by Carl Cadregari, Executive Vice President, FoxPointe Solutions
Regardless of the industry in which they operate, organizations have likely witnessed the wave of destructive MOVEit breaches sweeping the globe during recent months. As a result, many organizations may be left wondering what they need to understand about the MOVEit hack and how they can guard against such attacks.
Understanding the MOVEit Hack
Before they can effectively fortify their organizations against the MOVEit hack, cybersecurity professionals must first understand the origins of these breaches. MOVEit, a managed file-transfer software product, is often used by healthcare, government, financial service, and educational organizations to encrypt and distribute large amounts of sensitive data. Due to a vulnerability within the software, a wave of harmful cyberattacks and data breaches began in May 2023. This vulnerability allowed attackers to access MOVEit’s database and steal files from systems through SQL injection. According to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the MOVEit breaches were conducted by Clop, a Russian-speaking cybercriminal group. As of August, more than 600 organizations worldwide have fallen victim to MOVEit breaches—affecting more than 40 million individuals. Thankfully, a software patch is now available and can help protect organizations from exploitation.
Guarding against MOVEit Breaches
As organizations seek to protect themselves against the MOVEit hack and other breaches, it is critical for them to understand that they will inevitably become the target of a data attack—it is truly just a matter of how and when. Attacks can stem from a variety of sources, including external threat actors such as Clop, disgruntled internal staff, or even parties within the supply chain. As a result, every organization should be focused on building a secure data-protection infrastructure. All known or suspected attack vectors, as well as the status of the controls required to reasonably protect the organization, need to be a part of every organization’s risk-management consideration today.
Conducting a Risk Assessment
One of the best places to start is to have a thorough, accurate, and unbiased cyber-risk assessment performed, even if there is no law or regulation requiring the organization to complete one. Management cannot act or make cyber- and data-protection decisions effectively without reasonable information drawn from these types of documented assessments.
Before conducting a risk assessment, an organization must first identify its data sets and determine what requires protection. It’s important to note that even if an organization doesn’t have protected client data (health information, credit cards, SSN, etc.), it still likely possesses protected employee information (SSN, 401(k)/403(b), banking, etc.).
Next, organizations must assess which laws and standards apply to their data sets. Both client data and employee data require protection based on federal, state, and sometimes local cybersecurity and privacy laws. This will define what type of risk assessment needs to be performed.
For example, if an organization consists of 50 employees, all located within New York state, and it supplies a consumable to other businesses, it’s likely that only the New York State SHIELD Act would apply to its electronic data. In addition, as it is a small business, a “smaller” risk assessment based on something like the Center for Internet Security (CIS) Top 20 would suffice.
Conversely, if an organization is large, such as a multiregional health system with several thousand employees, then its reasonable risk assessment would need to be much more robust. In that case, such an assessment would follow standards set by the National Institute of Standards and Technology (NIST) publications such as SP800-30r1 (Guide for Conducting Risk Assessments). That could be layered on top of standard control sets such as SP800-53r5 (Security and Privacy Controls for Information Systems and Organizations) and SP800-171r2 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations).
Regardless of the organization and the specific risk assessment conducted, using the applicable experts is mandatory, and appropriate scope is critical (people, processes, technology, administrative, third-party, etc.). All risk-assessment efforts must be documented, and reasonable, actionable remediation expectations must be communicated to management for implementation. This risk assessment should be repeated on a regular cadence.
Vulnerability Testing
Another step that organizations can take to build a secure data-protection infrastructure and guard against the MOVEit hack is to conduct a technical vulnerability scan and website vulnerability test. These will show where cyber-hygiene may be needed. This vulnerability scanning and patching of internal assets should be conducted at least quarterly.
Security Training
Additionally, organizations should have a documented and effective security-awareness training program in place that all users attend upon hire and at least once annually thereafter.
Vendor Risk Management
Lastly, organizations should consider upgrading their vendor risk-management program by sending emails with direct questions to each vendor, such as “Do you, or any of your third parties, use MOVEit?” These should be sent out without delay.
An effective vendor risk-management program is needed as well, for any vendor who reasonably interacts with an organization’s data. Organizations should explore having at least annual internal and external penetration testing conducted to ensure that their protection programs are operating as expected.
It is clear from the rampant MOVEit breaches that a lack of controls and assured data protection, as well as misunderstood risk profiles, can allow weaknesses to creep into the overall data-protection infrastructure. These weaknesses are then exploited by those with nefarious intentions. Organizations must act now, understand their risks, and take the appropriate actions to protect their data.
About the Author
Carl is an executive vice president in the FoxPointe Solutions/Information Risk Management Division of The Bonadio Group. Carl has expertise in the areas of Data Privacy and Cybersecurity Controls; Physical, Administrative, and Technical Security; Enterprise Risk Management; Vendor Management; and Disaster Recovery Planning, having worked with companies across almost all vertical markets ranging in size from small businesses to multiregional and multinational organizations with thousands of employees. Carl can be reached online at [email protected] and at our company website https://www.foxpointesolutions.com/.