
Security survey shows Exchange as a sitting duck for attacks

Securing your Exchange setup is vital to keep your business up and running. However, recent security reviews show there's room for improvement.

Even though it's a new year, admins are met with some of the same security challenges. A number of studies from organizations, such as Cisco and Verizon, underscore the effect security has on the well-being of businesses of all sizes. How much does this matter to an Exchange administrator? It means everything.

Security impacts the confidentiality, integrity and availability of a messaging environment. If messaging system resiliency is the name of the game, it pays to be informed so you can fix the basics and not make the same security mistakes year after year.

If you're responsible for maintaining the security, availability and overall resiliency of Exchange in your organization, there are four main points from one recent survey that apply to you.

  • Most organizations don't have an inkling of a clue about where sensitive information resides. Such data is pervasive in Exchange environments and deserves more attention. Some tools to help could include data loss protection from Symantec or Proofpoint and cloud security software from Skyhigh Networks and Netskope.
  • Exchange is often a core application on mobile devices, and the mobile platform is ripe for attacks that unnecessarily expose Exchange. Many organizations lack any BYOD-related technical controls to facilitate the secure use of mobile devices. Using a mobile device management option or other related options such as MaaS360 or ZixOne can get you the most bang for your buck in the mobile realm.
  • Network environments often have an extremely immature patch-management process. As isolated and unused (for local users) as they may seem, servers -- regardless of functionality -- need to be patched.
  • Many security vulnerability assessments reveal that the majority of organizations don't have an incident-response plan. If they do, these plans are often woefully inadequate. At a minimum, have a plan that spells out what constitutes an incident, which security and monitoring controls you have in place, and who you're going to call for help when the going gets rough.

Wisdom has taught us that these types of security challenges are creating the very issues organizations struggle with year after year. These challenges don't affect just one specific group; this is a broad, diverse group of businesses and government agencies that you don't want to be a part of.

For Exchange admins, this means that you need to treat Exchange as a critical business system. It's no doubt a target in your environment. The last thing you need is to overlook a relatively petty security flaw or, just as bad, get caught off guard and unprepared once an incident occurs.

Make it a priority to ensure your Exchange systems and data are locked down from the deployment phase to the general maintenance phase. This can be done by including them in your security standards, policies and incident response plan. Even as legacy Exchange systems are being phased out and hardware is being commissioned or disposed of, or if you're upgrading or moving to the cloud, you must treat these systems with the highest regard.

Look past security documentation and ensure that Exchange audit logging, related Group Policy Objects and secondary messaging security controls such as spam filtering, firewalls and cloud email filtering tie in. Ongoing security vulnerability assessments and penetration tests of your Exchange systems are an absolute must as well.

At the end of the day, you cannot secure what you don't acknowledge. If you're overlooking some of these essentials, you will no doubt have risks in your Exchange environment that need attention.

About the author:
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at and you can follow him on Twitter, watch him on YouTube and connect to him on LinkedIn.
