What to consider after running patches for the Exchange Server hack


More updates are trickling in daily about the compromise of on-premises Microsoft Exchange Servers that Microsoft has attributed to Hafnium, a group it assesses to be state-sponsored and operating out of China. The intrusions chained four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, collectively known as ProxyLogon) and are already estimated to have affected hundreds of thousands of servers worldwide. Companies are scrambling to install the security patches and to contain the damage this large-scale campaign has already caused.

Reports on March 12 suggested that over 98,000 servers were still running unpatched software. That same day, the UK’s National Cyber Security Centre (NCSC) reported that there were between 7,000 and 8,000 vulnerable servers in the UK, of which roughly half were still unpatched at the time.

The vulnerabilities affect on-premises Microsoft Exchange Server 2013, 2016 and 2019 (Exchange Online is not affected). Because of the seriousness and scale of the attacks, Microsoft made the unusual exception of also releasing security updates for older, unsupported cumulative updates of those versions and for the out-of-support Exchange Server 2010, so that administrators could patch without first upgrading.

What to do if your company is affected by the Exchange Server hack

Running the emergency patches alone will not be sufficient in many cases: the updates close the vulnerabilities, but they do not remove the web shells, accounts or other persistence that attackers left behind on the thousands of servers they had already penetrated before the patches shipped. That’s why you should take more precautions by also doing the following:

  1. Thoroughly check your servers for signs of compromise (web shells in the Exchange and IIS web directories, suspicious entries in the HttpProxy, ECP and event logs, unexpected processes or scheduled tasks), and make sure adequate backups are in place before you change anything, so that forensic evidence is preserved

  2. Reset passwords and other credentials that an attacker with access to the server could have captured, including service accounts and any Exchange-related secrets, and rotate them again once the server is known to be clean

  3. If you detect a breach, report it to law enforcement and to your national data protection authority within the statutory deadline (72 hours under the GDPR)

  4. Restore from a backup taken before the intrusion, or rebuild the system from a clean image where compromise is confirmed; simply deleting the artefacts you found is not enough

  5. Look at tools that can help mitigate data protection risks going forward, such as email data protection solutions like Zivver
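The checks in step 1, as an added example that is not part of the original post and not Microsoft’s own tooling: a first-pass triage run in the Exchange Management Shell on an on-premises Exchange 2013/2016/2019 server. The web-shell directories and the log queries follow the indicators Microsoft published in its HAFNIUM guidance; the `$since` review window is an assumption and should be set to your own earliest plausible exposure date. Microsoft’s `Test-ProxyLogon.ps1` (in its CSS-Exchange GitHub repository) and the Exchange On-premises Mitigation Tool perform these checks more thoroughly, so treat this as a way to understand what they look for rather than a replacement.

```powershell
# Added example (not from the original post): first-pass ProxyLogon triage for an
# on-premises Exchange 2013/2016/2019 server. Run in the Exchange Management Shell
# as an administrator. Read-only: it lists findings and changes nothing.

$since = Get-Date '2021-02-26'              # assumption: start of the window to review
$exchangeRoot = $env:ExchangeInstallPath    # set by Exchange setup, e.g. C:\Program Files\Microsoft\Exchange Server\V15\

# 1. Patch level. AdminDisplayVersion only reflects the Cumulative Update; the file
#    version of ExSetup.exe changes with each Security Update and is what to compare
#    against the fixed builds listed in Microsoft's advisory.
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
(Get-Item (Join-Path $exchangeRoot 'bin\ExSetup.exe')).VersionInfo |
    Select-Object FileVersion, ProductVersion

# 2. Web shells. These are the directories the HAFNIUM web shells were written to;
#    script files created or modified there inside the review window need inspection.
$shellDirs = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth')
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
    'C:\inetpub\wwwroot\aspnet_client'
    'C:\inetpub\wwwroot\aspnet_client\system_web'
)
Get-ChildItem -Path $shellDirs -Recurse -Include *.aspx, *.asmx, *.ashx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object FullName, LastWriteTime, Length

# 3. CVE-2021-26855 (SSRF): HttpProxy requests with no authenticated user whose
#    AnchorMailbox has the form ServerInfo~<host>/<path>. Legitimate traffic does not
#    look like this, so every hit is worth following up.
$httpProxyLogs = Join-Path $exchangeRoot 'Logging\HttpProxy'
Get-ChildItem -Path $httpProxyLogs -Recurse -Filter '*.log' |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
    Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox

# 4. CVE-2021-26857 (Unified Messaging deserialization): exploitation shows up as
#    InvalidCastException errors from the UM service in the Application event log.
Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -After $since |
    Where-Object { $_.Message -like '*System.InvalidCastException*' } |
    Select-Object TimeGenerated, Message

# 5. CVE-2021-27065 (arbitrary file write via ECP): the web shells were dropped by
#    abusing Set-*VirtualDirectory. Genuine administrative changes also appear here,
#    so match each hit against your own change records.
$ecpLogs = Join-Path $exchangeRoot 'Logging\ECP\Server\*.log'
Select-String -Path $ecpLogs -Pattern 'Set-.+VirtualDirectory' |
    Select-Object Filename, LineNumber, Line
```

A hit in any of sections 2 to 5 means the server should be treated as compromised regardless of its patch level: isolate it, preserve the logs and the suspicious files before removing anything, and move on to the credential reset and rebuild steps above.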

More attacks will come, but sensitive data can be safeguarded

Benjamin Franklin once famously said that “in this world, nothing is certain except death and taxes”. Well, you can add hacking attempts to that short list, because it’s really not a question of whether they will occur, but of how often and how severe they will be.

In fact, the Hafnium campaign is the eighth time in the last twelve months that Microsoft has publicly disclosed nation-state groups targeting public and private sector institutions; the next one is probably just a few news cycles away.

When looking at additional ways to safeguard your sensitive data, some are inclined to think that Big Tech is the most secure option, but what happens if your solution provider can inadvertently put your data at risk?

How to prevent access by vendors and other third parties

Many people have a false sense of security when it comes to data protection and believe that if data is encrypted, no unauthorized person can access it. Encryption in transit and at rest does protect against some attackers, but it protects only against those who do not hold the keys; if your provider holds them, then anyone who compromises, coerces or works inside that provider is not stopped by the encryption at all.

Most organizations don’t want third parties to be able to access their data. That’s why they often ask vendors: ‘Do you encrypt my data?’. The answer to that question is usually yes. This is actually not the right question to ask, as encryption is often not the primary concern and many solutions will provide some form of encryption.

It is, however, essential to understand what happens with regard to key management: who holds your organization’s keys, and therefore who is able to decrypt the data? The question to ask should therefore be: ‘Do you encrypt my data, and can you ensure that only my organization and my recipients hold the keys needed to decrypt it?’ The ideal outcome is that only those you intend to hold a specific key can access the (part of the) data it protects, and no one else.

The common answer to that question, however, is unfortunately almost always ‘No’, which makes the solutions provided by those vendors:

  • Vulnerable to insider threats. Employees who develop or manage the system, and usually those helping clients, have (indirect) access to the keys and thus to the data. The 2020 Twitter hack showed what an attacker can do once they gain access to employee-level internal tools.

  • Attractive to hackers. There is often a single place where the keys to a great deal of sensitive data are stored, which makes the vendor a high-value target.

  • Subject to governmental data requests. As the keys are available to the vendor, it can (and in some countries must) decrypt and share your data with government agencies upon request, without your involvement. Since the EU-US Privacy Shield was invalidated in July 2020 (the Schrems II ruling), this should be of particular concern to more companies.

As a result, really improving your email data security requires preventing access by vendors and other third parties like hackers and government agencies. This means using solutions such as Zivver that don't retain access to your keys or the keys of the people you shared data with. This minimizes the risk of your sensitive information inadvertently ending up in the wrong hands, providing an enhanced level of protection.

Want to learn more about email data protection solutions and how they work?

Check out our recent webinar hosted by Scott Daly.

In it he explains the need for people to re-evaluate their email security, and gives you nine reasons why you should.

You can watch it now here.



Written by

Kate O'Neill

Originally published on March 19, 2021

Last update on March 31, 2021