The Epic Fail Behind MOVEit
The attack on MOVEit is a replay of similar breaches which expose poor data management practices.
For some time now, threat actors have been attacking file transfer systems. Accellion's twenty-year-old FTA (File Transfer Application) was breached by CLOP in the lead-up to Christmas and, whilst the patch was issued rapidly, data belonging to tens of customers, including Shell, The Reserve Bank of New Zealand, The University of California, Stanford University School of Medicine, Bombardier, University of Miami Health, Trillium, Community Health Plan and Kroger, was stolen and the victims extorted.
Over 550 organisations, many of them household names, and between 33 and 38 million individuals have been exposed by the mass exploitation, again by the CLOP ransomware gang, of the vulnerability in Progress Software's MOVEit file transfer solution. Excellent info on this incident can be found here.
Since the early days of hacking, file transfer technologies have been exploited to enable unauthorised access, cause outage and more recently to steal data and extort the organisations who operate them; often manipulating the data subjects themselves as a reputational risk lever.
File transfer technologies come in many implementations. Because they have been around for a long time there are technologies that are customer-hosted software & appliances as well as cloud-hosted services. There are also a range of service providers who offer file transfer as part of their offerings, such as Zellis, a payroll provider who used the MOVEit solution to exchange data with their clients.
However, when it comes to understanding the fundamental risks in relation to such incidents, I have not seen one article or opinion which correctly identifies the core issue.
There is no doubt that software quality, vendor management, security testing etc. are also important aspects, but ultimately the real issue is one of shockingly poor data management. Of course, with any such service there is a trade-off between security and utility, but the fact that data from so many organisations has been breached is evidence that far too much trust is placed in file transfer services and that the risks have not been adequately managed.
Offering data crown jewels to cybercriminals on a silver platter.
Consider the process.
1. I need to transfer this sensitive data and/or large file to a third party.
2. I cannot use email because of attachment size or because of security concerns [the irony!].
3. I can use our file transfer service.
4. I upload the file.
5. The third party downloads the file and confirms receipt.
6. Next time I need to do this - Goto 1.
But it's not job done is it? The sensitive data/large file remains on the platform. Multiply this by all users following this flawed process regularly for years and 'hey presto!' petabytes of lovely sensitive data just waiting to be breached.
This practice exposes a significant risk, and one that the tens of thousands of organisations (and individuals) using file transfer can reduce to literally nothing, immediately, simply by following good data management practices. All that is needed is to add a step after point 5 above that reads: 'Delete file(s) from file transfer platform.'
Of course, there are many more reasons to adopt and operate an effective data/records management policy and procedures, not least compliance with data protection law, e.g. GDPR, and other relevant legislation. Perhaps regulators reviewing the MOVEit incidents will finally seek to properly enforce the law, protect the public adequately and question the data management practices adopted by organisations that feature in this latest set of breaches? Perhaps they won't.
Cyber insurance underwriters may also be rightly concerned as to the levels of control over sensitive business and personal data operated by their insured clients using file sharing platforms. Information governance frameworks and records management standards such as ISO15489-1:2016 are good reference points.
As for the file sharing platform providers and those in procurement who should be performing suitable due diligence, there must be significantly improved software development & support and better security controls with a zero-knowledge encryption scheme as a backstop. I would welcome a feature (enabled by default) that automatically deletes uploaded files after a defined time period.
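The deletion step proposed after point 5 above, and the default-on retention timer asked of vendors here, amount to a simple rule that can be enforced against whatever lingers in a transfer platform's upload area. The following is an added illustration, not code from the article or from any file transfer product; it assumes a hypothetical per-upload metadata record (path, size, upload time, delivery-confirmed flag) and a constructed sample inventory, and does not model any real platform's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import os

@dataclass
class Upload:
    # Assumed metadata layout, not any real platform's schema.
    path: str
    size_bytes: int
    uploaded_at: datetime      # timezone-aware
    delivered: bool            # recipient confirmed download (step 5)

def should_delete(u: Upload, now: datetime,
                  delivered_grace: timedelta = timedelta(hours=24),
                  max_retention: timedelta = timedelta(days=14)) -> bool:
    """Delete once delivery is confirmed and a short grace period has passed,
    or unconditionally once the hard retention limit is exceeded (the
    enabled-by-default timer, so undelivered files cannot sit there for years)."""
    age = now - u.uploaded_at
    if u.delivered and age >= delivered_grace:
        return True
    return age >= max_retention

def stale_report(uploads, now, **kw):
    """Measure the exposure: data lingering past its retention rule is exactly
    what would be harvested in a breach of the platform."""
    stale = [u for u in uploads if should_delete(u, now, **kw)]
    return {"stale_files": len(stale),
            "stale_bytes": sum(u.size_bytes for u in stale),
            "total_files": len(uploads)}

def purge(uploads, now, remover=os.remove, dry_run=True, **kw):
    """Apply the rule; returns the selected paths and only removes when dry_run is False."""
    selected = [u.path for u in uploads if should_delete(u, now, **kw)]
    if not dry_run:
        for p in selected:
            remover(p)
    return selected

# Constructed sample inventory for demonstration only.
NOW = datetime(2023, 7, 1, tzinfo=timezone.utc)
SAMPLE = [
    Upload("/transfers/payroll_june.csv", 48_000_000, NOW - timedelta(days=3), True),
    Upload("/transfers/q2_forecast.xlsx", 2_500_000, NOW - timedelta(hours=2), True),
    Upload("/transfers/onboarding.zip", 900_000_000, NOW - timedelta(days=40), False),
    Upload("/transfers/contract_draft.pdf", 300_000, NOW - timedelta(days=1), False),
]

if __name__ == "__main__":
    print(stale_report(SAMPLE, NOW))
    print("would delete:", purge(SAMPLE, NOW))
```

Run in dry-run mode first to size the stale-data problem; the report figures are what an auditor or underwriter would want to see shrink to zero.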
So, I hope that these incidents, and this article, have the desired effect and spur boardrooms around the world to begin to question why the most valuable data in their business, such as payroll data, sales and marketing intelligence, personal health and financial information, and much, much more, is just waiting to be harvested by cybercriminals for extortion for absolutely no good reason.
If you would like to discuss any of the issues addressed in this article or would like to find out more about STORM, you can reach us at: email@example.com.