Pratum Blog

Microsoft Exchange Server Vulnerability

A vulnerability discovered in Microsoft Exchange could impact your business’s email accounts, and potentially entire networks. In February of 2020, Microsoft released several security updates to address a vulnerability discovered in the Microsoft Exchange Server (CVE-2020-0688). While a patch has been issued, several Exchange accounts have not been updated and are still at risk.

How it Works

With this vulnerability, CVE-2020-0688, the Exchange server fails to create unique keys during installation. With this, attackers can then utilize this key to deserialize certain information or pass commands.

Definitions-

Serialization: the process of converting an object into a stream of bytes to store the object or transmit it to memory, a database, or a file. Its main purpose is to save the state of an object in order to be able to recreate it when needed.

Deserialization: the reverse process of Serialization; taking the raw data and reconstructing the object model.

In short, this vulnerability would allow a hacker to compromise an entire Exchange environment. This could affect all email and potentially all Active Directory, depending on how the server was implemented. This could also leave businesses the target for APT (Advanced Persistent Threats) attackers who can use the vulnerability to read a company's email store.

Known Impact

The vulnerability that was discovered, and is now being addressed by Microsoft, is more than just a threat. There have been exploitations of this vulnerability discovered. In fact, a Rapid7 scan of the internet in early April found that more than 350,000 Exchange servers were still vulnerable after the patch was released.

Researchers with Kenna Security ran analyses of their own and discovered that of 22,000 internet-facing Outlook Web Access servers, 74% were vulnerable and 26% were potentially vulnerable two months after Microsoft released a patch to address these concerns.

Take Action Now

With Exchange environments being so high in value, security experts are afraid this vulnerability will become a favorite for ransomware attacks. That is why it is important to address the potential risk now. Here are the steps you can take to help reduce risk from CVE-2020-0688.

1. Check your systems to make sure everything has been updated. The patch from Microsoft needs to be installed on any server with the Exchange Control Panel (ECP) enabled.

2. Exchange servers must be running one of the Cumulative Updates listed in the Microsoft Advisory in order for the update to be installed.

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

3. Determine whether anyone has attempted exploiting CVE-2020-0688 in your environment. Any account tied to an attempt should be treated as compromised.

If you have not already, it is advised that everyone install the Microsoft patch immediately. If you cannot install the patch, be sure to at least block access to ECP. If you are unsure if your company has been compromised, please reach out to a Pratum cybersecurity expert today.

Information Security Risk Matrix

Every organization is unique, so the risks they each face are not the same. In order to make a plan of action to protect your business, you need to first understand where the threats against you are. Once you know where those risks and gaps are you can start to identify the likelihood of them occurring and the impact they could have on your organization.

This sort of knowledge is crucial when making risk-based decisions for your company. Without full knowledge of where, how, and why a threat could occur, you’re not going to be able to stop it. That’s why understanding likelihood and impact are both important factors in the Risk Assessment process.

Keep it Simple

You don’t have to have a complex formula in order to improve or support the security environment of your organization. However, it is important for leadership to understand where time and resources need to be spent in order to reduce potential risks to the company. That’s how Risk Assessments can shed light on the key factors in this decision-making process.

Having a better understanding of the system also helps out other members of your staff. Members of the IT department need to know what products and processes to put into place in order to limit potential risks. The more knowledge they have, the better they can work with leadership to determine and address security concerns. Sharing the Risk Assessment results with members of the IT team will help them understand where to reduce risks.

Risk Formula

Risk = Threats x Vulnerabilities

This is a common formula that is used to determine the likelihood of risk. It’s a good way to approach finding risk because it addresses the key factors in a cybersecurity threat.

The standard set in NIST 800-53 implies that a realistic assessment of risk requires an understanding of these areas: threats to an organization, potential vulnerabilities within the organization, and the likelihood and impacts of successfully exploiting the vulnerabilities with those threats. That likelihood is then best described and categorized in values of High, Medium, and Low.

Getting Started

Now that you know the importance and formula for determining likelihood and impact during a Risk Assessment, here’s how you get started!

First, determine the inherent risk. That is, the risk level and exposure your system faces without taking into account any mitigating measures or controls that are actively in place. Where is your system at its weakest when no other security measures are in place to protect them?

An area with a higher likelihood and impact of a threat on the organization, from an inherent risk level, may need additional controls to reduce the level of risk to an acceptable level. This process then leaves you with what we call “residual risk”. That’s the level of risk that will remain following the implementation of a mitigating control. If the threshold is still higher than you prefer, then additional risk management measures and techniques should be introduced.

 Mitigating Measures:

  • Avoidance – Elimination of the cause of the risk.
  • Mitigation – Reduction of the probability of a risk’s occurrence or of its impact.
  • Transfer – Sharing of risk with partners, such as through insurance or other ventures.
  • Acceptance – Formal acknowledgement of the presence of risk with a commitment to monitor it.

Finding Help

If you’ve now read through how determining likelihood and impact can help your Risk Assessment process, but still aren’t sure where to go next, there is help available through cybersecurity consultants. These experts in the field can help by looking over a number of key factors you may not have considered.

Cybersecurity Consultants are able to analyze your organization’s structure, policies, standards, technology, architecture, controls, and more to determine the likelihood and impact of potential risks. They will also review your current controls and evaluate their effectiveness.

While determining how secure your network is, Consultants will also assess any gaps between your current security posture and where you want your organization to be. This can be accomplished by determining accountability. That means ensuring risk ownership is assigned at the appropriate level and to the appropriate team. It’s important to have the right security measures in the right hands.

End Goal

The end goal is to get to an acceptable level of risk or the level of risk that is satisfactory to your management team. It’s important to evaluate and be aware of the risk in your environment so you can implement appropriate controls to mitigate this risk and secure sensitive information. Evaluating risk means understanding the biggest factors of any security threat, likelihood and impact.

If you’re looking for a security partner to address your Risk Assessment needs, feel free to reach out to a Pratum Consultant at any time for more details on ways you can secure your business!

Risk Assessment Value

Whether you’re a small business trying to figure out where to start with your cybersecurity needs, or you’re a larger corporation wanting to make sure the security measures you put in place are working properly, an Information Security Risk Assessment is a great way to get a thorough look inside your organization.

Taking the time to go over possible threats is crucial in preventing issues down the road and giving your business the best chance at long-term success. Here are the basic steps of a Risk Assessment, and why this process can provide so much value to your cybersecurity program.

What is an Information Security Risk Assessment?

A Risk Assessment helps guide an organization in making rational decisions to improve security posture and align risk with acceptable tolerance levels.

What does that really mean?

Cybersecurity experts, such as Pratum Consultants, conduct a comprehensive overview of your current security measures and come up with a list of possible threats. This is based on the issues your company is likely to face. Not all organizations have the same security threats.

The Risk Assessment process helps IT departments and business owners find and evaluate risk while aligning with business objectives.

Why is it Necessary?

A Risk Assessment offers sort of a window into your organization’s security operations. The process reveals exactly where there are flaws, what’s working well, and what might not be necessary. Being able to have a certified expert go over your security posture can help you better understand things that may have been overlooked in the past.

This kind of knowledge is valuable for preventing security breaches, securing sensitive information, and reassuring clients their own data is being protected.

Not only is this important for the function of your company, information security risk assessments are also the first requirement outlined in federal regulations such as Sarbanes-Oxley Act (SOX), Gramm-Leach Bliley Act (GLBA), and Health Insurance Portability and Accountability Act (HIPAA). The Payment Card Industry – Data Security Standards (PCI-DSS) also require merchants of all sizes to perform due diligence in assessing risk in their technology operations.

How Does the Process Work?

These are a few of the key steps during a Information Security Risk Assessment.

1. Prepare

The first step is to determine why the assessment is needed? You’ll want to figure out the information the assessment is intended to produce and the decisions it is intended to support. Knowing the goal of the process will help direct the steps taken.

You will also select a control framework. Pratum bases risk assessments off a subset of controls from NIST 800-53. Other highly regarded frameworks are the Center for Information Security (CIS) Top 20 and NIST 800-171.

2. Conduct

The objective of this step is to create a list of information security threats that can be prioritized by risk level and used to inform risk response decisions. That includes identifying any threat sources, risks, and vulnerabilities. Then the risk levels and likelihood are analyzed.

This step also includes interviews with department managers and key business personnel. The focus is on how sensitive information flows through the systems and/or applications they manage.

Here are some questions that may come up:

  • Are there any concerns with data flow models?
  • Does the information have the potential to be seen by unauthorized individuals?
  • Are there vulnerabilities within these systems that could lead to device compromise?
  • Does management have adequate visibility into the risk management program?

While risk assessments can be conducted internally, it is helpful to bring in a third party to have an independent set of eyes evaluate IT environments.

3. Review

The last step involves reviewing IT controls and using control frameworks as a guide to implement these controls in a secure manner. This is followed by communicating the information discovered and finding out how decision makers within the organization can use the information to address security risks in the future.

The Pratum Consultant will put together a report of risks at different levels for your business’s executive leadership to review.

What are those risk levels?

Low: Finding creates limited exposure for compromise of user accounts, or unauthorized access to data due to configuration issues, outdated patches and/or policy.

Moderate: Finding does not directly lead to a compromise but could be used in conjunction with other techniques to compromise accounts, or to perform unauthorized activity in the environment.

High: Finding creates a large exposure that could result in a loss of system control, access, application control, and/or exposure of customer data via the compromise of administrative accounts and/or other system functions. It could also create an issue with regards to confidentiality and/or integrity, resulting in many user accounts being compromised, or restricted system functions being accessed.

4. Repeat

A Risk Assessment is not a onetime cure-all. This process should be done on an annual basis to keep up with any new threats and potential changes within the organization.

When Should You Pursue an Information Security Risk Assessment?

There really is no wrong time to do a Risk Assessment. While it should be one of the first considerations of new businesses, it should also be part of your continual security evaluation process. Risk assessments provide immense value to organizations of all sizes, as they allow the IT department to communicate control gaps and security concerns in a language and perspective business leaders can understand.

As stated before, it is possible for an organization to conduct their own Risk Assessment. However, there are benefits to hiring a third-party consultant. Pratum has often identified areas of risk our clients were unaware of. If you’d like to find out more about conducting a Risk Assessment for your business, contact Pratum today!

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.