MOVEit Vulnerability: How to Mitigate Risk from Impacted Vendors
On May 31, 2023, Progress Software disclosed a vulnerability that enables unauthenticated actors to access its MOVEit® Transfer database and execute SQL statements to alter or delete information. MOVEit Transfer is managed file transfer software that is part of the Progress MOVEit cloud platform, used to consolidate all file transfer activities into one system.
Since the disclosure, the Clop cybercriminal gang has exploited the vulnerability to target a wide range of organizations across multiple industries and geographies, including HR software provider Zellis, the BBC, the government of Nova Scotia, and many others. Although Progress Software has patched the vulnerability, Clop continues to reveal new victims.
As with the SolarWinds, Kaseya, LastPass, and similar Accellion attacks, it’s critical that third-party risk management professionals understand which of their vendors could be exposed to the MOVEit vulnerability, in order to reduce the likelihood and severity of an attack on their own IT infrastructure or exposure of their data.
In this post, we recommend eight questions to ask your third-party vendors to determine their usage of MOVEit and understand their response to any related security incidents. We also share three best practices to better automate your organization’s third-party incident response.
3 Best Practices for Mitigating Risks from MOVEit and Other Third-Party Breaches
Although it is not possible to eliminate all risk from every vendor relationship, your third-party risk management program can deliver the visibility and automation necessary to proactively find and mitigate the risks that can disrupt your business. Start with these three steps:
1. Identify vendors that could be using the impacted technology
Knowing which vendors use an impacted technology requires knowing who your vendors are in the first place – and that means building a centralized vendor inventory. You can’t accomplish this by using spreadsheets, or by delegating vendor management to line-of-business teams. It has to be done centrally in a system accessible by everyone involved in your vendor management initiatives. Your central system of record should allow imports of vendor profile data from any existing spreadsheets or via an API connection to your current procurement solution.
Once you have centralized all your vendors, use vendor questionnaires supported by passive scanning capabilities to help you identify fourth-party technology relationships. In this particular case, this exercise would reveal which vendors use MOVEit. Collecting information about fourth-party technologies deployed in your vendor ecosystem helps to identify organizations using the impacted technology, so you can prioritize which of your vendors require further assessments.
2. Issue event-specific risk assessments
Once you have identified vendors with the impacted technology deployed in their environments, engage them with simple, targeted assessments that align with known security standards and best practices such as NIST 800-161 and ISO 27036. Results from these assessments will help you target the remediations necessary to close potential security gaps. Good assessment solutions will provide built-in recommendations to speed remediation and quickly close those gaps.
Start your event-specific assessment based on the eight questions in the section above, weighting answers according to your organization’s risk tolerance. Please note: These are basic questions meant to expose some initial information. Your organization may choose to ask different or additional questions.
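Steps 1 and 2 together describe a triage workflow: filter the central inventory for vendors whose fourth-party technologies include MOVEit Transfer, then rank them by a weighted event-specific assessment. The following is an added example (not Prevalent's or Mitratech's code); the vendor records, question set, weights and tolerance are all constructed assumptions, and the questions are illustrative rather than the post's eight. An unanswered question is scored as the worst case, since silence is not evidence of a control.

```python
# Added example, not code from the original post: MOVEit exposure triage.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IMPACTED_TECH = "MOVEit Transfer"

# Constructed illustrative questions: key -> (text, weight, safe answer).
# A higher weight means a risky or missing answer raises exposure more.
QUESTIONS = {
    "patched": ("Is the vendor patch applied to every MOVEit Transfer instance?", 5, "yes"),
    "logs_reviewed": ("Were MOVEit Transfer logs reviewed for unauthorized access?", 3, "yes"),
    "our_data": ("Was our data stored on or transferred through MOVEit Transfer?", 4, "no"),
    "will_notify": ("Will you notify us of confirmed incidents within the agreed SLA?", 2, "yes"),
}

@dataclass
class Vendor:
    name: str
    technologies: Set[str]                      # fourth-party technologies on file
    answers: Dict[str, str] = field(default_factory=dict)  # "yes"/"no"; missing = unknown

def uses_impacted_tech(vendor: Vendor) -> bool:
    """Step 1: does the central inventory show the impacted technology?"""
    return IMPACTED_TECH in vendor.technologies

def exposure_score(vendor: Vendor) -> int:
    """Step 2: sum the weights of every question whose answer is not the safe one.
    A missing answer is treated as unsafe so it never lowers a vendor's priority."""
    score = 0
    for key, (_text, weight, safe) in QUESTIONS.items():
        if vendor.answers.get(key, "unknown").lower() != safe:
            score += weight
    return score

def prioritize(vendors: List[Vendor], tolerance: int) -> List[Tuple[str, int]]:
    """Vendors using the impacted tech whose score exceeds the organization's
    risk tolerance, highest exposure first (name breaks ties)."""
    ranked = [(v.name, exposure_score(v)) for v in vendors if uses_impacted_tech(v)]
    return sorted((r for r in ranked if r[1] > tolerance), key=lambda r: (-r[1], r[0]))

# Constructed inventory; vendor names are fictional.
INVENTORY = [
    Vendor("PayrollCo", {"MOVEit Transfer", "Workday"},
           {"patched": "yes", "logs_reviewed": "yes", "our_data": "yes", "will_notify": "yes"}),
    Vendor("CloudPrint", {"MOVEit Transfer"}, {"patched": "no", "our_data": "yes"}),
    Vendor("CaterInc", {"Slack"}, {}),
]

if __name__ == "__main__":
    for name, score in prioritize(INVENTORY, tolerance=3):
        print(f"{name}: exposure {score}")
```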
3. Continuously monitor impacted vendors
It’s important to remain continuously vigilant, not only for risks stemming from the MOVEit attack, but also for those coming from the next one. Start by continuously monitoring the Internet and dark web to reveal listings of stolen credentials for sale and other signals of an impending security incident.
Your monitoring efforts should cover criminal forums, onion pages, dark web special-access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, vulnerability and hack/breach databases, and negative news.
You can monitor multiple individual sources – or you can use a solution that unifies insights from multiple sources, centralizes all risk data, and makes it visible to key stakeholders. The latter approach enables you to correlate the results of continuous monitoring with risk assessment answers to validate whether vendors actually have the controls they claim in place.
Next Steps: Activate Your Third-Party Incident Response Program
If a cybersecurity incident occurred in your vendor ecosystem, would you be able to quickly understand its implications and activate an incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential vendor problems. A programmatic third-party incident response plan should include:
- A centrally managed database of vendors and the technologies they rely on
- Pre-built business resilience, continuity and security assessments to gauge the likelihood and impact of an incident
- Scoring and weighting to help focus on the most important risks
- Built-in recommendations to remediate potential vulnerabilities
- Stakeholder-specific reporting to answer the inevitable board request
For more on how Prevalent can help your organization accelerate its discovery and mitigation of third-party risks, request a demo today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, the AI-enabled third-party risk management provider. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.