7-2 Milestone Three
School: Southern New Hampshire University
Subject: Information Systems
Date: Dec 6, 2023
Hanah Deering
IT 659 | Cyberlaw and Ethics
7-2 FINAL PROJECT MILESTONE THREE
Recommendations and Global Considerations
Recommendations
Organizational Changes
There is no such thing as one hundred percent security, and unfortunately it is not a question of if a company gets exploited, but when. Zero-day vulnerabilities are among the most dangerous threats to the cybersecurity posture of an organization, and that is exactly what happened in the MOVEit breach of 2023. Relevant changes within the organization could have prevented the incident.
Both internal and external penetration testing is vitally important to any organization. It can expose weaknesses in an organization's internal infrastructure or code so that they are caught before a threat actor is able to exploit them and take advantage of the open door. Penetration testing picks out open backdoors and misconfigurations by essentially exploiting them first. Had external and internal penetration testing been performed, the SQL injection zero-day vulnerability exploited in this case would most likely have been mitigated long before the breach occurred. Ensuring that the proper network monitoring tools, such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), are in place helps to monitor network environments. These systems can often detect abnormal behavior in network traffic patterns, in turn exposing whether a threat actor is inside the network. Had MOVEit had the proper systems in place to monitor network behavior, the threat actor could have been exposed long before any sensitive company and personal information was exposed.
Ethical Guidelines
Practicing ethical guidelines could have helped prevent this incident as well as future incidents. Cybersecurity standards help to mitigate the risk of exposing the sensitive information that flows through an organization's network. Penetration testing is a basic level of cybersecurity, as it tests every backdoor a threat actor could use to expose an organization's data. Had MOVEit been following the System and Organization Controls (SOC) framework, penetration testing would have been completed annually at a minimum. The ethical standards and guidelines of MOVEit that could have helped prevent the breach also extend to having the proper technical controls in place to monitor abnormal network behavior. As stated above, monitoring the network would have raised alarms that threat actors were inside the internal network. This guideline, too, was set forth by a framework that we can see was not in place. Notably, these regulations and frameworks were already in place at the time of the MOVEit data breach. The breach happened earlier this year (2023), and the governing regulations have not changed since then. This breach was simply the result of a failure to adhere to and put into practice the governing laws, regulations, and frameworks that exist to protect data.
Global Considerations
International Compliance
The impacts of the MOVEit breach of 2023 were felt all over the world. The 600 companies and almost 40 million individuals affected were not limited to the United States but spread globally. The threat
actors, known as CLOP, were an international hacker group. International compliance standards, both at the time of the incident and today, are relevant to the incident because MOVEit is a globally distributed Managed File Transfer (MFT) service, which heightens the need for advanced compliance standards. Due to the nature of the services provided, the way that data is managed and protected is defined by compliance standards such as the General Data Protection Regulation (GDPR), Service Organization Controls (SOC 1 and SOC 2), the Health Insurance Portability and Accountability Act (HIPAA), and International Organization for Standardization 27001 (ISO 27001). All of these international compliance standards are relevant to the incident, as they all outline the proper ways to protect information, with emphasis on the changes outlined above that MOVEit should already have been following to prevent the incident.
Cultural Impacts
The impact of the incident reached around the world. The way organizations view the Managed File Transfer (MFT) providers they have selected to send sensitive documents has been in the spotlight since this breach. Many companies have stopped using MOVEit and considered other vendors with more ethical, standardized security controls in place to prevent their information from being exploited again. The ripples of this breach have caused organizations to take cybersecurity more seriously, as we were able to see how the breach of a single organization (MOVEit) can affect hundreds of other organizations and millions of individuals.
Global Technology Environment
Based on my research and analysis of this case, there was no direct impact on the global legal and regulatory standards that govern this type of organization. The laws, regulations, standards, and frameworks were already in place long before this case; it was simply a lack of compliance with them that caused this breach. However, there is a direct relationship between this case and how seriously organizations began to take the security controls of their third-party vendors.