If you’ve been following the MOVEit data breach as we have, the thing that stands out is the steady drip drip drip of information coming out that serves as a continuing reminder of the consequences of a failure to tackle data security hygiene. To be clear, we do not exult in the misfortune that befalls any organization, including one that competes in our industry. Nor do we think that MOVEit is 100% culpable in this incident. It’s often said that managed file transfer is a “set it and forget it” technology, but there’s no excuse when you select it and neglect it after installation. And as we’ve discussed, security should never be sacrificed on the altar of convenience where managed file transfer software–or any technology product–is concerned.
As the numbers accrue and as more organizations notify the public and various authorities, I wonder how many were compromised in the initial wave of attacks when the cl0p ransomware gang first launched their campaign, and how many were slow to patch their software after patches were (quickly) made available once the vulnerabilities were diagnosed. How many failed to check whether the software was installed behind a firewall? How many did nothing because they did “set it and forget it” and had no idea that they were using a product targeted by a threat actor running an attack that was months in the planning?
Whatever the causes, in aggregate the MOVEit breach may end up one of the biggest. The trade journal TechCrunch recently published a feature that breaks the breach down into some staggering numbers. I urge you to read the entire thing (“MOVEit, the biggest hack of the year, by the numbers”), but here are the highlights:
- 60,144,069 individuals impacted
- 83.9% of affected organizations were U.S. based
- 11 million individuals compromised via a single organization
- 30.86% of all breached organizations were in financial services
- $9,923,771,385 in aggregate costs to date
- 2021 is when cl0p first discovered the vulnerability
- $10,000,000 bounty offered by the U.S. Department of State for information on cl0p
- $100,000,000 potential revenue that cl0p could earn as a result of the campaign
- 0 is how much information cl0p claims to have stolen from U.S. government agencies, despite the fact that the State Department, Department of Energy, and other agencies were compromised.
The question for all organizations in light of this information is, “What can I do?” We shared seven best practices for keeping the managed file transfer process secure, and more insights about examining and securing the digital supply chain as well. But it’s worth noting that, earlier this month, the National Institute of Standards and Technology (NIST) announced an update to its popular cybersecurity framework. Although the NIST framework is constantly evolving, Cybersecurity Framework 2.0 (CSF 2.0) is the first major update in over a decade.
Originally intended to be adopted by critical infrastructure organizations, CSF 2.0 was revised to be applicable to any organization operating in any industry, and with the addition of “govern,” CSF 2.0 is now built on six foundational pillars instead of just five, including:
Be Careful Out There
It shouldn’t take a major security event to cause us to evaluate our individual practices and readiness, but it would be a mistake to fail to do so now. Take the time to ask the hard questions and do what is necessary to improve. Then make it a habit. And as a crusty old television cop used to say… “Be careful out there.”