Do you ever feel like you're wearing too many hats in your job as an IT professional? Even if you're a dedicated Exchange Server administrator, you probably have a lot of other responsibilities. However, you may not have thought about security incident response.
Exchange Server-related security incidents might include:
- Malware outbreaks
- Denial of service
- Exploitation of patches by a rogue insider
- Account enumeration/user harvesting
- Data leakage
- Password cracking
- Spam relaying
With each of these incidents, there are specific steps you'll need to take in order to recover from the attack. From penetration analysis to forensics investigation, incident response requires hands-on technical knowledge as well as higher-level business process expertise.
Some steps you'll need to take will be technical, such as reviewing Exchange and Windows server logs, running network protocol analysis and administering system patches. Other steps will be more operational in nature -- creating and instituting documentation and policy changes.
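As an added illustration of the log review step (example code, not from the article), the following Python check scans constructed Exchange message tracking log rows and flags client IPs that submitted mail where neither the sender nor any recipient belongs to one of the organization's accepted domains, which is the pattern behind the spam relaying incident listed above. It assumes a simplified CSV carrying only a subset of the real message tracking log field names, and a hypothetical accepted-domain set.

```python
"""Flag possible third-party (spam) relaying in Exchange message tracking logs.

Constructed sample: a handful of log rows are embedded below, using only a
subset of the real message tracking log fields; real logs carry many more.
"""
import csv
import io
from collections import Counter

# Assumption: the organization's accepted domains (hypothetical value).
INTERNAL_DOMAINS = {"example.org"}

# Constructed rows. Field names match the real log, but the row set is made up.
SAMPLE_LOG = """\
date-time,client-ip,event-id,source,recipient-address,sender-address
2010-03-01T08:00:01Z,10.0.0.5,RECEIVE,SMTP,alice@example.org,bob@partner.test
2010-03-01T08:00:07Z,203.0.113.9,RECEIVE,SMTP,victim1@mail.test;victim2@mail.test,deals@bulk.test
2010-03-01T08:00:08Z,203.0.113.9,RECEIVE,SMTP,victim3@mail.test,deals@bulk.test
2010-03-01T08:00:09Z,203.0.113.9,RECEIVE,SMTP,victim4@mail.test,deals@bulk.test
2010-03-01T08:01:00Z,10.0.0.7,RECEIVE,STOREDRIVER,carol@partner.test,alice@example.org
2010-03-01T08:02:00Z,198.51.100.4,RECEIVE,SMTP,dave@other.test,alice@example.org
2010-03-01T08:03:00Z,198.51.100.4,RECEIVE,SMTP,eve@other.test,spam@bulk.test
"""


def domain(addr: str) -> str:
    """Lower-cased domain part of an SMTP address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def is_external(addr: str) -> bool:
    """True when the address is not in one of the accepted domains."""
    return domain(addr) not in INTERNAL_DOMAINS


def find_relay_candidates(log_text: str, threshold: int = 2) -> dict:
    """Return {client_ip: message_count} for mail accepted over SMTP whose
    sender and every recipient are external, i.e. the server carried mail
    for which it was neither the source nor the destination. Only IPs with
    at least `threshold` such messages are reported, to cut down noise."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only mail taken in from the network on a receive connector matters;
        # STOREDRIVER rows are mailbox users sending through Outlook/OWA.
        if row["event-id"] != "RECEIVE" or row["source"] != "SMTP":
            continue
        # A row can list several recipients separated by semicolons.
        recipients = row["recipient-address"].split(";")
        if is_external(row["sender-address"]) and all(map(is_external, recipients)):
            hits[row["client-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(find_relay_candidates(SAMPLE_LOG))
```

Before treating a hit as an incident, compare the IP against known application servers that are allowed to relay through an authenticated connector; those show up the same way in the log.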
The reality is that you need to have solid incident response procedures in place. If not, you're more likely to react rather than respond, which ultimately leads to increased business risks.
Figure 1 outlines the necessary components for correctly handling Exchange Server breaches:
Although many Exchange Server-related security incidents can be prevented in the first place, you'll still need some documented guidance to refer to when you do need it. Remember, a breach can snowball, so your Exchange incident response may end up encompassing your entire network -- from applications to databases to mobile devices.
If your Exchange Server organization is developing an incident response plan, it's helpful to start small, base it around your Exchange environment and build out from there. This will keep you ahead of the pack and prepared for the worst.
About the author: Kevin Beaver

Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in March 2010