Because of that one cobbled-together system, or old network MFP that sends to mail, that's needed for a whole bunch of stuff, can't authenticate, and someone decided it's too expensive to replace for such a small attack surface. Until the problem costs more than the solution, large organizations don't move, by design. This is usually officially the benchmark: what costs more.
In my experience, there’s a random server that nobody knows who maintains it offhand, including the person who maintains it. People ask, and it just doesn’t go anywhere. Until something like this happens. It’s nothing to do with costs, it's just an oversight.
> there’s a random server that nobody knows who maintains it offhand, including the person who maintains it
It makes no sense that you'd keep an insecure service because you forgot someone needs it. You turn it off and the reminder will promptly come to you. After this it's a decision, not oversight.
> It’s nothing to do with costs, its just an oversight
The article suggests that their internal unauthenticated SMTP was there by design, not oversight, together with an authenticated (presumably external) one. Some assessment deemed addressing the risk from the unauthenticated internal one not worth the cost and effort.
> People connecting through our VPN have access to an internal-only SMTP gateway machine that doesn't require SMTP authentication [...] previous phish spammers have exploited some combination of webmail and authenticated SMTP.
> It makes no sense that you'd keep an insecure service because you forgot someone needs it. You turn it off and the reminder will promptly come to you. After this it's a decision, not oversight.
You’re assuming an org that had a policy in place for this which was followed all along, and not that it’s a piecemeal service barely held together by dreams and prayers. My experience with university IT departments is there’s an _incredible_ amount of “dunno who that belongs to but don’t touch it because it might be important” going on.
> there’s an _incredible_ amount of “dunno who that belongs to but don’t touch it because it might be important”
Right, so not an oversight, but a decision not to touch the obscure system. Decisions with bad outcome aren't oversight unless you want to downplay them when justifying yourself.
Your SMTP gateway is never "that" system that nobody knows about. You must know who owns and manages it, you know you have to secure it (minimal measures like... authentication) so you don't get unceremoniously penetrated. And if you do it you may or may not realize that something will fail because of the extra security.
If you know that "one cobbled together system, or old network MFP" I was mentioning earlier will fail when you enforce authenticated SMTP, because it's too old and replacing it is $$$, or too arcane and bringing an expert is $$$ then you will take an informed decision whether to proceed with your security hardening or not.
If you have no idea something will fail (you didn't catch it in the dry runs) if you enforce authenticated SMTP, you just do it, and if someone comes in a frenzy to tell you that the old and arcane system is down then you revert the change. From now on you're in the informed decision scenario from above.
This is not a minor omission. Leaving a glaring insecurity like this open by oversight isn't what the article suggests happened, and it's almost never the case. It's not something that "just happens", it's something that people meet to discuss and decide to ignore, maybe for reasons that look good at the time. This is the essence of risk taking. But it's a decision nonetheless.
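The "dry run" the comment above refers to is, in practice, an audit of the gateway's own logs before the switch is flipped: which clients relay mail today without authenticating, how much, and from where. The script below is an added example, not code from the article or from any commenter, and it assumes things the thread does not state: that the gateway is Postfix and that its smtpd logs the standard `client=host[ip], sasl_method=..., sasl_username=...` record (the SASL fields are absent when the client did not authenticate). The log lines it parses are constructed for the demonstration. It also renders the survivors of that audit as an explicit Postfix `cidr:` access map, so that "the old MFP stays open" becomes a reviewable two-line exception instead of an open relay.

```python
"""Audit a Postfix gateway log for clients that relay without SASL auth.

Assumptions not stated in the discussion: the gateway is Postfix, and each
accepted message produces an smtpd line of the form
  "QUEUEID: client=host[ip]" optionally followed by
  ", sasl_method=METHOD, sasl_username=USER" when the client authenticated.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not from the article or any real gateway).
SAMPLE_LOG = """\
Mar 12 08:01:02 smtpgw postfix/smtpd[2101]: 4F2A1B: client=vpn-client-17.example.internal[10.8.0.17], sasl_method=LOGIN, sasl_username=alice@example.edu
Mar 12 08:03:15 smtpgw postfix/smtpd[2107]: 9C0D2E: client=mfp-library-2.example.internal[10.20.5.44]
Mar 12 08:03:16 smtpgw postfix/qmgr[1999]: 9C0D2E: from=<scanner@example.edu>, size=88231, nrcpt=1 (queue active)
Mar 12 08:05:41 smtpgw postfix/smtpd[2109]: 1A7E33: client=billing-legacy.example.internal[10.20.7.9]
Mar 12 08:06:00 smtpgw postfix/smtpd[2109]: 1A7E34: client=vpn-client-88.example.internal[10.8.0.88]
Mar 12 08:07:22 smtpgw postfix/smtpd[2111]: 5B6C77: client=unknown[10.8.0.88]
Mar 12 08:09:10 smtpgw postfix/smtpd[2113]: 7D8E99: client=mfp-library-2.example.internal[10.20.5.44]
"""

# Only smtpd "client=" records matter; qmgr/cleanup lines are skipped.
# sasl_method is matched with [^,\s]+ because a trailing comma follows it.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+))?"
)


def parse_client_records(log_text):
    """Yield (queue_id, host, ip, sasl_username or None) for each client= line."""
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            yield m["qid"], m["host"], m["ip"], m["user"]


def unauthenticated_senders(log_text):
    """Return {ip: {"hosts": set of names seen, "count": messages}} for every
    client that relayed at least one message without SASL authentication.
    These are exactly the systems that break once auth is enforced."""
    found = defaultdict(lambda: {"hosts": set(), "count": 0})
    for _qid, host, ip, user in parse_client_records(log_text):
        if user is not None:
            continue  # authenticated, unaffected by the change
        found[ip]["hosts"].add(host)
        found[ip]["count"] += 1
    return dict(found)


def exception_table(grandfathered):
    """Render a Postfix cidr: access map (one '# comment' line then
    'ip/32 OK') for the clients deliberately allowed to keep relaying
    unauthenticated after the audit. Used as
      smtpd_recipient_restrictions = permit_sasl_authenticated,
          check_client_access cidr:/etc/postfix/legacy_relay.cidr, reject
    on an internal-only outbound relay, so everything else must authenticate.
    """
    lines = []
    for ip, comment in sorted(grandfathered.items()):
        lines.append(f"# {comment}")
        lines.append(f"{ip}/32 OK")
    return lines


if __name__ == "__main__":
    found = unauthenticated_senders(SAMPLE_LOG)
    for ip, info in sorted(found.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} {info['count']:3} msgs  {', '.join(sorted(info['hosts']))}")
    # Hypothetical outcome of the audit: the MFP gets an explicit exception,
    # the VPN clients and the legacy billing box are made to authenticate.
    print("\n".join(exception_table(
        {"10.20.5.44": "mfp-library-2 scan-to-mail, firmware has no SASL support"})))
```

Run over a week or two of real logs rather than the sample, the unauthenticated list is the inventory of "dunno who that belongs to" systems; each entry either gets an owner and credentials, or a dated line in the exception file, which is the informed decision the thread describes made visible in the config.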
1. Carefully establish the one critical data flow the whole business depends on. It may cost some time, but this one you have to protect by all means, so stakeholders won't mind.
2. As for the rest, take them down one by one and see what breaks. Got a call to the internal support hotline? "Ooops, sorry, we will turn it on and let's chat about it soon."
There can be a few announcements in advance to shift the blame before (2): "Declare yourself or face consequences" (ChatGPT will write a nicer email). If you are on good terms with CFO, the noise won't matter. In fact, many people will thank you, when their weird stuff is taken over for care by IT.