Page 45 - Cyber Defense eMagazine December 2023
SQL injection. According to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal
Bureau of Investigation (FBI), the MOVEit breaches are being conducted by Clop, a Russian-speaking
cybercriminal group. As of August, more than 600 organizations worldwide have fallen victim to MOVEit
breaches—affecting more than 40 million individuals.
Guarding against MOVEit Breaches
As organizations seek to protect themselves against the MOVEit hack, it is critical for them to understand
that they will inevitably become the target of a data attack—it is truly just a matter of how and when.
Attackers and attacks can stem from a variety of sources, including external threat actors such as Clop,
disgruntled internal staff, or even parties within the supply chain. As a result, every organization should be
focused on building a secure data-protection infrastructure. All known or suspected attack vectors, as
well as the status of the controls required to reasonably protect the organization, need to be a part of
every organization’s risk-management consideration today.
Conducting a Risk Assessment
One of the best places to start is to have a thorough, accurate, and unbiased cyber-risk assessment
performed, even if there is no law or regulation requiring the organization to complete one. Management
cannot act or make cyber- and data-protection decisions effectively without reasonable information drawn
from these types of documented assessments.
Before conducting a risk assessment, an organization must first identify its data sets and determine what
requires protection. It’s important to note that even if an organization doesn’t have protected client data
(health information, credit cards, SSN, etc.), it still likely possesses protected employee information (SSN,
401(k)/403(b), banking, etc.).
Next, organizations must assess which laws and standards apply to their data sets. Both client data and
employee data require protection based on federal, state, and sometimes local cybersecurity and privacy
laws. This will define what type of risk assessment needs to be performed.
For example, if an organization consists of 50 employees, all located within New York state, and it
supplies a consumable to other businesses, it’s likely that only the New York State SHIELD Act would
apply to its electronic data. In addition, as it is a small business, a “smaller” risk assessment based on
something like the Center for Internet Security (CIS) Top 20 (now the 18 CIS Controls in version 8) would suffice.
Conversely, if an organization is large, such as a multiregional health system with several thousand
employees, then its reasonable risk assessment would need to be much more robust. In that case, such
an assessment would follow standards set by the National Institute of Standards and Technology (NIST)
publications such as SP800-30r1 (Guide for Conducting Risk Assessments). That could be layered on
top of standard control sets such as SP800-53r5 (Security and Privacy Controls for Information Systems
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.