As we pass the halfway mark of 2022, known vulnerabilities continue haunting companies that have been slow to patch and update. So, when you're given advance warning of future problems – such as with Microsoft Exchange Server 2013 – you need to take advantage of it and prepare. But, more on that later.
While regular readers of this blog are (hopefully) fully up-to-date, mergers and new vendors often hide unpleasant IT surprises.
As we move forward into the second half of the year, take a few minutes to reflect on where your security stands, and what issues might remain. It’s a time to resolve to be immune to old problems and prepare for new challenges ahead.
Where does your cybersecurity stand?
The Pain of Known Vulnerabilities
While reminders to update and patch known vulnerabilities abound, those who actually keep their systems up-to-date remain in the minority, and it remains a huge problem.
Researchers found that 82% of successful attacks on organizations in Q1 of 2022 occurred when attackers exploited known vulnerabilities.
Not only are unpatched systems more commonly attacked, but the damage tends to be worse, as well. In fact, attacks exploiting known vulnerabilities cost 54% more in damage and recovery expenses than attacks resulting from employee mistakes.
The Cybersecurity and Infrastructure Security Agency (CISA) warned that unpatched VMware Horizon and Unified Access Gateway servers were under active attack through the Log4Shell vulnerabilities.
Patches to address the issue have been available for several months, so if you haven’t corrected yours, now is the time.
In addition, many attackers still find Microsoft Exchange servers vulnerable to ProxyShell and ProxyLogon attacks – even though patches were issued months ago.
If you fall victim through one of these older issues, you could be in for even more unwelcome surprises. Unmitigated issues that old can trigger negligence claims from your cybersecurity insurer or during data breach lawsuits.
Now is a good time for a reminder: even on unpatched systems, many of these attacks could have been prevented by implementing multi-factor authentication (MFA).
Bye-Bye Microsoft Exchange Server 2013
If you use Microsoft Exchange Server 2013, you should probably start making some transition plans.
There are only 9 months of support left for the platform, which reaches end-of-life on April 11, 2023. For some Microsoft Exchange 2013 owners, this is an opportunity to consider a move to cloud-based Microsoft 365, while others will want to upgrade their local server.
Choices currently remain limited for upgrades. While Exchange Server 2016 remains available, you’ll probably want to upgrade to Exchange Server 2019. A newer version of Exchange isn’t due for release until 2025.
A third option for transition is Microsoft’s Exchange cloud email platform. This is essentially just the Exchange portion of Office 365, but it allows you to migrate only your Exchange functions, leaving the rest of your licenses as-is.
If you remain undecided, Microsoft Exchange 2013 will continue to function past next April. But, know that running it past the deadline poses significant risks to your organization.
Considering the large number of attacks and known vulnerabilities for on-site Exchange installations, your IT managers should begin investigating upgrade options immediately.
By starting now, IT managers can explore multiple options, perform testing, and execute a transition period with ease. Waiting until the last minute leads to higher costs, rushed implementations, and the potential for business disruption and misconfiguration issues.
Exchange Cloud Credentials Requirements Change
If you’ve already moved to cloud-hosted versions of Microsoft Exchange, CISA recommends an immediate discontinuation and blocking of Basic Authentication (aka: Basic Auth).
Basic Auth uses unencrypted HTTP, meaning attackers can intercept plain-text credentials sent to servers, endpoints, or online services. It’s also vulnerable to password spray attacks.
Making the situation even more difficult, Basic Auth does not work well with MFA.
Instead, government agencies must use Modern Authentication (AKA: Modern Auth). And, though not legally required to use it, private sector companies are strongly encouraged to, as well.
Modern Auth is a combination of Active Directory Authentication Library and OAuth 2.0, which uses tokens for authentication. The tokens have limited lifetimes and cannot be used on other resources or after they expire.
While blocking Basic Auth is currently only a recommendation for the private sector, Microsoft has also announced that it will disable Basic Auth for randomly selected tenants starting October 1, 2022.
Extensions will not be available, so customers should start making preparations now, before the chaos of a forced transition.
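For administrators who want to get ahead of the forced transition, the switch from Basic Auth to Modern Auth in Exchange Online is controlled through authentication policies. The following PowerShell session is an added example, not code from the original post or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed, an account with Exchange administrator rights, and uses a placeholder policy name and a constructed pilot mailbox address.

```powershell
# Added example: audit and block Basic Authentication in Exchange Online
# using an authentication policy. Assumes the ExchangeOnlineManagement module
# and an Exchange administrator account. Policy name and pilot address are
# placeholders, not values from the original post.
Connect-ExchangeOnline

# 1. Audit: list existing policies and which one (if any) is the tenant default.
#    A policy with AllowBasicAuth* switches set to True still permits Basic Auth
#    for that protocol (POP, IMAP, SMTP, ActiveSync, Outlook, PowerShell, ...).
Get-AuthenticationPolicy | Format-List Name, Allow*
(Get-OrganizationConfig).DefaultAuthenticationPolicy

# 2. Create a blocking policy. New-AuthenticationPolicy leaves every
#    AllowBasicAuth* switch at $false unless you pass it explicitly, so a bare
#    call blocks Basic Auth for every protocol.
$policyName = "Block Basic Auth"   # assumed placeholder name
New-AuthenticationPolicy -Name $policyName

# 3. Roll out in stages: assign the policy to a pilot mailbox first, confirm
#    that its Modern Auth clients keep working, then make it the tenant default.
Set-User -Identity "pilot.user@example.com" -AuthenticationPolicy $policyName   # constructed address
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Verify: report any protocol for which the policy still allows Basic Auth.
$policy = Get-AuthenticationPolicy -Identity $policyName
$stillAllowed = $policy.PSObject.Properties |
    Where-Object { $_.Name -like "AllowBasicAuth*" -and $_.Value -eq $true }
if ($stillAllowed) {
    "Basic Auth still allowed for: " + ($stillAllowed.Name -join ", ")
} else {
    "Basic Auth blocked for all protocols under policy '$policyName'."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Staging the assignment (pilot user before tenant default) is the point of step 3: any legacy client or scheduled script still relying on Basic Auth surfaces as a failure for one mailbox rather than for the whole organization, which is exactly the disruption a forced cutover would cause.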
Avoiding Problems Old and New
There’s no reason to remain exposed to old vulnerabilities, stick with obsolete software, or wait until the last second to make infrastructure transitions.
Not only does this put your business at risk of attack, but you also risk forfeiting the right to any cyber-insurance claims.
Updating and patching known vulnerabilities remains one of the easiest, least expensive, and most effective ways to keep your business safe from attacks.
With that said, we understand keeping up with the latest news and updates can feel like an overwhelming task. Fortunately, there’s no reason you need to go it alone.
Outsourcing can help your team understand their options well and execute transitions quickly.
Simply contact us at 412-349-6680, or fill out the form below, for a no-obligation consultation about any outstanding issues within your organization.
Our experts can outline short-term and long-term options to detect existing vulnerabilities, patch systems, mitigate unpatchable vulnerabilities, upgrade Exchange servers, transition to Modern Auth, and much more.