If you've studied programming, engineering or computers in a professional capacity, you've no doubt heard the saying that garbage in equals garbage out. It's most certainly the foundation of computer system operations, especially those pesky and elusive glitches we can't seem to avoid.
When you get to the bottom of these operations, the same line of thought applies to pretty much every known data breach. Regardless of what was compromised, there are three main factors that create the conditions for a data breach. Choices are either made or not made. Information systems and their accompanying security controls are either deployed or not deployed. And these systems are either managed or not managed. The resulting conditions from these factors will either help or hurt your business and determine the risks you face.
Microsoft Exchange is often the first point of entry in the steps leading up to a data breach, so you must know what you're up against both externally and internally. Remember, all it takes for a serious data breach similar to the recent Target or Home Depot breaches is just one missing patch or just one compromised password on just one mobile device, workstation or Outlook Web App account.
Address common data breach causes
If you want to minimize the chances of getting hit by a breach in your Exchange environment, you will really have to step up your security game. It starts with a security assessment that uncovers the low-hanging fruit likely to get people in trouble. Fix the problems you uncover there and continue to perform periodic and consistent assessments for other low-hanging fruit. But don't stop there.
Even if you don't consider yourself a security professional, you're still part of the security equation. Study the Verizon Data Breach Investigations Report and other security reports, such as the Trustwave Global Security Report. Mandiant's APT1 report, for example, is a fascinating and informative read for Exchange admins. All of the research, attack methods and data breach causes highlighted in the reports could affect your messaging environment in some way. This is why it's so important for you and your organization's key security players to understand what's going on. An exercise in threat modeling, for example, can go a long way toward protecting your messaging environment.
One of the biggest mistakes you can make is to believe that security threats come only in the form of external adversaries or even malicious employees. I'd venture to guess that corporate politics are the underlying cause in a large number of data breaches. I've seen and heard of CIOs not wanting to test their systems for vulnerabilities for fear of being made to look bad. Similarly, some executives don't want to acknowledge the fact that nothing is getting done (or that the wrong things are being done); if they do, they've then taken ownership of problems they may not be willing to resolve. This is why it's so important to understand the political issues you should look for and to be prepared to respond to them.
Political plays are often quite obvious. It's the CIOs who don't want to get called out on what they're doing wrong in terms of security. It's the corporate legal counsel making decisions in lieu of the chief information security officer. It's the manage-by-committee approach to security and compliance where bystander apathy has a greater presence than true leadership. In so many situations, few people are willing to stand up and do what's right for an organization's security because if they fail (presumably due to a breach), their personal job security is at stake. It's like the BYOD security loophole present in most organizations; it's just a lot larger and across all of IT.
Go beyond the written policies and the Group Policies. If you look closely enough, you'll see what's really creating the messaging risks in your organization.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.
This is part one in a series about how you can learn from the recent rash of data breaches to protect your Exchange environment.
Click here for part two, which covers how email phishing can cause data breaches and the warning signs admins should look for.