Cybersecurity Lessons From The Microsoft SharePoint Hack
Pythia Cybersecurity co-founder, John Sebes, has some thoughts about the Microsoft SharePoint hack that we reported on last week in the 'litany of the hacked.'
You can contact us to talk with John at greater length and about your specific issue.
Here is John's perspective on this hack:
The latest massive cyber-attack is broad and dire, but it has important cybersecurity lessons for everyone: how to avoid doom and gloom, and how to focus on the high-value to-dos that everyone should do -- especially important for smaller companies whose leadership's lack of focus on security is based on inaccurate beliefs about the low likelihood of being targeted by cyber-criminals. In fact, everyone is a target, and the SharePoint incident shows why.
In this case, the companies that are vulnerable are those that run Microsoft SharePoint, a very commonly used system for people across a company to share documents and many kinds of files. The vulnerability was discovered by cyber-attackers first (a so-called "zero-day attack"), and as a result the vulnerability applies to every instance of SharePoint on a corporate network connected to the Internet. During the three days that it took for a security patch to arrive, there was ample time for attackers to permanently compromise every available self-hosted instance of SharePoint on the planet.
To get to the doom and gloom, and then beyond it, focus on those two key words: permanent, and every. This attack's results are permanent because it uses several techniques that ensure the attacker retains access to the target system even after the security patch has been applied: the attackers' access is persistent. Every vulnerable system is a target, even if someone at a target company thinks that they are not a valuable target to attackers. It is not as if attackers are sitting around reviewing some list of targets, choosing the good ones, and then rolling up their sleeves to attack them. Instead, identifying targets and performing the attack are automated. If you're vulnerable, you're hacked. Microsoft's guidance on this attack was blunt: if you have SharePoint on your corporate network connected to the Internet, you should assume that you've been compromised, and act accordingly.
The only question for vulnerable companies is when and how the attackers will use the access to monetize it, either through extortion, or stealing data that they can sell, or selling the access to other adversaries who can then monetize it.
What does this incident have to offer in the way of useful lessons going forward? Preparedness is one, and so is overcoming a common (and potentially very expensive) misperception: that preparedness is expensive or difficult. In fact, any organization, even one without dedicated security staff or budget, can and should put together an incident response plan based on a simple self-assessment to decide what's really important to protect and detect. Sadly, some organizations do recognize the basic situation -- if you become vulnerable, you will be hacked -- but take no action because they think that they lack the skills. That's nearly always wrong. They might need some outside assistance to structure the assessment and codify a plan, but the cost and effort need not be large, nor beyond the capabilities of existing staff to manage going forward.
So, whether or not you use SharePoint and have already done a post facto response, you can and should build your team's ability to respond to the next cybersecurity vulnerability.