The Microsoft Exchange vulnerability debacle, which has been reported on extensively by The Hacker News, Krebs on Security, Threat Post, and others, does not seem to be going away any time soon. It has led me to question the wisdom of opening up these types of corporate email services to the internet in the name of ease of doing business.
Web application vulnerabilities are ubiquitous these days. Every time you turn around there is another one, either in the application itself or in the underlying framework it runs on. For most websites, regular patching and security reviews are enough to keep things relatively secure; put a web application firewall (WAF) in front and it is better still. Unfortunately, someone blowing up your WordPress blog isn’t the same as someone getting into your corporate email system, reading correspondence, and using that foothold to pivot to other platforms.
This raises the question: should companies be exposing these types of critical services to the internet via their built-in web applications?
I think the answer should be a resounding no at this point. I understand that this will make it harder for people to get at their email. They might need to VPN into the corporate network first. Or the corporate IT department may need to invest in third-party applications that abstract the email access, so that a device outside the corporate network never talks to the native email platform directly. This is absolutely possible, and I have seen it done in corporate environments with hundreds, if not thousands, of users.
Making this type of change requires investment in the right infrastructure, along with educating users about why the changes are being made. There will be resistance, but it can be overcome, and it is better to work through the resistance than to be the subject of a headline on the sites mentioned above.
The moral of the story? Know your risk appetite. If you can’t stomach your email system being compromised, don’t expose the mailbox web access platform to the public internet. Look at all of your other web-facing applications the same way: if you can’t imagine dealing with a breach of one of them, lock it down and put it behind hardened defenses.
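A practical first step toward that advice is knowing exactly which of these endpoints answer from the public internet. The script below is an added example, not code from the original post: it probes a list of hostnames for the default Exchange virtual directory paths (an assumption; these are the standard names and will differ if they have been renamed) and reports which hosts still expose them. The hostnames and response table it ships with are constructed sample data so that it runs offline; pass real hostnames on the command line to probe them over HTTPS from wherever you run it.

```python
"""Audit which Exchange web endpoints a set of hostnames exposes.

Added example, not from the original post.  Assumptions: the virtual
directory paths below are the Exchange defaults, and any reply other
than a 404 (a 200, a 401 login prompt, a 5xx error) means the web
front end is reachable from wherever this script runs.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Default Exchange virtual directories (assumption: not renamed).
EXCHANGE_PATHS = [
    "/owa/auth/logon.aspx",
    "/ecp/",
    "/EWS/Exchange.asmx",
    "/Microsoft-Server-ActiveSync",
    "/autodiscover/autodiscover.xml",
]


def classify(status: int) -> str:
    """Turn an HTTP status (0 = nothing answered) into an exposure verdict.

    Anything that answered, including a 401 login prompt or a 5xx error,
    is 'exposed': the pre-authentication surface is what an attacker hits.
    Only a 404 shows the path is not routed to Exchange at all.
    """
    if status == 0:
        return "unreachable"
    if status == 404:
        return "absent"
    return "exposed"


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """HEAD the URL and return its status code, or 0 if nothing answered."""
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "exchange-exposure-audit"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a code
        return err.code
    except (urllib.error.URLError, OSError, ValueError):
        return 0


def audit(hosts: List[str],
          fetch: Callable[[str], int] = fetch_status) -> Dict[str, Dict[str, str]]:
    """Probe every Exchange path on every host; returns host -> path -> verdict."""
    return {
        host: {path: classify(fetch(f"https://{host}{path}")) for path in EXCHANGE_PATHS}
        for host in hosts
    }


def exposed_hosts(report: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts with at least one reachable Exchange endpoint, sorted."""
    return sorted(
        host for host, verdicts in report.items()
        if any(v == "exposed" for v in verdicts.values())
    )


# Constructed sample responses so the demo runs offline (not real hosts).
SAMPLE_RESPONSES = {
    "https://mail.example.com/owa/auth/logon.aspx": 200,
    "https://mail.example.com/ecp/": 401,
    "https://mail.example.com/EWS/Exchange.asmx": 401,
    "https://mail.example.com/Microsoft-Server-ActiveSync": 401,
    "https://mail.example.com/autodiscover/autodiscover.xml": 401,
}


def sample_fetch(url: str) -> int:
    """Stand-in for fetch_status: the vpn-only host never answers, unknown paths 404."""
    if url.startswith("https://vpn-only.example.com"):
        return 0
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    targets = sys.argv[1:]
    fetcher = fetch_status if targets else sample_fetch
    targets = targets or ["mail.example.com", "www.example.com", "vpn-only.example.com"]
    result = audit(targets, fetch=fetcher)
    for host, verdicts in result.items():
        for path, verdict in verdicts.items():
            print(f"{host:28s} {path:34s} {verdict}")
    print("hosts exposing Exchange:", ", ".join(exposed_hosts(result)) or "none")
```

A 401 or 403 still counts as exposed: the login prompt is the pre-authentication surface, and any bug in the web front end that is reachable before logon is reachable by whoever can load that page. Autodiscover and ActiveSync are the endpoints most often left open for mobile devices; that is exactly the traffic the third-party abstraction layer mentioned above is meant to take over, so treat them as findings rather than as exceptions.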