Page 46 - Cyber Defense eMagazine December 2023

and Organizations) and SP 800-171r2 (Protecting Controlled Unclassified Information in Nonfederal
             Systems and Organizations).

             Regardless of the organization and the specific risk assessment conducted, engaging the applicable
             experts is mandatory, and appropriate scope is critical (people, processes, technology, administrative
             controls, third parties, etc.). All risk-assessment work must be documented, and reasonable, actionable
             remediation expectations must be communicated to management for implementation. The risk assessment
             should be repeated on a regular cadence, not treated as a one-time exercise.



            Vulnerability Testing

             Another step that organizations can take to build a secure data-protection infrastructure and guard
             against the MOVEit hack is to conduct a technical vulnerability scan of their network and a vulnerability
             test of their websites and web applications. These will show where cyber hygiene is lacking, and in
             particular which internal and internet-facing assets are running unpatched software. Vulnerability
             scanning and patching of internal assets should be conducted at least quarterly; that cadence is a
             floor, and an actively exploited flaw in an internet-facing file-transfer service calls for an
             out-of-cycle scan and patch.
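             The value of a scan lies in what gets done with its output. The following Python script is an example
             added to this article (it is not tooling from the original text): it parses nmap's own -oX service-scan
             XML, keeps only open ports on hosts that are up, and turns them into a severity-ordered findings list
             that can be handed to management as remediation expectations. The sample XML is constructed, the
             assumption that nmap reports "MOVEit Transfer" in a service banner is illustrative (real fingerprints
             vary), and the WATCHLIST and POLICY_RULES tables are example policy, not a standard.

```python
"""Turn an nmap -sV XML scan into a reviewable, severity-ordered findings list.

Example code added to this article, not from the original text.
Assumptions: input is nmap's -oX output; the banner text, WATCHLIST entries
and POLICY_RULES below are illustrative choices, not vendor-published data.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 10.0.0.0/29` could produce.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" start="1701388800">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="mft.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Microsoft IIS httpd" version="10.0" extrainfo="MOVEit Transfer"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Products to surface for manual patch-level verification (assumed fingerprints).
WATCHLIST = ("moveit",)

# Illustrative cyber-hygiene rules: nmap service name -> (severity, reason).
POLICY_RULES = {
    "ftp": ("high", "cleartext file transfer exposed"),
    "telnet": ("high", "cleartext remote shell exposed"),
    "ms-wbt-server": ("medium", "RDP reachable; confirm MFA and network restriction"),
}

SEVERITY_ORDER = {"high": 0, "review": 1, "medium": 2}


def parse_nmap_xml(xml_text):
    """Return one dict per open port on each host that nmap reports as up."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no exposure
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "host": addr, "hostname": hostname,
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": attrs.get("name", ""), "product": attrs.get("product", ""),
                "version": attrs.get("version", ""), "extrainfo": attrs.get("extrainfo", ""),
            })
    return rows


def triage(rows):
    """Apply the watchlist and policy rules; return findings, most severe first."""
    findings = []
    for r in rows:
        banner = " ".join((r["product"], r["version"], r["extrainfo"])).lower()
        if any(w in banner for w in WATCHLIST):
            findings.append({**r, "severity": "review",
                             "reason": "watchlisted product in banner; verify vendor patch level"})
        if r["service"] in POLICY_RULES:
            sev, why = POLICY_RULES[r["service"]]
            findings.append({**r, "severity": sev, "reason": why})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))


def report(findings):
    """Render findings as one line each, suitable for a remediation tracker."""
    lines = []
    for f in findings:
        where = f["hostname"] or f["host"]
        lines.append(f"[{f['severity'].upper():6}] {where}:{f['port']}/{f['proto']} "
                     f"{f['service']} {f['product']} {f['version']} - {f['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_nmap_xml(SAMPLE_NMAP_XML))))
```

             Run it against a real scan by reading scan.xml into parse_nmap_xml instead of the sample string. The
             "review" severity is deliberately separate from "high": a banner match only says a watchlisted product
             is present, and whether it is patched still has to be confirmed with the asset owner or the vendor.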



            Security Training

             Additionally, organizations should have a documented and effective security-awareness training program
             in place that every user completes upon hire and at least once annually thereafter.



            Vendor Risk Management

             Lastly, organizations should consider upgrading their vendor risk-management program by sending each
             vendor direct questions such as "Do you, or any of your third parties, use MOVEit?" These should be
             sent out without delay, and the answers recorded against the vendor's risk profile.

             An effective vendor risk-management program is needed for any vendor that reasonably interacts with an
             organization's data. Organizations should also explore having at least annual internal and external
             penetration testing conducted to confirm that their protection programs are operating as expected.

             It is clear from the rampant MOVEit breaches that a lack of controls and assured data protection, as
             well as misunderstood risk profiles, can allow weaknesses to creep into the overall data-protection
             infrastructure. Those weaknesses are then exploited by attackers. Organizations must act now,
             understand their risks, and take the appropriate actions to protect their data.











            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.