In today's world, organizations are facing more and more complex threats that put their sensitive data and relationships with stakeholders at risk. The recent discovery of the MOVEit exploit has caused concern in the cybersecurity industry, revealing vulnerabilities that could significantly affect cybersecurity management; however, this is not an isolated occurrence, as in the act of a compromise/breach and the subsequent governance fallout associated with it. The MOVEit exploit is another to be added to an ever-growing list, preceded by other high-profile breaches and compromises such as Microsoft, Solarwinds, Uber, and News Corp, to name a few!
Many organizations rely on MOVEit as their Managed File Transfer (MFT) solution to safely send sensitive data internally and externally. Using the search engine Shodan (You’ll need to have a Shodan account to access the query we’ve hyperlinked to view the list of companies using MOVEit), it reveals that over 2500 companies utilize MOVEit and have instances of this software accessible over the internet. This gives any threat actor a large attack surface and, for security professionals and governance folks alike, a large headache!
Unfortunately, a critical vulnerability has been identified in MOVEit, which, if successfully exploited, would allow a threat actor remote unauthenticated access to any file of a folder within the MOVEit system. This access, in turn, could allow unauthorized access to confidential and sensitive information, for example, personally identifiable information (PII) or protected healthcare information (PHI). The exploit took advantage of a flaw in the authentication mechanism in the form of SQL injection, enabling attackers to circumvent security controls and gain access to the data stored in the MOVEit system. This vulnerability not only poses a risk of sensitive information being lost but also undermines the trust that organizations have in the security of their MFT solution. The resulting impact for the affected organization ultimately is loss of revenue, loss of customers, along with brand and reputational damage.
On June 5th, 2023, MOVEit released the following notification, which sites a SQL injection (SQLi) vulnerability within the application, which could allow, if successful, escalated privileges and unauthorized access to the environment.
Implications of MOVEit for Cybersecurity Governance
Heightened Risk Awareness: The exploit is a powerful reminder for organizations to reassess their cybersecurity governance strategies. It highlights the criticality of proactively identifying and promptly addressing vulnerabilities to mitigate potential risks. Key points to help in this area:
- Understanding and knowledge of various threats and system vulnerabilities
- Apply essential risk management & risk assessment principles relating to your organization-specific cybersecurity threats
- Evaluate organizational structure, roles, and responsibilities.
- Evaluate the concept of incident response.
- Assist in developing their organization’s cybersecurity program
Compliance Challenges: Various industries, such as finance, healthcare, and government, operate under stringent regulatory frameworks governing data protection and privacy. Prominent examples of these regulatory frameworks are:
- PCI DSS (Global): A MOVEit exploit could result in unauthorized access to cardholder data, including cardholder names, primary account numbers (PANs), expiration dates, and card verification codes. This would violate PCI DSS requirements, which mandate strict controls to protect cardholder data from unauthorized access or disclosure.
- HIPAA (US): An exploit could allow unauthorized individuals to access sensitive patient data stored or transmitted through MOVEit. This would violate the HIPAA Security Rule, which requires safeguards against unauthorized access to protected health information (PHI).
- GDPR (EU & UK): GDPR grants individuals certain rights, such as the right to access their personal data, the right to rectify inaccuracies, and the right to erasure (also known as the right to be forgotten). A MOVEit exploit could potentially hinder the ability of organizations to fulfill these rights, particularly if personal data is lost, altered, or inaccessible.
- The Data Protection Act (UK): The DPA incorporates the EU General Data Protection Regulation (GDPR) principles, including restrictions on transferring personal data outside the UK and the European Economic Area (EEA). If a MOVEit exploit compromises the security or confidentiality of personal data during transfers, it may impact compliance with the DPA's requirements for international data transfers.
The MOVEit exploit raises concerns about an organization's ability to comply with these regulations and emphasizes the need for more robust security measures.
Reputational Damage and Trust Erosion: Cybersecurity breaches can damage an organization's reputation and erode customer trust, take the SolarWinds compromise as an example; the company share price dropped by over $7 per share to $13 (down from $20) upon the breach disclosure. The MOVEit exploit underscores the importance of maintaining robust cybersecurity governance practices to safeguard sensitive information and preserve stakeholder confidence.
Board-level Involvement: As cybersecurity risks become increasingly sophisticated, boards of directors must prioritize cybersecurity governance as a strategic concern. The exploit reiterates the need for board-level awareness and engagement in setting relevant and ‘fit-for-purpose’ cybersecurity policies, allocating resources, and reviewing risk management strategies regularly.
Supply Chains: Supply chains often involve the sharing of sensitive information, such as product designs, intellectual property, financial data, and customer details. A MOVEit exploit that enables unauthorized access could result in the exposure of such confidential information. This can have severe consequences, including the loss of competitive advantage, breach of contractual obligations, or compromise of customer trust.
How to Adapt to the Changing Landscape
Enhanced Vulnerability Management: Ideally, organizations should invest in-house in comprehensive programs to promptly identify and remediate potential security flaws; however, this may not always be possible due to financial constraints. An alternative is to seek out a reputation 3rdparty service that can be vetted, risk assessed, and provide the services you require. Irrespective of which route is taken, regular vulnerability assessments, penetration testing, and continuous monitoring can and will help prevent vulnerabilities within your environment, along with exploits similar to the ones that impacted MOVEit.
Robust Authentication and Authorization: Strengthening authentication mechanisms prevents unauthorized access. Organizations should adopt multi-factor authentication, enforce strong password policies, and implement secure access controls to reduce the likelihood of successful attacks. A great starting point to identify any potential issues would be to review the likes of:
- Active Directory users and groups – adopt the principle of least privilege, identify user privilege creep
- Identity Access Management – review all users, groups, and services, again, adopt the principle of least privilege
Cybersecurity Training and Awareness: Human error remains a significant factor in cybersecurity incidents. Organizations should prioritize cybersecurity training and awareness programs to educate employees about best practices, such as identifying phishing attempts and handling sensitive data securely. Various options are available in this space, which comes as ‘off-the-shelf' training by third-party vendors; however, it is important to note that this can be generic and not tuned to your organizational needs.
Collaborative Approach: The exploit highlights the interconnected nature of cybersecurity. Organizations should actively collaborate with industry peers, share threat intelligence, and participate in cybersecurity forums and initiatives to stay updated on emerging threats and countermeasures.
The MOVEit exploit has highlighted the importance for organizations to assess and improve their cybersecurity governance practices regularly. To prevent similar incidents, proactive steps like implementing strong vulnerability management, secure authentication methods, and thorough employee training are crucial in reducing potential risks.
Organizations must continuously evolve their approach to cybersecurity governance to maintain the trust of stakeholders. Adopting a comprehensive and proactive cybersecurity governance strategy is vital for success. It's essential to stay abreast of emerging threats and promote a culture of cybersecurity awareness throughout the organization.
How can we help?
Here at Lares, we help empower organizations to maximize their security potential.
Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets and, ultimately, the data that resides within them through a unique blend of governance, assessment, testing, and coaching.