Page 46 - Cyber Defense eMagazine December 2023
and Organizations) and SP800-171r2 (Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations).
Regardless of the organization and the specific risk assessment conducted, engaging the appropriate experts is mandatory, and setting the right scope is critical (people, processes, technology, administrative controls, third parties, etc.). All risk-assessment efforts must be documented, and reasonable, actionable remediation expectations must be communicated to management for implementation. The risk assessment should be repeated on a regular cadence.
Vulnerability Testing
Another step that organizations can take to build a secure data-protection infrastructure and guard against the MOVEit hack is to conduct a technical vulnerability scan and a website vulnerability test. These will show where cyber-hygiene improvements may be needed. Vulnerability scanning and patching of internal assets should be conducted at least quarterly.
Security Training
Additionally, organizations should have a documented and effective security-awareness training program
in place that all users attend upon hire and at least once annually thereafter.
Vendor Risk Management
Lastly, organizations should consider upgrading their vendor risk-management program by sending emails with direct questions to each vendor, such as “Do you, or any of your third parties, use MOVEit?” These should be sent out without delay.
An effective vendor risk-management program is needed as well, for any vendor who reasonably
interacts with an organization’s data. Organizations should explore having at least annual internal and
external penetration testing conducted to ensure that their protection programs are operating as
expected.
It is clear from the rampant MOVEit breaches that a lack of controls and assured data protection, as well
as misunderstood risk profiles, can allow weaknesses to creep into the overall data-protection
infrastructure. These weaknesses are then exploited by those with nefarious intentions. Organizations
must act now, understand their risks, and take the appropriate actions to protect their data.
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.