Microsoft Exchange, SolarWinds, Verkada Breaches: Why Security Hygiene is More Important Than Ever

We are only a few months into 2021, and we’ve already had three headline cyber incidents: the SolarWinds Orion compromise, the attacks targeting zero-day vulnerabilities in Microsoft Exchange, and the Verkada hack (the impact of which we may not be able to fully comprehend for a while yet). These events remind us of the now well-worn security belief that a breach is inevitable. What ultimately matters is how much individuals and organisations can limit the impact of a breach and how important basic security hygiene is during a time of crisis.

Security hygiene is healthy security behaviours amplified through the implementation of supporting processes and technical controls. Thinking about the lifecycle of an attack – from recon through initial compromise and post-compromise activities – a target organisation’s continued investment in security hygiene makes it more challenging for an attacker to achieve their objectives by keeping them from target data and raising the chances of detection.

Looking at the three headline incidents mentioned in the context of security hygiene, we can identify areas that offer room for better care.

Verkada breach

Attackers were able to bypass privileged account management processes to acquire “super user” access to cameras across multiple customer sites. Further, customers that did not effectively segment cameras from the rest of their corporate network left open the opportunity for attackers to move laterally and compromise other assets.

Where good hygiene could have helped: improved overall account management that implemented role-based access control (RBAC) with least privilege across the board and leveraged MFA on highly privileged accounts, as well as lateral movement control and detection.

Exchange zero-day vulnerabilities

The existence of multiple unpatched vulnerabilities allowed for both the unauthenticated exfiltration of mailbox content and the upload of webshells to facilitate persistence and lateral movement.

Where good hygiene could have helped: blocking unnecessary traffic to/from Exchange servers, monitoring account creation and group management events, monitoring the outbound connection attempts to/from unknown destinations, and centralized collection of Windows events and IIS server logs.
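As an added illustration of the "monitoring account creation and group management events" item above (this is example code written for this page, not Illumio's or Microsoft's), the script below reads a handful of constructed Windows Security events in a simplified JSON form and raises alerts when an account is created on a server or added to a privileged group, with higher severity when the group addition follows a fresh account creation. The event IDs are the standard ones (4720 account created; 4728, 4732, 4756 member added to a global, local or universal security group); the host names, account names and privileged-group list are assumptions for the example, and the group list in particular should be tuned to your own environment.

```python
import json
from datetime import datetime, timedelta

# Standard Windows Security log event IDs.
ACCOUNT_CREATED = 4720                    # 4720: a user account was created
GROUP_MEMBER_ADDED = {4728, 4732, 4756}   # member added to global / local / universal security group

# Groups whose membership changes always merit review. Assumed list for the
# example; "Organization Management" is the Exchange top-level RBAC group.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Organization Management",
}

# Constructed sample events (not real log exports); one JSON object per line,
# already reduced to the fields the detection needs.
SAMPLE_EVENTS = [
    '{"time": "2021-03-05T10:00:00", "host": "EXCH01", "event_id": 4720, "subject": "svc_iis", "target": "svc_backup", "group": null}',
    '{"time": "2021-03-05T10:05:00", "host": "EXCH01", "event_id": 4732, "subject": "svc_iis", "target": "svc_backup", "group": "Administrators"}',
    '{"time": "2021-03-05T10:20:00", "host": "EXCH01", "event_id": 4624, "subject": "svc_backup", "target": "svc_backup", "group": null}',
    '{"time": "2021-03-05T11:00:00", "host": "DC01", "event_id": 4728, "subject": "adm.jane", "target": "bob", "group": "Domain Admins"}',
    '{"time": "2021-03-05T11:30:00", "host": "DC01", "event_id": 4732, "subject": "adm.jane", "target": "carol", "group": "Remote Desktop Users"}',
]


def parse_event(line: str) -> dict:
    """Parse one JSON event line and convert its timestamp to a datetime."""
    event = json.loads(line)
    event["time"] = datetime.fromisoformat(event["time"])
    return event


def detect_account_abuse(lines, window: timedelta = timedelta(minutes=30)) -> list:
    """Return alerts for account creations and privileged-group additions.

    Severity is 'low' for any account creation (worth a look on a server),
    'medium' for an addition to a privileged group, and 'high' when the
    account being added was created less than `window` earlier.
    """
    created_at = {}   # account name -> time the creation event was seen
    alerts = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["time"]):
        eid = ev["event_id"]
        if eid == ACCOUNT_CREATED:
            created_at[ev["target"]] = ev["time"]
            alerts.append({
                "severity": "low", "host": ev["host"], "account": ev["target"],
                "reason": f"account created by {ev['subject']}",
            })
        elif eid in GROUP_MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            born = created_at.get(ev["target"])
            if born is not None and ev["time"] - born <= window:
                minutes = int((ev["time"] - born).total_seconds() // 60)
                severity = "high"
                reason = f"new account added to {ev['group']} {minutes} min after creation"
            else:
                severity = "medium"
                reason = f"account added to {ev['group']} by {ev['subject']}"
            alerts.append({
                "severity": severity, "host": ev["host"], "account": ev["target"],
                "reason": reason,
            })
        # Logons (4624) and non-privileged group changes are ignored here;
        # a fuller pipeline would keep them for correlation.
    return alerts


if __name__ == "__main__":
    for alert in detect_account_abuse(SAMPLE_EVENTS):
        print(f"[{alert['severity']:<6}] {alert['host']}: {alert['account']} - {alert['reason']}")
```

Run against the constructed events, this produces three alerts: a low-severity creation of `svc_backup` on EXCH01, a high-severity alert five minutes later when that same account lands in the local Administrators group, and a medium-severity alert for `bob` being added to Domain Admins. The logic only works if the events from every Exchange server and domain controller arrive in one place, which is the "centralized collection of Windows events" point made above.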

SolarWinds Orion compromise

The compromise of a vendor’s packaging process allowed for the delivery of a software update containing a Trojan backdoor that granted attackers direct access to customers running Orion; attackers then leveraged privileged access (granted by the Orion Platform) to penetrate further into the target network.

Where good hygiene could have helped: blocking unnecessary traffic from SolarWinds Orion NPM servers to the Internet and monitoring accounts granted least privilege.

Improve cyber hygiene with micro-segmentation

This list shows us that basic security hygiene can be beneficial even when nation-states are the presumed attackers. These straightforward practices serve to push the antagonists into the open, increasing the chance that alarm bells will ring and the incident can be contained.

Some of the technologies used to achieve cyber hygiene are more complex and take longer to implement than others. For example, full implementation of privileged access management technology at scale in a global network may take significantly longer than deploying host-based microsegmentation, which does not require any network changes or re-architecture on the hosts and workloads.

In this case, the microsegmentation control, being quicker to deploy and also highly effective, is both an essential lateral movement prevention control and a compensating control while the privilege management deployment is ongoing.

Illumio’s microsegmentation solution helps improve cyber hygiene by providing:

  • Significantly enhanced visibility into data centre traffic flows and further data to assist with detecting unauthorised lateral movement.
  • Microsegmentation policies to limit the exposure into and out of your most critical assets. In the case of Exchange, this includes following Microsoft’s own best practice of locking down access to only necessary ports. See the Microsoft Security Blog for more information.

The bottom line is that organizations are often unaware of vulnerabilities that cause breaches. Focusing on what you can control – like good security hygiene – will result in a stronger organizational security posture. The recent headline-making cyberattacks further highlight the need to adopt Zero Trust principles to limit lateral movement and achieve better breach control.

To learn more about how microsegmentation helps improve monitoring and protection of Exchange and other critical infrastructure, check out:
