Strange But True: Horror Stories of Cybersecurity- Episode 4: They're Baaaaack

They’re Back

Just when you thought we had heard the last of the MOVEit SQL injection vulnerability, on July 7th Progress Software revealed one new Critical and two High severity vulnerabilities.

Latest MOVEit Bug Is Another Critical SQL Injection Flaw (databreachtoday.com)

This is now the third time since the initial discovery on May 27th of this year that follow-on vulnerabilities have been found. The latest is tracked as CVE-2023-36934 and carries a CVSS score of 9.8. It allows remote Threat Actors (TAs) to bypass authentication on affected systems and execute arbitrary code.

“Progress Software first reported the MOVEit [sic] vulnerability and released an initial patch for the zero-day flaw on May 31. Two weeks later, the company discovered an SQL injection flaw in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.

The latest vulnerability shares commonalities with the first flaw, CVE-2023-34362, which has been actively exploited over the past month by the Cl0p ransomware group to exfiltrate data from hundreds of victim organizations for extortion.

Progress Software also revealed details of a high-severity, denial-of-service bug tracked as CVE-2023-36933 in its MOVEit Transfer application. The vulnerability allows attackers to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly and enter a DoS condition.”

The Plot Thickens

Progress Software is being sued by breach victims not only for failing to perform adequate security testing, but also for failing to monitor and implement proper data security practices. The lawsuits allege that had industry standards and best practices been followed, the vulnerability could have been identified and patched much sooner.

As if things could not get any worse for Progress Software, customers are starting to both file and receive lawsuits. As of July 11, 2023, Johns Hopkins University is facing two separate federal class action lawsuits as a result of the exploitation of MOVEit, which led to the exposure of patient and student personally identifiable information (PII) and Electronic Personal Healthcare Information (ePHI). Even though the flaws in the code are the responsibility of the vendor, the lawsuits allege that "The data breach occurred as a direct result of defendants' failure to implement and follow basic security procedures in order to protect its customers' PII", and that they failed to perform their statutory duty to protect patient data under HIPAA.

Only a Voorhees can kill a Voorhees

So unlike the inability to legitimately kill Michael Myers or Jason Voorhees, there are multiple things that can be done from a cybersecurity perspective to protect you and your organization. By learning three critical lessons from this incident, your organization can bolster its security posture and hopefully not face the same horrors that Progress Software is facing.

Security is non-negotiable

The days of cybersecurity being an afterthought are long gone (or at least they should be). If you or anyone in your organization still feels this way, then I recommend showing them this and any one of the thousands of other articles that illustrate just how bad things can get when an incident occurs as a result of underinvesting in security.

If you suffer an incident and subsequently find yourself embroiled in litigation, you will be called on to produce something called a defensive position of reasonableness. It basically means that you have taken all reasonable (intentionally ambiguous) measures to secure your computing assets or applications. No opposing expert, judge or jury is going to regard "Let's just roll the dice and see what happens" or "Cybersecurity is a waste of time and money, we'll just pay the fines" as reasonable.

I am not a lawyer and cannot give legal advice, so consult your counsel on this. I AM however an expert witness and have argued for opposing counsel in cases involving cyber negligence. A position like this would make my job super easy.

Testing Testing 123

Test, test, and test some more. Penetration testing, application security testing and threat simulations, oh my! Secure code review tools like Crucible or Veracode are helpful but should not be relied on in isolation. The adversary is a resourceful human being, so testing should likewise include humans. At some point, AI will make this process a bit easier, but it should never fully replace human creativity and ingenuity.

ALSO, know that while there may be requirements for testing frequency, there is no reason you cannot test more often than the recommendations. Any GRC regime or legislation that lists security testing as an annual or bi-annual requirement will not penalize you for testing monthly or quarterly. The TAs will not restrict their activities to once or twice a year, so why should you?

Be Prepared for the worst

It’s a foregone conclusion in today’s operating environment that your organization will be the victim of some sort of cybersecurity event. It’s simply not feasible to think that you are going to fly under the radar of TAs forever, so it’s in your best interest to be prepared for the worst. This means getting a Digital Forensics and Incident Response (DFIR) team on retainer, conducting attack simulation exercises and engaging in tabletop exercises at multiple levels, including the C-Suite. In the Army we had a saying, “You fight like you train, so train like you fight”. This concept is absolutely applicable to the cybersecurity world. If you want to respond well to an incident, you have to train to respond well to incidents. There is no switch to flip that will suddenly make your response capabilities magically awesome. If you are not actively preparing, you will think and look unprepared, and it will be blatantly obvious to everyone around you.

The Finale

Unlike the repeated failure to vanquish a maniacal serial killer, your cybersecurity posture can be improved, and you can be ready to handle an incident with clarity, confidence and resolve. I can tell you from experience that the teams I have worked with that have taken their security posture and response capabilities seriously have quickly (and I mean quickly, within just a few days) triaged the situation, deployed the proper assets, contained the incident, and restored services, resulting in a marginal impact to the business. Those that were not ready... well... you can continue to read article after article, day after day, that will show you the kind of failure you’re setting yourself up for. Please don’t do that. Call CyberCX. We can help.