Navigating the Treacherous Waters of IT Risk: The MOVEit Transfer Exploit as a Case Study

Mike Boutwell
Author: Mike Boutwell, CISA, CGEIT, CISSP, ISO 27001 SLI/SLA, ISO 27031 SLCM, ISO 38500 SLITCGM
Date Published: 30 January 2024
Read Time: 9 minutes

Emerging technologies in the IT landscape have made risk management an indispensable aspect of modern organizations. As the digital revolution continues unabated, the specter of cyberrisk looms larger than ever. A prime example that epitomizes the threats faced in an increasingly interconnected world is the recent global hacking campaign1 targeting MOVEit Transfer, a widely used file-transfer software.

MOVEit Transfer is a popular tool among organizations to whom the secure transfer of sensitive information is paramount. The software is commonly used for sharing sensitive data, including financial records for bank loan applications. However, MOVEit Transfer recently became the focal point of an extensive global hacking campaign. The US Department of Energy (DOE) and several other US federal agencies were among the victims. Data were compromised at 2 DOE entities: Oak Ridge Associated Universities (Tennessee, USA) and the Waste Isolation Pilot Plant (WIPP) (Carlsbad, New Mexico, USA), a facility for the disposal of defense-related nuclear waste. British energy giant Shell, the University System of Georgia (Atlanta, Georgia, USA) and Johns Hopkins University (Baltimore, Maryland, USA) were also among the entities whose systems were infiltrated through the MOVEit Transfer software. Cl0p, a Russia-linked extortion group, claimed credit for the hack.2 It exploited a security flaw in the MOVEit Transfer software that was discovered only a month earlier by Progress Software, the maker of MOVEit Transfer.

The MOVEit Transfer incident is a stark reminder of the multifaceted nature of IT risk. It underscores the importance of managing various sources of IT risk, including security vulnerabilities and data breaches, and understanding regulatory compliance.

Security Vulnerabilities

The hacking campaign exploited a known vulnerability in the MOVEit Transfer software. This illustrates the importance of identifying and patching software vulnerabilities as a key aspect of IT risk management. Unpatched software is essentially an open door that cybercriminals can use to enter an organization's network. Continuous monitoring and timely patching should be the priority to close any security gaps.

Unpatched software is essentially an open door that cybercriminals can use to enter an organization's network.

Data Breaches

The breach had far-reaching implications. For entities such as DOE, which manages US nuclear infrastructure and energy policy, and Shell, which has global energy interests, the risk associated with data breaches is monumental. Data breaches can lead to the loss of sensitive information, which may affect an enterprise's competitive position or even national security. The importance of protecting sensitive information cannot be understated. Employing encryption, network segmentation and monitoring access to sensitive information are key strategies for mitigating this risk.

Regulatory Compliance

Entities involved in the MOVEit Transfer breach also face regulatory compliance risk. Noncompliance with data protection laws can result in severe penalties and reputational damage. Therefore, organizations should ensure that they have a thorough understanding of the legal and regulatory requirements applicable to their industries and that they are in compliance with such standards.

Strategies for Mitigating IT Risk

To address the complexity and severity of IT risk, organizations must adopt a multipronged approach to IT risk management. This should include conducting IT risk assessments regularly to identify and evaluate risk. Standards such as the International Organization for Standardization (ISO) standard ISO 27001 may also be used to standardize and guide organizational cybersecurity efforts.

To address the complexity and severity of IT risk, organizations must adopt a multipronged approach to IT risk management.

The following areas of IT risk are by no means an exhaustive list of controls, but rather, are common gaps that require particular attention.

Third-Party Risk Management

It is critical to assess the security postures of third-party vendors regularly. In the MOVEit case, the third-party software became a gateway for the breach. Performing rigorous vendor assessments and monitoring vendors are essential.

Vendor Security Assessments
Conduct comprehensive security assessments of vendors to evaluate their security practices and ensure that they align with organizational standards.

Contractual Agreements
Include security clauses in contracts with vendors, ensuring that they are obliged to adhere to security best practices.

Continuous Monitoring
Maintain ongoing monitoring of third-party vendors to observe any security incidents or changes in their security postures.

Cloud Security

If using cloud services, enterprises should ensure that the shared responsibility model is understood and utilized and that cloud configurations are secure. Regularly monitoring and auditing cloud environments is important.

Understanding the Shared Responsibility Model
The shared responsibility model delineates the security obligations of a cloud service provider and the user. The provider is responsible for the security of the cloud, whereas the user is responsible for security in the cloud. Users must secure their data, applications and credentials.

Cloud Configuration Management
Periodically review and manage cloud configurations to ensure that security settings align with best practices.

Access Controls
Implement strict access controls to cloud environments to minimize the risk of unauthorized access.

Continuous Vulnerability Management

Organizations are advised to employ continuous monitoring for vulnerabilities and apply patches and updates promptly. It is not only about identifying vulnerabilities, but also about timely mitigation, which helps reduce the window of opportunity for hackers.

Regular Scanning
Employ regular scanning of systems and applications for vulnerabilities.

Patch Management
Create a systematic approach for deploying patches and updates to systems and applications.

Risk Assessment
Assess the risk associated with identified vulnerabilities and prioritize patches based on risk levels.

Data Encryption and Secure Transfer

Sensitive data should be encrypted, both at rest and in transit. In addition, employing secure file transfer protocols ensures that in the event of data interception, the information remains secure.

Encryption Algorithms
Use strong encryption algorithms to protect sensitive data.

Key Management
Properly manage encryption keys to ensure that only authorized individuals can decrypt data.

Secure Transfer Protocols
Use secure transfer protocols such as Secure File Transfer Protocol (SFTP) or Hypertext Transfer Protocol Secure (HTTPS) for transmitting sensitive data.

Frequent Backups

Data should be backed up regularly and organizations must confirm that such backups are secure. This ensures that data can be restored from a secure source in the event of data loss through a cyberincident.

Backup Schedules
Establish regular backup schedules to ensure that data are consistently backed up.

Backup Encryption
Encrypt backups to add an additional layer of security.

Backup Testing
Test backups often to ensure that data can be effectively restored.

Employee Training and Awareness

Employees can often be the weakest link in security. Conducting training and awareness programs regularly can ensure that staff recognize the signs of a breach or phishing attempt and know how to respond.

Security Awareness Programs
Implement security awareness programs that educate employees on the latest cyberthreats and best practices.

Phishing Simulations
Conduct phishing simulations to test employees’ abilities to recognize phishing attempts.

Clear Reporting Procedures
Establish clear procedures for reporting suspected security incidents.

Incident Response Plan

A well-formulated incident response plan is nonnegotiable. This ensures that the organization can quickly and effectively respond to an incident and mitigate damage.

Incident Response Team
Establish a dedicated incident response team that is responsible for handling security incidents.

Response Procedures
Develop detailed response procedures for different types of incidents.

Regular Drills
Organizations should conduct regular incident response drills involving their IT department, cybersecurity team and other relevant units to ensure comprehensive preparedness for any security incidents.

Legal and Regulatory Compliance

Organizations must ensure that they are compliant with all applicable laws and regulations. This includes understanding and adhering to data protection regulations.

Understanding Regulations
Enterprises must be able to comprehend the legal and regulatory requirements relevant to their industries and locations.

Data Protection Policies
Develop and implement data protection policies that comply with regulations such as the EU General Data Protection Regulation (GDPR) or the US Health Insurance Portability and Accountability Act (HIPAA).

Regular Audits
Conduct audits periodically to ensure compliance with legal and regulatory requirements.

Conclusion

The MOVEit Transfer incident offers a valuable lesson in the importance and complexity of IT risk management. Through the lens of this event, it becomes clear that organizations must be vigilant and proactive. With a multifaceted approach that encompasses continuous monitoring, employee training, adherence to compliance, and collaboration, organizations can navigate the treacherous waters of IT risk. In an age where data are the new oil, ensuring their security is paramount. As stated by US professor and computer science researcher Gene Spafford, “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.3

In reality, systems must be alive and kicking. The key is to ensure that they are as secure as possible. IT risk is not merely an IT issue—it is a business-critical priority. Today’s leaders must foster a culture of cybersecurity awareness and ensure that robust systems and protocols are in place. As we forge ahead in this digital era, let us do so with the wisdom and lessons gleaned from past incidents and the resolve to build a more secure future. 

Endnotes

1 Agencies, G.S.; “US Energy Department and Other Agencies Hit by Hackers in MoveIt Breach,” The Guardian, 16 June 2023
2 Cybersecurity and Infrastructure Security Agency (CISA), “CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability,” USA, 7 June 2023
3 Purdue.edu, “Quotable Spaf,” 4 August 2022

Mike Boutwell, CISA, CGEIT, CISSP, ISO 27001 SLI/SLA, ISO 27031 SLCM, ISO 38500 SLITCGM

Is a seasoned cybersecurity professional with more than 15 years of experience in the field. He has held significant roles in leading organizations such as Cisco, AT&T, IBM, Kyndryl, First Data and Euroclear. Boutwell’s expertise spans from IT risk management to executive leadership and he has been instrumental in securing assets worth over US$1 quadrillion and delivering projects valued over US$100 million. As the founder of his own cybersecurity consultancy, he is on a mission to guide 200,000 individuals into their first infosec jobs. He has developed a career accelerator program to assist aspiring professionals in landing their first cybersecurity roles. Additionally, Boutwell serves as an advisor to early-stage Software-as-a-Service (SaaS) startups, helping them refine their security strategies. He has authored publications including "The Ransomware Handbook" and "Profit-Driven Cybersecurity." His dedication to the field has been recognized by awards such as the AT&T Connection Award. For further insights and to connect with Boutwell, visit his personal website at http://www.mikeboutwell.com or his LinkedIn profile at http://www.linkedin.com/in/mikeboutwell.

Additional resources