Agency chief information officers have new marching orders to further protect their systems and networks from the Microsoft Exchange vulnerability.
By April 5, agency IT and cyber executives must run the current version of Microsoft Safety Scanner (MSERT) in full scan mode and report their results to the Cybersecurity and Infrastructure Security Agency (CISA). And then weekly, for the next four weeks, they must download and run the latest version of MSERT and only report to CISA findings that may indicate a compromise.
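The weekly cycle the directive describes (fetch the current scanner, run a full scan, keep the whole log as evidence, extract only the lines that may indicate a compromise for the report) is the kind of task an Exchange administrator would script. The following PowerShell is an added example, not CISA's or Microsoft's code: the download link and the /Q and /F switches are taken from Microsoft's published Safety Scanner documentation but should be confirmed against the current release, and the log path, the detection pattern, the working directories and the JSON report layout are this example's own assumptions.

```powershell
# Added example: one weekly MSERT full-scan cycle on an Exchange host.
# Assumptions to verify against Microsoft's Safety Scanner documentation:
#   - $MsertUrl is Microsoft's 64-bit Safety Scanner download link
#   - msert.exe accepts /Q (quiet) and /F (full scan) and writes %SystemRoot%\debug\msert.log
#   - lines that indicate a detection match $DetectionPattern (assumed; adjust to the real log)
param(
    [string]$MsertUrl  = 'https://go.microsoft.com/fwlink/?LinkId=212732',
    [string]$WorkDir   = 'C:\MSERT',
    [string]$ReportDir = 'C:\MSERT\reports'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir, $ReportDir | Out-Null

# 1. Always download a fresh copy: the directive requires the latest version each week.
$Exe = Join-Path $WorkDir 'msert.exe'
Invoke-WebRequest -Uri $MsertUrl -OutFile $Exe -UseBasicParsing

# Refuse to execute a binary that is not validly signed by Microsoft.
$Sig = Get-AuthenticodeSignature -FilePath $Exe
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to run msert.exe: signature status is '$($Sig.Status)'"
}
$Version = (Get-Item $Exe).VersionInfo.ProductVersion

# 2. Full scan in quiet mode; the exit code and the log are the evidence to retain.
$Proc  = Start-Process -FilePath $Exe -ArgumentList '/Q', '/F' -Wait -PassThru
$Log   = Join-Path $env:SystemRoot 'debug\msert.log'
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$Base  = Join-Path $ReportDir "msert-$env:COMPUTERNAME-$Stamp"
Copy-Item -Path $Log -Destination "$Base.log"

# 3. Keep only lines that may indicate a compromise for the report to CISA;
#    the complete log was archived above for the investigators.
$DetectionPattern = 'Threat detected|Infected'   # assumed pattern
$Findings = @(Select-String -Path $Log -Pattern $DetectionPattern | ForEach-Object Line)

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    ScanTime     = $Stamp
    MsertVersion = $Version
    ExitCode     = $Proc.ExitCode
    FindingCount = $Findings.Count
    Findings     = $Findings
} | ConvertTo-Json | Set-Content -Path "$Base.json"
```

Run it from an elevated PowerShell session on each on-premises Exchange host and schedule it weekly for the four-week window; an empty Findings array means there is nothing to report, while the archived log remains available if a later review is needed.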
Additionally, by June 28, CIOs and chief information security officers must take seven steps to harden their Microsoft Exchange Server implementations, including adding firewall, identity management and other protections.
These new mandates come less than a month after CISA released its initial emergency directive. The supplemental directive, released March 31, says these additional steps are necessary despite a successful federal response to the threat.
“CISA is directing additional actions to identify compromises that may remain undetected. Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised,” CISA wrote in the supplemental. “CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening.”
Eric Goldstein, the executive assistant director for cybersecurity at CISA, told members of the House Appropriations Subcommittee on Homeland Security on March 10 that while it’s still early, there are “no civilian federal agencies that are confirmed to be compromised by this campaign.”
The supplemental guidance doesn’t suggest any change in that assessment.
Microsoft released the scanning tool March 15 to help organizations find and remove malware from Windows computers.
Most email is in the cloud
With 84% of all federal email in the cloud, according to December 2020 data on Performance.gov, this new supplemental is aimed mainly at the agencies that still run Exchange servers on premises, including the Office of Personnel Management and the departments of Energy, Treasury and Justice. It’s unclear how many small and micro agencies use on-premises email servers, but they would be an obvious audience for this directive too.
“Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity,” CISA stated.
Grant Schneider, the former federal chief information security officer and now a senior director for cybersecurity services at Venable, said while the Exchange incident has had minimal impact so far, the entire event highlights the need to modernize technology and maintain diligent security practices for shared services going forward.
“Clearly CISA has significant concerns with the security of these on-premise Microsoft Exchange environments,” he said. “Either they have continued to do research of ways to harden these environments, or they have seen an indication of exploitations and developed countermeasures. Either way, they have mandated to agencies, and recommended to industry, to implement these hardening measures.”
Schneider added that many of these hardening measures seem like ones that would fall under the cyber hygiene category.
“I’m pleased to see the focus on identity, particularly in light of the fact that the SolarWinds supply chain attack targeted identity and trust relationships,” Schneider said. “None of these are surprising, but they are now mandates versus just best practices. Some of these requirements showed up in various FISMA guidances over the years, but CISA is reinforcing the fact that these best practices are now becoming minimums to secure your systems.”
The hardening measures CISA is requiring include placing a firewall between the server and the internet, and adjusting security operations center capabilities so that all logs from the host operating system, Microsoft Exchange and the associated network devices are captured and stored for at least 180 days in a separate, centralized log aggregation capability that is available to, and actively monitored by, the agency SOC.
Additionally, CISA is asking those agencies participating in the Continuous Diagnostics and Mitigation (CDM) program to validate that their on-premises Exchange servers are visible to CDM information security continuous monitoring capabilities.
Agencies must report to CISA by June 28 on their efforts to meet the seven server hardening requirements.
CISA has released 15 emergency and binding operational directives since 2015.