That’s the approximate number of organizations hacked due to the Microsoft Exchange Server exploit, according to KrebsOnSecurity, including small businesses, banks, hospitals, government organizations and even multinational corporations. The vulnerability enabled hackers to gain access to emails, unencrypted passwords and entire servers, leaving organizations across the world searching for ways to take back control of their (and their customers’) data. This could have been prevented using a simple tool: patching.
Firstly, what happened?
Hackers are constantly prodding the software we use daily, from Slack to Microsoft Word to even the Windows and Mac operating systems, searching for easy-to-access ‘holes’. Sometimes hackers get lucky and find gaps (vulnerabilities) just big enough to squeeze through and gain access to your machine, its files and even its webcam. When Slack Inc., Microsoft or Apple discover these vulnerabilities, they scramble to remediate the problem, issuing software patches to close the gap, securing your device and protecting your data.
In early 2021, four crippling security vulnerabilities were discovered in Microsoft Exchange Servers, giving hackers access to the entire server, including emails, unencrypted passwords and personal information (source). Hackers were actively exploiting these vulnerabilities in as many organizations as possible, stealing confidential data, locking servers and holding them to ransom. In some incidents they used their access to send malicious emails on the victims’ behalf (source). What’s more, once these vulnerabilities were discovered and published on the internet, anyone with a computer and an internet connection could see how the gaps were exploitable. This meant that they too could hack these servers, creating a cascade effect and drastically increasing the likelihood of compromise.
The Exchange hack rocked the cybersecurity field. Organisations of different sizes and domains were all getting attacked indiscriminately. Headlines filled the news with titles like “European Banking Authority (EBA) hit by Microsoft Exchange Hack” (source) and even “New Cyberattack on Norwegian Parliament” (source). The Norwegian Parliament confirmed their files and emails had been compromised and exfiltrated, creating a significant data breach. Given the sensitivity of the data involved, the EBA resolved to effectively shut down its entire email system as it assessed the damage. Despite the costs involved and the disruption to operations resulting from the temporary closure of systems, these large-scale organisations had the capacity to deal with these attacks. With near limitless funds to support Disaster Recovery processes and access to the best cyber experts to support them, these organisations benefited from minimum downtime. Frustrating as it may be, these types of organisations could and would survive these types of attacks.
The story for small and medium businesses (SMEs) attacked using the same vulnerability has a very different outcome. While the Exchange hack struck everywhere, the impact was greater for SMEs. Often, smaller businesses fail to fully appreciate the value of investment in cybersecurity and as a result are under-resourced to protect against cyber-attacks. The American Securities and Exchange Commission detailed in 2015 how “half of small businesses that suffer a cyberattack go out of business within six months”. With 43% of online attacks now targeted at small businesses, the outcomes look bleak (source).
The Solution?
While there are many layers to cybersecurity, one of the most cost-effective solutions that all businesses can adopt is patching (source). Patching is a fancy way of saying “Update your machines regularly and systematically”.
When vendors like Microsoft discover vulnerabilities in their products, they send out fixes to “patch” the holes that hackers exploit. These fixes are sent out in the form of system and app updates. So those pesky “Software update available” prompts that you always click “apply later” on? They’re trying to keep you safe from bad actors. Best of all, these patches are issued free of charge by the software producer.
The problem is that too many people follow the flawed “apply later” ethos. The longer systems stay unpatched, the more vulnerabilities they accrue and the weaker they become. A typical telltale sign is the ‘update pending’ reminder on your device. When a large number of patches are outstanding, some software may crash continuously, simply because it’s lacking some important updates.
Many small businesses naively believe that they are simply ‘too small to be of interest’ to hackers. In reality, small businesses are the most appealing target to hackers. This is because they often don’t have the resources for a dedicated cybersecurity team and rarely patch their machines. The most effective solution is to have a patch management system in place.
Setting up a patch management system
- Clarify your goal. “To routinely and systematically check for, test and apply new software updates” sounds like a reasonable place to start.
- Take stock of all your assets. It’s all well and good updating all the machines you know you have, but if the long-forgotten server is sitting plugged in in the corner, gathering dust and missing updates, all your efforts will have been wasted. Make a list of every server, machine, router and internet-connected device you have.
- Write down your plan. Understand that most software developers have set days to release patches (e.g. Microsoft releases on Patch Tuesday). Use this information, as well as your own business’s habits, to decide when to apply relevant patches. Desktops, for example, may need consistent patching on the weekend, when they’re not in use. Bigger machines like servers may require more manual patching on a less frequent basis. That way more time is given to test out the new patches and ensure business continuity. A plan as simple as “I do all my patching first thing on our quiet Monday mornings” is a perfectly reasonable place to start.
- Test out patches. Patches could cause crucial software to behave differently, affecting business continuity. It’s vital to test out the software to ensure there’s minimal disruption.
- Roll out patches. Once you’re happy with the testing of the software updates, you can safely begin to apply them to their respective software, making sure to monitor the machines for unexpected changes.
- Review, Analyse and Improve. It’s no easy task following this process. It takes time. But making this a part of the standard business process will keep you as safe as possible.
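The inventory and schedule steps above can be checked with a short script. The following is an added example, not part of the original article: it works out the latest Patch Tuesday (Microsoft's second-Tuesday release day), assigns each asset a patch window and flags anything overdue or never recorded. The asset names, the status labels and the window policy (desktops on the first Saturday, everything else on the second Monday) are assumptions made for illustration.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

def last_release(today):
    """Most recent Patch Tuesday on or before `today`."""
    release = patch_tuesday(today.year, today.month)
    if release > today:
        prev = today.replace(day=1) - timedelta(days=1)
        release = patch_tuesday(prev.year, prev.month)
    return release

def next_weekday(start, weekday):
    """First date strictly after `start` on `weekday` (Monday is 0)."""
    return start + timedelta(days=(weekday - start.weekday() - 1) % 7 + 1)

def patch_window(kind, release):
    # Assumed policy: desktops first Saturday after release, others second Monday.
    if kind == "desktop":
        return next_weekday(release, 5)
    return next_weekday(next_weekday(release, 0), 0)

def review(inventory, today):
    release = last_release(today)
    report = {}
    for name, kind, last_patched in inventory:
        window = patch_window(kind, release)
        if last_patched is None:
            status = "UNKNOWN"      # never recorded: the forgotten server
        elif last_patched >= release:
            status = "OK"           # updated since the latest release
        elif today > window:
            status = "OVERDUE"      # window passed without an update
        else:
            status = "SCHEDULED"    # window has not arrived yet
        report[name] = (status, window)
    return report

# Constructed sample inventory: (name, kind, date last patched).
INVENTORY = [
    ("front-desk-pc", "desktop", date(2021, 3, 13)),
    ("mail-server", "server", date(2021, 2, 15)),
    ("old-file-server", "server", None),
]
for name, (status, window) in review(INVENTORY, date(2021, 3, 24)).items():
    print(f"{name:16} {status:10} window {window}")
```

Anything reported as UNKNOWN or OVERDUE is the item to raise in the review step, or with your IT provider.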
While this process seems lengthy and complicated (it is easier than it seems), there is software available to help ease the process along. Software such as Syxsense Manage or Pulseway helps to automate the process, significantly reducing the time requirements for patch management.
Surely, my IT provider takes care of Patch Management?
Many businesses opt to outsource their IT support to a local company. If this is the case, it is important not to assume that they have all the correct systems in place. We would advise a quick call to check in with your IT provider or Managed Service Provider to establish who is responsible for updating your computer environment and what methods they’re using to ensure your maximum safety. It is best to have these conversations proactively, rather than an awkward discourse following a cyber-attack that could easily have been prevented.
Did you know that a security audit can reveal if your patch management system is effective? Contact our team of trusted cyber professionals to discuss the value of a security audit.
Author: Leo Camacho / “Hundreds of Thousands”.