Latest News

The Microsoft Exchange exploit: A four-step response plan

The Microsoft Exchange exploit: A four-step response plan

Arcas Risk Management managing partner and founder Robert Fitzgerald talks us through the four steps that firms must go through to assess and remedy their exposure to the recent Microsoft Exchange attacks.

Cybersecurity experts are warning that legal organisations must take no chances when identifying and remedying weaknesses that are being used in a growing number of ransomware campaigns, with hackers in particular yet to get to many of the machines hit by the recent Microsoft Exchange exploit.

Microsoft said at the start of March that it had detected multiple zero-day exploits being used to attack on-premises version of Microsoft Exchange Server. Microsoft warned that malicious actors are taking advantage of vulnerabilities to access email accounts and instal malware, with the tech giant urging its customers to patch all affected systems and proactively hunt for ‘related activity’ in their environment.

Speaking to Legal IT Insider, Robert Fitzgerald, founder and managing partner of Arcas Risk Management, said: “Right now, organisations are struggling with Microsoft Exchange. The problem is that so many legacy applications lean on the SMTP relay and other functionality of Exchange so you can’t get rid of it. We’re getting calls now from organisations asking, ‘how do we know we’re safe’, and the reality is that they are not.” Perhaps unsurprisingly, Fitzgerald has seen a significant uptick in organisations turning to Arcas’ on demand response program although he adds: “What we are seeing is that so many machines were hit with this zero-day exploit that the hackers haven’t had a chance to get round to many of them yet.”

While it’s difficult to have a sense of just how many firms are affected, Fitzgerald says every one should think of the problem in four stages:

1) Visibility

You need to understand how big the problem is and how many machines are or might have been affected. Is it one box and the hackers haven’t had a chance to get beyond that, or people and machines across your environment?

2) Security

You need to make sure that you have adequate back up, and Fitzgerald says: “Most small to mid-sized firms don’t have proper backup, which should include all client files, finance applications and emails: they should have backup for everything. Too often the back-up is encrypted or out of date.” Security also includes asking ‘what tools do we have in place to protect us from ransomware?’ Fitzgerald observes: “Ransomware is becoming the play – it’s really profitable.” If a company doesn’t have backups and the server is critical or the spread is wide, they typically pay.

3) Control

How do you start to clean up and regain ownership of your data? “That’s one of the things a lot of law firms should be doing, and multi-factor authentication is an absolute requirement,” says Fitzgerald. He adds: “I’ve worked with some very large law firms that don’t do MFA because it’s a pain the neck, which is an absolutely huge mistake.”

4) Remediation

Once firms regain control of their data, they need to continue their focus on MFA and privileged access management. Fitzgerald says: “A lot of organisations will say ‘if you’re a remote worker, you have to use MFA, but if you’re in the office, you don’t.’ That’s completely useless because you being an office workers doesn’t stop you from downloading a virus. MFA is important because it identifies who you are and where you’re at. If we see you are logged in at your computer but then we see you’re logged in somewhere else moments later, we know there’s probably a hacker.”

Fitzerald describes the four-steps with an analogy: “Imagine being a fire fighter and you see a building burning. You need to understand how it’s burning. You need to know ‘what do we have to do protect ourselves.’ And we need to know that we have place to move people to. Once they are safe, we need to isolate where the fire is. Finally, we need to bring in the fire marshal to determine how the fire started; whether there is a risk of it restarting; and start rebuilding what’s damaged. We need visibility, security, control, and remediation.”

Stay tuned for our forthcoming article on managing your supply chain risk. To sign up for bulletins and keep in touch with our news Click Here