9-2 Final Project Submission
School: Southern New Hampshire University
Course: 659
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 15
Uploaded by CountWildcatMaster7
9-2 FINAL PROJECT SUBMISSION
Information Technology Incident Report and Summary
IT 659
Cyberlaw and Ethics
Final Project Submission
Introduction
Application of Cyber Principles
What makes you feel unsafe? This is a question that our grandparents would have answered very differently. They might respond simply with leaving the front door unlocked at night or the back gate being left open. Our own response would be drastically different: with the rise and advancement of technological capabilities, data theft, hacking, and malware have become more prominent. Most people in the world have access to and use the Internet in some way, shape, or form. Back in 2020, “only 60% of the world’s population was online. Fast forward only one year, 93% of adults use the internet.” (Pew, 2021) The increase in cybercrimes like the ones identified above has affected the way the business, e-commerce, and e-communication industries operate.
There are certain cyberlaw and security principles that should be applied in all organizations that conduct business via the Internet. Cyberlaw plays a vital role in protecting information, whether it be sensitive company information or personal identifying information (PII). Not only do we need to ensure secure infrastructure in every industry that conducts business in a digital landscape, but the following principles also need to be applied to provide guidance on how an organization can take the necessary steps to protect its internal systems, and the data that flows through them, from any threats. The cyber principles that apply to all industries conducting business in the digital landscape are govern, protect, detect, and respond. To break these principles down further: govern, as a principle, introduces the ability to correctly identify and manage the risks that are present via an internal network infrastructure or the Internet. The protect principle entails introducing the proper security controls that reduce the possibility of security risks. Detect, as a principle, means that the proper detection mechanisms are in place to identify a cybersecurity incident. Lastly, respond as a
principle means that when a security breach does happen, the proper steps are taken to respond to and recover from the incident. Cyberlaw establishes the rules and guidelines that must be followed to combat the cyber threats present in today’s world and to promote trust and confidence in all online activities. The scope of cyberlaw covers cybercrime, data protection and privacy, intellectual property rights, and cyber governance and jurisdiction.
As we see advancements in technology, specifically the use of the Internet, it is critically important to understand the laws that are in place to reduce or prevent damage from criminal activities online. This can entail the protection of privacy, such as personal data, protection against unauthorized access to information, intellectual property (IP) rights, and freedom of speech. According to the Cybersecurity and Infrastructure Security Agency (CISA), one in three homes in the United States has a computer that is infected with malware, and an astounding 47% of American adults have had their personal information exposed to cyber criminals. (CISA, 2023) It is easy to protect an asset that you can physically see or touch. For example, every time we get out of our cars to walk into the store, we lock them (and if you’re anything like me, you click the lock button three times just to be on the safe side). But how do you protect against the theft of digital information? We are often quick to think about our personal information only when we are using it for something, and rarely think about where it is being stored or how it is transmitted between the organizations that use it. Cybercrimes pose a whole host of challenges for all industries because of the amount of digital information they hold. A single data breach can have repercussions that cause service disruption, reputational loss, and financial penalties. Armed with cyberlaw and security principles, industries can ensure that their information, along with their clients’ information, stays safe.
Summary of Case
One of the most impactful incidents to hit the digital landscape was the MOVEIt data breach. “MOVEit is a managed file transfer software product. MOVEit encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, as well as providing automation services, analytics and failover options.” (Page, 2023) This product was used as a SaaS solution by many different companies around the world, as it provided a reliable, secure, and compliant cloud-based service. However, on May 27th, 2023, this company went on record for having one of the largest hacks of not only 2023, but of recent history. An international hacking gang known as Clop was able to exploit a zero-day vulnerability (CVE-2023-35036) in MOVEit Transfer. This allowed Clop to “exploit an SQL injection vulnerability that allowed threat actors to escalate privileges and gain unauthorized access to customer environments.” (Page, 2023) So far, over 60 million individuals have been affected by this breach. Not only was the personal data of 60 million individuals leaked, but the victims also included huge organizations such as Shell Oil and Gas, the National Student Clearinghouse, Johns Hopkins University, and Ernst & Young, to name a few. This left many Social Security numbers, bank account and routing numbers, and names and addresses at the mercy of the hackers, who demanded a ransom for companies to buy the stolen data back.
Case Analysis
Ethical Issues
Zero-day vulnerabilities are exactly what their name suggests: vulnerabilities that, unfortunately, aren’t exposed until a company is breached. However, ensuring a good cybersecurity posture within a company can drastically reduce the threat landscape and reduce the likelihood of zero-day vulnerabilities being exploited within the organization. MOVEIt is a managed file transfer (MFT) solution that allows other
organizations to transfer files between business partners and customers using SFTP and HTTP-based uploads. In the case of the MOVEIt data breach of 2023, over 600 organizations worldwide had their sensitive data downloaded and exploited by threat actors (known as Clop).
As we refer to what happened in this case, it is important to understand that a zero-day vulnerability is defined as an unknown, undisclosed vulnerability within a system, application, or operating system. This means there is a gap during which no defense or patch has yet been released to combat the vulnerability. However, there are still ethical issues within MOVEIt that we can analyze that may have led to the incident.
The vulnerability that left millions of people’s data in the hands of the hackers (Clop) was ultimately identified as three SQL injection vulnerabilities (CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708) that led to escalated privileges and unauthorized access. These vulnerabilities had a severity rating of 9.8 out of 10. “The method used to compromise systems is to drop a webshell in the wwwroot folder of the MOVEIt install directory, this allows the attacker to obtain a list of all folders, files, and users within MOVEIt, download any file within MOVEIt, and insert an administrative backdoor user into, giving attackers an active session to allow credential bypass.” (Najarro, 2023) This allowed a backdoor to be installed in MOVEIt, through which the hackers were able to facilitate the data downloads.
This is where ethical issues can be seen within the organization that may have led to the incident. Analyzing how the hackers were able to extract so much data from within shows that a Zero-Trust architecture security model was not in place. Under such a model, least-privilege access is the default, and no system, user, or service is automatically trusted within a secure perimeter.
Authentication is continuously requested and verified. “Zero Trust architectures require continuous verification of identities and permissions. Any unusual behavior, such as attempts by apps to access resources not typically needed can trigger alarms and automatic protective responses.” (Outpost, 2023)
A second ethical issue within the organization is the weakness in MOVEIt’s code that was overlooked by the IT and development teams. Penetration testing is a very valuable tool that can uncover potential paths for exploitation. The type of SQL injection that Clop was able to find and exploit is exactly the type of SQL injection that an ethical hacker would have been able to uncover through a thorough pen test.
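To make concrete the class of flaw described above, and the kind of check a pen test or code review applies to it, the following is an added illustration written for this report; it is not MOVEIt’s code or schema, and the table, sample rows and function names are constructed for the example. It places a file-listing query built by string concatenation beside its parameterized form, and adds a regression check that reports whether an owner value carrying SQL syntax changes the result set.

```python
import sqlite3
from typing import Callable, List

# Constructed sample data standing in for a file-transfer service's "files"
# table. Illustrative only; not the real product's schema.
SAMPLE_FILES = [
    ("alice", "payroll_q3.xlsx"),
    ("alice", "contracts.pdf"),
    ("bob", "invoice_1001.pdf"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, "
        "name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO files (owner, name) VALUES (?, ?)", SAMPLE_FILES)
    conn.commit()
    return conn


def list_files_unsafe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """VULNERABLE: the caller-supplied owner is spliced into the SQL text, so a
    quote character in it is parsed as SQL instead of being treated as data."""
    sql = f"SELECT name FROM files WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """FIXED: the value is bound as a parameter; the driver never parses it as SQL."""
    sql = "SELECT name FROM files WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


Lookup = Callable[[sqlite3.Connection, str], List[str]]


def has_injection_flaw(lookup: Lookup, conn: sqlite3.Connection) -> bool:
    """Regression check of the kind a code review or pen test would run.

    A lookup for an owner that does not exist must return nothing, even when the
    value carries SQL syntax. If the result set changes, or the database raises
    an error, the input reached the SQL parser and the lookup is injectable."""
    baseline = lookup(conn, "nobody")
    try:
        probe = lookup(conn, "nobody' OR '1'='1")  # textbook tautology probe
    except sqlite3.Error:
        return True
    return probe != baseline


def main() -> None:
    conn = build_db()
    for label, fn in (("unsafe", list_files_unsafe), ("safe", list_files_safe)):
        print(f"{label}: alice -> {fn(conn, 'alice')}, "
              f"injectable={has_injection_flaw(fn, conn)}")


if __name__ == "__main__":
    main()
```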
These two identified ethical issues within MOVEIt’s business practices and infrastructure left a giant security hole that Clop was able to take advantage of. These two issues are credited with the incident because it was a small mistake, and small changes could have avoided the exploitation of sensitive information. Had a Zero-Trust architecture been implemented, the threat actors would not have had access to the information that they were able to remove from the organization. And had a simple penetration test been run by an ethical hacker, MOVEIt would have been able to remedy the weakness where Clop was able to get in.
Legal Compliance
Due to the nature of the service that MOVEIt provides to businesses, it is increasingly important to be compliant with certain laws and regulations. Legal compliance issues within the organization could have been the leading cause of the incident and could potentially lead to future incidents. To be compliant with the many regulations and laws that govern MOVEIt, there should have been internal controls and procedures in place that would have either prevented the SQL injection from happening or detected the unauthorized threat actors. Another huge miss for MOVEIt was that one of the core requirements for compliance
is the encryption of data not only in transit but at rest. The robust encryption standards imposed by laws and regulations would have rendered the stolen data useless to the attackers.
“Organizations must conduct regular audits and implement robust monitoring mechanisms to identify potential vulnerabilities, breaches, or suspicious activities. Auditing helps organizations maintain compliance by detecting and addressing security gaps before they can be exploited.” (Spencer, 2023) This has been a compliance requirement that has not changed in decades. Had the proper auditing of the organization (which also includes penetration testing) been conducted to comply with regulations, this SQL injection would have been patched before it could ever have been exploited.
Societal and Cultural Impact
Noting the compliance issues that were outlined, there was no targeting of specific demographic groups, victimization of certain customers, and so on. This was mainly a failure to comply with the laws and regulations that govern MOVEIt to ensure the safeguarding of all sensitive data. However, the breach itself impacted over 600 other organizations and 40 million people worldwide. These organizations were not specifically targeted; their data being leaked was simply the aftermath of careless mistakes in cybersecurity safeguards made on the part of MOVEIt. The type of information that was leaked was very sensitive, such as Social Security numbers, bank routing and account numbers, and addresses (just to name a few). The impact of this breach could extend for years before we see the real damage of this kind of information being leaked. Clop (the threat actors) demanded ransoms for all the information that was stolen, which some organizations paid and some did not. This could lead to the information of certain individuals being sold and exposed because of the compliance issues.
Incident Impact
Regulations
Often it takes the impact of an incident to lead to changes in laws and regulations. Although this data breach was the biggest of 2023, there have been no direct changes to legal IT regulations. On a more ethical level, this incident was a huge eye-opener for organizations in every industry when it comes to how sensitive information is handled, data retention, and third-party vendor management. For the 600 organizations that were victims of the MOVEIt data breach, these three topics have become a spearhead in considering how data is handled.
Standards
As technology grows, so do the threats in the digital landscape. In previous years, documents were transferred simply by mailing or delivering a piece of paper. However, advancements in technology have introduced new threats and the need for new ways to combat them. Industry standards have had to evolve over the years to keep up with emerging threats. Without acknowledging and adhering to industry standards and regulations, we see what can happen to companies like MOVEIt. Simply put, had MOVEIt aligned with industry standards and regulations, the incident could have been prevented. MOVEIt’s situation is particular because it is not limited to conducting business with just one type of industry. This data breach is essentially too fresh for laws and regulations to have changed yet because of it.
Frameworks such as those of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO 27001) outline regulations for safeguards that should be in place within an organization to prevent data leaks and cyber-attacks. That being said, it is important for all organizations, MOVEIt included, to follow these frameworks to ensure the proper controls are put in place. Some of these technical and
preventative controls include encryption at rest and in transit, annual security awareness training, and intrusion detection systems installed on endpoints. All of these are standards that every organization should be following.
Cultural Impact
Like any data breach that has ever happened in history, the MOVEIt breach caused severe financial and reputational damage. One of the most hard-hitting consequences of any data breach can be the money spent compensating the affected customers, investigating the breach, and paying legal fees. “Based on the number of confirmed individuals affected, the cost of the MOVEit incident stands at approximately $9,923,771,385. However, considering not all victims have reported the number of individuals impacted, the potential cost could escalate to around $65,440,204,950.” (Ernalbant, 2023) MOVEIt now faces many class action lawsuits because of the SQL injection vulnerability. These lawsuits allege that MOVEIt managed file transfer failed to identify a vulnerability that had been present in the software since at least 2021.
When an organization is exposed for carelessly not patching a vulnerability that could have been addressed two years before threat actors were able to take advantage of it, the organization will suffer reputational damage that can be devastating for a business. In the case of the MOVEIt data breach of 2023, the organization has seen a drastic reduction in customers. Of the 600 other organizations that were impacted by this vulnerability, most have started to explore other options for their file transfers. Individuals and organizations are starting to see the value and importance of protecting sensitive personal information and sensitive company information. This leaves users no choice but to take security more seriously. This data breach has changed the way not only companies but also individuals look at the
security of using a managed file transfer and how important it is to stay up to date in your internal infrastructure.
Recommendations
Organizational Changes
There is no such thing as one hundred percent security, and unfortunately it is not about if a company gets exploited, it is when a company gets exploited. Zero-day vulnerabilities are one of the most dangerous threats to the cybersecurity posture of an organization. This is exactly what happened with the MOVEIt breach of 2023. Relevant changes within the organization could have prevented the incident.
Both internal and external penetration testing are vitally important to any organization. They can expose weaknesses in an organization’s internal infrastructure or code that can then be fixed before a threat actor is able to exploit them and take advantage of the open door. Penetration testing can pick out open backdoors or misconfigurations by essentially exploiting them first. Had internal and external penetration testing been conducted, the SQL injection zero-day vulnerability exploited in this case would most likely have been mitigated long before the breach occurred.
Ensuring that the proper network monitoring tools, such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), are in place helps to monitor network environments. These systems can often determine whether there is abnormal behavior in network patterns, in turn exposing whether a threat actor is intruding on your network. Had MOVEIt had the proper systems in place to monitor network behavior, the threat actor could have been exposed long before any sensitive company and personal information was.
Ethical Guidelines
Practicing ethical guidelines could have helped prevent this incident as well as any future incidents. Cybersecurity standards help to mitigate the risk of exposure of the sensitive information that flows through an organization’s network. Penetration testing is a basic level of cybersecurity, as it tests every backdoor a threat actor could use to expose an organization’s data. Had MOVEIt been following the System and Organization Controls (SOC) framework, penetration testing would have been completed annually, at a minimum.
The ethical standards and guidelines that could have helped MOVEIt prevent the breach also extend to having the proper technical controls in place to monitor abnormal network behavior. As stated above, monitoring the network would have set off alarms that there were threat actors inside the internal network. This guideline, too, was set forth by a framework that we see was not in place.
Of everything stated, these regulations and frameworks were already in place at the time of the MOVEIt data breach. This breach happened earlier this year (2023), and the governing regulations have not changed since then. This breach was simply the result of a failure to adhere to, and to set forth, the governing laws, regulations, and frameworks in place to protect data.
Global Considerations
International Compliance
The impacts of the MOVEIt breach of 2023 were felt all over the world. The 600 companies and almost 40 million individuals affected were not limited to the United States but were spread globally. The threat actors known as CLOP are known as an international hacker group. International compliance standards, both at the time of the incident and today, are relevant to the incident because MOVEIt is a globally distributed Managed File Transfer (MFT) service, which heightens the need for advanced compliance standards. Due to the nature of the services provided, the way that data is managed and protected is defined by compliance standards such as the General Data Protection Regulation (GDPR), Service Organization Controls (SOC 1 and SOC 2), the Health Insurance Portability and Accountability Act (HIPAA), and International Organization for Standardization 27001 (ISO 27001). All of these international compliance standards are relevant to the incident, as they all outline the proper ways to protect information, with emphasis on the changes outlined above that should already have been followed by MOVEIt to prevent the incident.
Cultural Impacts
The impact of the incident reached all around the world. The way organizations view the Managed File Transfer (MFT) providers they have selected to send sensitive documents has been in the spotlight since this breach. Many companies have stopped using MOVEIt and considered other companies with more ethical, standardized security controls in place to prevent their information from being exploited again. The ripples of this breach have caused organizations to take cybersecurity more seriously, as we were able to see how the breach of a single organization (MOVEIt) can affect hundreds of other organizations and millions of individuals.
Global Technology Environment
Based on my research and analysis of this case, there was no direct impact on the global legal and regulatory standards that govern this type of organization. The laws, regulations, standards, and frameworks were already in place long before this case. It was simply a lack of compliance with them that caused this breach. However, there is a direct relationship between this case and how seriously organizations have started to take the security controls of their third-party vendors.
Summary
Through the application of the cyberlaw principles and legal compliance standards outlined in this case analysis, the MOVEIt breach would never have happened. Simply put, there was a lack of consideration for alignment with the frameworks set forth to ensure the proper safeguarding of sensitive data. Penetration testing (which is identified in the ISO 27001 framework and a SOC 2 Type 2 report), had it been performed, would have exposed the weakness in the code before it could be exploited. Running Intrusion Detection and Intrusion Prevention Systems internally on the network would have notified IT security staff that there was an attacker inside exfiltrating data before CLOP was able to expose so many people. The principles and compliance standards are not of great magnitude to enforce but have a huge impact when an attack occurs.
Citations
Ernalbant, Yağmur. “Top 10 Facts about Moveit Breach.” SOCRadar® Cyber Intelligence Inc., 14 Sept. 2023, socradar.io/top-10-facts-about-moveit-breach/.
“Internet Fact Sheet.” Pew Research Center: Internet, Science & Tech, Pew Research Center, 7 Apr. 2021, www.pewresearch.org/internet/fact-sheet/internet-broadband/.
Najarro, Kenny. “Moveit Hack: The Ransomware Attacks Explained.” Kolide, www.kolide.com/blog/moveit-hack-the-ransomware-attacks-explained. Accessed 13 Oct. 2023.
Outpost24. “The MOVEIT Hack and What It Taught Us about Application Security.” BleepingComputer, BleepingComputer, 22 Aug. 2023, www.bleepingcomputer.com/news/security/the-moveit-hack-and-what-it-taught-us-about-application-security/.
Page, Carly. “Moveit, the Biggest Hack of the Year, by the Numbers.” TechCrunch, 25 Aug. 2023, techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers/.
Spencer, Patrick. “10 Best Secure File Transfer Practices for Regulatory Compliance.” Kiteworks, 20 Sept. 2023, www.kiteworks.com/secure-file-transfer/secure-file-transfer-ten-best-secure-file-transfer-practices-regulatory-compliance/.
“The Facts: CISA.” Cybersecurity and Infrastructure Security Agency CISA, www.cisa.gov/be-cyber-smart/facts. Accessed 29 Sept. 2023.