When I saw a recent Wall Street Journal article about how the U.S. State Department can't beat hackers, I immediately...
thought to myself, of course they can't. The federal government can posture with its regulations and cybersecurity initiatives all it wants, but there's typically no stopping a determined adversary in a phishing hack. This is especially true when it's an individual or a group of people looking to gather intelligence, trade secrets or other sensitive information that has considerable market value.
People familiar with the investigation into the State Department cyber attacks said that the federal government still hasn't been able to kick off attackers from the State Department's network, even though the hackers' presence was confirmed over three months prior. This is not particularly surprising. Once an attacker is able to gain a foothold in an Exchange environment through a phishing hack -- or anywhere on a network -- all bets are off. It's not all that different from how cancer can invade the body and be relentless in its attack.
A phishing attack that led to an infection via malware -- allegedly linked to the Russian government -- is believed to be the cause of this particular intrusion at the State Department. It is proof that despite Exchange admins thinking they have implemented all necessary policies and seemingly have the most effective technical security controls in the world at their disposal, all it takes for an environment to be infected is one click by one unsuspecting end user.
Granted, this was an attack against the U.S. federal government and their Exchange admins may be in a different situation. That said, the situation in a private organization can be equally dire if an outside party is able to successfully carry out a similar type of breach. Unfortunately, most organ izations are more vulnerable than they think they are. For example, as part of a recent security assessment in my work, I performed a phishing test against a few hundred end users and achieved a whopping 72% success rate -- or failure rate, depending on how someone looks at it. If an organization's Exchange-related security ducks are not in a row, something similar could just as easily happen to them.
Regardless of what line of work Exchange admins are in, they need to be thinking about how such an attack could impact their organizations. They need to understand what "bad" means in terms of Exchange-related security breaches and then decide how they will defend and respond to them. As it turned out, the breach of the U.S. State Department was limited only to unclassified emails, but that's not really the point. It only takes a few bits and pieces of sensitive data taken from one email or another for an outsider to piece together information that can be used against an organization. On the other hand, the offender could even be someone inside your network who's conspiring against the organization. Both types of attacks are equally harmful.
Exchange security takeaways from the State Department attacks
Starting today, Exchange administrators should do something to help enrich their organizations' security programs against potential phishing hacks, because if this type of breach can happen in the U.S. State Department, it can happen anywhere.
It pays to be vigilant and to know one's Exchange environment inside and out. Implementing necessary and proper security controls in and around messaging systems can be a big help. It pays for Exchange admins to minimize the complexity of their organizations' networks. They also should install proven antimalware protection, including Web and cloud filtering and whitelisting controls. Additionally, they must consistently monitor network environments for any kind of security anomalies or potential intrusions. Training end users about the possible ways attackers could gain access and then periodically testing them to see how well prepared they are in the event of such attacks is also an effective preventative measure. Finally, and most importantly, admins should have a plan in place in the event of a successful breach to minimize the potential negative impact on their businesses.
Protect end users from phishing scams
Three reasons why phishing attacks are popular
A primer to protect against phishing