairing a car while it's driving down the highway. I don't think you can be fully safe unless some of the steps you take are to sandbox your enterprise, test it, and then implement Exchange on your fully tested and protected organization. Theory is great. Practice is more difficult. Just be aware and vigilant as you notice abnormalities occurring.
