What was so striking to Microsoft’s president about SolarWinds and Exchange Server attacks?
Basic cybersecurity concepts could have prevented or at least substantially reduced the risk of being penetrated during the recent SolarWinds or Microsoft Exchange Server incidents. Microsoft president Brad Smith listed six things that every business should do to mitigate the risk of cyberattacks.
A single package of code can cause disproportionate damage, Smith said during the Cipher Brief webinar this week.
“When you think about the nuclear weapon, it changed the impact of a single bomb and what it could do to the world. When you think about terrorism, it changed the impact of a single individual and what that person could mean for the safety of a community. And then, if you think about where we are today, well, now it is about code. In some ways, we are thinking and seeing about what a single package of code can do in a disproportionate way. All three things have one thing in common - a single tip of a spear, so to speak, can have this disproportionate adverse impact on the safety and security of our country. I think that sort of frames the challenge that we need to be thinking about now,” he said.
According to Smith, we need to prepare for more cyberattacks. A relatively small number of nation-states are currently engaging in aggressive actions; Smith named Russia, China, Iran, and North Korea. However, cyber proliferation could accelerate, especially as governments become able to buy cyber tools or cyber weapons rather than build them.
“It is not a bad idea to start asking ourselves what it is, for example, about the recent incident with SolarWinds that was different. I would say two things. One is it was a very broad-based intrusion into the software supply chain. Obviously, what they were successful in doing was planting malware into a software update that went potentially to 38,000 customers around the world. As it turns out, it was downloaded by 18,000 customers or so. The world we are going to see probably has half a billion apps created in the next three years; that's a lot of potential points of vulnerability,” Smith said.
The second thing that was so special about SolarWinds is that it “really was an extraordinary array of engineering processes and expertise then thrown at the use of this malware to pursue espionage against specific targets”.
According to Microsoft’s president, companies, especially small or mid-sized ones, are better off running their servers in the cloud, relying on Microsoft, AWS, Google, or other providers with dedicated, competent engineering teams focused on security full time.
“I think you are better off using cloud resources of others rather than in effect building your own through on-prem technology. And then it comes down to a relatively short list of cyber best practices,” he said.
Smith said that anybody could learn the basic cybersecurity concepts that would substantially limit the risk of potential attacks.
“One of the things that was so striking to us in reviewing the 60 victims that we saw among our customers for SolarWinds of this recent Hafnium attack, is that there are six things that basically would have either prevented or mitigated risks substantially,” Smith said.
What are they?
“It's ongoing patching, using multi-factor authentication, using anti-malware software, basically time-down your devices and authenticating your devices, it's really managing the credentials, especially of the people who have elevated privileges, your network administrators, and storing their credentials and passwords either securely on a hardware key or in a cloud, but not on a server itself, which can be penetrated. Finally, it's this concept of least privileged access, meaning give a network administrator the access to the services they need to do their job and no more,” he said.
Recently, the CyberNews investigation team found 62,174 potentially vulnerable unpatched Microsoft Exchange Servers. The vulnerability is still being actively exploited, most notably by China-linked threat actors. Brandon Wales, acting director of CISA (the Cybersecurity and Infrastructure Security Agency), warned that systems that have since been patched may already have been compromised if attackers breached them before the update was applied.
“You should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that,” he said.