Page 45 - Cyber Defense eMagazine December 2023

SQL injection. According to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the MOVEit breaches are being conducted by Clop, a Russian-speaking cybercriminal group. As of August, more than 600 organizations worldwide have fallen victim to MOVEit breaches—affecting more than 40 million individuals.



Guarding against MOVEit Breaches


As organizations seek to protect themselves against the MOVEit hack, it is critical for them to understand that they will inevitably become the target of a data attack—it is truly just a matter of how and when. Attackers and attacks can stem from a variety of sources including external threat actors, such as Clop, internal disgruntled staff, or even within the supply chain. As a result, every organization should be focused on building a secure data-protection infrastructure. All known or suspected attack vectors, as well as the status of the controls required to reasonably protect the organization, need to be a part of every organization’s risk-management consideration today.



Conducting a Risk Assessment


One of the best places to start is to have a thorough, accurate, and unbiased cyber-risk assessment performed, even if there is no law or regulation requiring the organization to complete one. Management cannot act or make cyber- and data-protection decisions effectively without reasonable information drawn from these types of documented assessments.

Before conducting a risk assessment, an organization must first identify its data sets and determine what requires protection. It’s important to note that even if an organization doesn’t have protected client data (health information, credit cards, SSN, etc.), it still likely possesses protected employee information (SSN, 401(k)/403(b), banking, etc.).

Next, organizations must assess which laws and standards apply to their data sets. Both client data and employee data require protection based on federal, state, and sometimes local cybersecurity and privacy laws. This will define what type of risk assessment needs to be performed.

For example, if an organization consists of 50 employees, all located within New York state, and it supplies a consumable to other businesses, it’s likely that only the New York State SHIELD Act would apply to its electronic data. In addition, as it is a small business, a “smaller” risk assessment based on something like the Center for Internet Security (CIS) Top 20 would suffice.

Conversely, if an organization is large, such as a multiregional health system with several thousand employees, then its reasonable risk assessment would need to be much more robust. In that case, such an assessment would follow standards set by the National Institute of Standards and Technology (NIST) publications such as SP800-30r1 (Guide for Conducting Risk Assessments). That could be layered on top of standard control sets such as SP800-53r5 (Security and Privacy Controls for Information Systems







Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.