Another major cyber issue is making the rounds this week – the Microsoft Exchange vulnerabilities published last week. The issue is the known exploitation of a set of unpublished vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-26858). These vulnerabilities are being used to attack on-premises versions of Microsoft Exchange Server. They can be used to access email accounts, as well as allowing your exchange server to host malware that facilitates other advanced persistent attacks. Tens of thousands of MS Exchange Server customers are at risk.
From a cyber attack perspective the relationship between this attack and last year’s Solarwinds attack couldn’t be more different. But from a cyber defense perspective, they couldn’t be more similar…
Both the Solarwinds and Exchange attack are on 3rd party (Supply Chain) servers in organizations. It is impossible for any organization to actually protect themselves against these attacks before they were exploited. In the standard mitigation view – these types of attacks prove you cannot perfectly protect yourself against attack. Therefor you need to focus on the respond and recover phases of the NIST cyber security framework. This highlights the difference between a risk management approach to cyber security vs. a standard mitigation view of cyber security. A risk management approach takes into account that you can’t protect yourself – but you can lower the risk of being harmed from such an attack:
- Minimize impact of the attack
- Minimize exposure to the attack (i.e., minimize the probability a successful attack)
As I wrote in an earlier post on supply chains risks – risk (attack and threat) scenarios are the way to predict and prioritize potential attacks. Automating risk scenarios enables organizations to get an overall assessment of their actual cyber risk, appropriate remediation evaluation – and the insight on how to deploy resources accordingly. This is very different to the standard, simplistic “checklist” approaches to supply chain risk management. Both Solarwinds and Microsoft could pass any standard “trusted provider checklist” with flying colors no matter how detailed. Not that you shouldn’t do these types of supply chain assessments – but realize that they will only lower the perceived risk from using incompetent vendors – not the risk of an actual supply chain attack.
The interesting part is that automated risk scenarios aren’t just about risk management of supply chain attacks – they can be used to for operational risk management all proactive cyber defneses – from simple to complex.