Emerging technologies in the IT landscape have made risk management an indispensable aspect of modern organizations. 随着数字革命有增无减,网络风险的幽灵比以往任何时候都更大. A prime example that epitomizes the threats faced in an increasingly interconnected world is the recent global hacking campaign1 目标是MOVEit Transfer,一个广泛使用的文件传输软件.
MOVEit Transfer is a popular tool among organizations to whom the secure transfer of sensitive information is paramount. 该软件通常用于共享敏感数据, 包括银行贷款申请的财务记录. 然而,MOVEit Transfer最近成为了广泛的全球黑客活动的焦点. 美国能源部(DOE)和其他几个美国联邦机构都是受害者. 2个能源部实体的数据遭到泄露:橡树岭联合大学(田纳西州), 美国)和废物隔离试验工厂(WIPP)(卡尔斯巴德, 新墨西哥, 美国), 处置与国防有关的核废料的设施. 英国能源巨头壳牌, 佐治亚大学系统(亚特兰大, 乔治亚州, 美国)和约翰霍普金斯大学(巴尔的摩), 马里兰, 美国) were also among the entities whose systems were infiltrated through the MOVEit Transfer software. 与俄罗斯有关联的勒索组织Cl0p声称对此次黑客攻击负责.2 It exploited a security flaw in the MOVEit Transfer software that was discovered only a month earlier by Progress Software, MOVEit Transfer的制造商.
MOVEit Transfer事件鲜明地提醒了人们IT风险的多面性. 它强调了管理各种It风险来源的重要性, 包括安全漏洞和数据泄露, 理解法规遵从性.
安全漏洞
黑客活动利用了MOVEit Transfer软件的一个已知漏洞. This illustrates the importance of identifying and patching software vulnerabilities as a key aspect of IT risk management. Unpatched software is essentially an open door that cybercriminals can use to enter an organization's network. 持续监控和及时修补应该是关闭任何安全漏洞的首要任务.
Unpatched software is essentially an open door that cybercriminals can use to enter an organization's network.
数据泄露
这次泄密事件影响深远. 对于像DOE这样的实体, 负责管理美国核基础设施和能源政策的机构, 和壳牌, 哪个国家拥有全球能源利益, 与数据泄露相关的风险是巨大的. 数据泄露可能导致敏感信息的丢失, 这可能会影响澳门赌场官方下载的竞争地位甚至国家安全. 保护敏感信息的重要性不容低估. 使用加密, network segmentation and monitoring access to sensitive information are key strategies for mitigating this risk.
法规遵从性
涉及MOVEit Transfer违规的实体也面临监管合规风险. 不遵守数据保护法可能会导致严厉的处罚和声誉损害. 因此, organizations should ensure that they have a thorough understanding of the legal and regulatory requirements applicable to their industries and that they are in compliance with such standards.
降低IT风险的策略
处理IT风险的复杂性和严重性, 组织必须采用多管齐下的方法进行IT风险管理. 这应该包括定期进行IT风险评估,以识别和评估风险. Standards such as the International Organization for Standardization (ISO) standard ISO 27001 may also be used to standardize and guide organizational cybersecurity efforts.
处理IT风险的复杂性和严重性, 组织必须采用多管齐下的方法进行IT风险管理.
以下IT风险领域绝不是控制的详尽列表, 而是, 常见的缺口是否需要特别注意.
第三方风险管理
定期评估第三方供应商的安全状况是至关重要的. 在MOVEit的案例中,第三方软件成为了漏洞的门户. 执行严格的供应商评估和监控供应商是必不可少的.
供应商安全评估
Conduct comprehensive security assessments of vendors to evaluate their security practices and ensure that they align with organizational standards.
合同协议
在与供应商签订的合同中加入安全条款, 确保他们有义务遵守安全最佳实践.
持续的监控
Maintain ongoing monitoring of third-party vendors to observe any security incidents or changes in their security postures.
云安全
如果使用云服务, enterprises should ensure that the shared responsibility model is understood and utilized and that cloud configurations are secure. 定期监视和审计云环境非常重要.
理解共同责任模型
The shared responsibility model delineates the security obligations of a cloud service provider and the user. 提供商负责云的安全性, 而用户对云中的安全负责. 用户必须保护他们的数据、应用程序和凭证.
云配置管理
Periodically review and manage cloud configurations to ensure that security settings align with best practices.
访问控制
Implement strict access controls to cloud environments to minimize the risk of unauthorized access.
持续漏洞管理
Organizations are advised to employ continuous monitoring for vulnerabilities and apply patches and updates promptly. 这不仅仅是关于识别漏洞, 但也要及时缓解, 这有助于减少黑客的机会之窗.
定期扫描
定期扫描系统和应用程序的漏洞.
补丁管理
为系统和应用程序部署补丁和更新创建系统方法.
风险评估
Assess the risk associated with identified vulnerabilities and prioritize patches based on risk levels.
数据加密和安全传输
敏感数据应该加密,无论是静态数据还是传输数据. 除了, 采用安全的文件传输协议,确保在数据被截获的情况下, 信息是安全的.
加密算法
使用强大的加密算法保护敏感数据.
密钥管理
妥善管理加密密钥,确保只有经过授权的个人才能解密数据.
安全传输协议
Use secure transfer protocols such as Secure File Transfer Protocol (SFTP) or Hypertext Transfer Protocol Secure (HTTPS) for transmitting sensitive data.
频繁的备份
数据应该定期备份,组织必须确认这样的备份是安全的. This ensures that data can be restored from a secure source in the event of data loss through a cyberincident.
备份计划
建立定期备份计划,确保数据的一致性备份.
备份加密
加密备份以增加额外的安全层.
备份测试
经常测试备份,以确保数据可以有效地恢复.
员工培训和意识
员工往往是安全保障中最薄弱的环节. Conducting training and awareness programs regularly can ensure that staff recognize the signs of a breach or phishing attempt and know how to respond.
安全意识计划
Implement security awareness programs that educate employees on the latest cyberthreats and best practices.
网络钓鱼模拟
进行网络钓鱼模拟,测试员工识别网络钓鱼企图的能力.
明确的报告程序
建立明确的程序报告可疑的安全事件.
事件应变计划
一个精心制定的事件响应计划是不容置疑的. This ensures that the organization can quickly and effectively respond to an incident and mitigate damage.
事件应变小组
建立一个专门的事件响应小组,负责处理安全事件.
反应过程
针对不同类型的事故制定详细的应对程序.
定期演练
组织应该定期进行涉及IT部门的事件响应演练, cybersecurity team and other relevant units to ensure comprehensive preparedness for any security incidents.
法律法规遵从性
组织必须确保他们符合所有适用的法律法规. 这包括理解和遵守数据保护法规.
理解规定
澳门赌场官方下载s must be able to comprehend the legal and regulatory requirements relevant to their industries and locations.
数据保护政策
Develop and implement data protection policies that comply with regulations such as the EU General Data Protection Regulation (GDPR) or the US Health Insurance Portability and Accountability Act (HIPAA).
定期审计
定期进行审计以确保符合法律法规要求.
结论
The MOVEit Transfer incident offers a valuable lesson in the importance and complexity of IT risk management. Through the lens of this event, it becomes clear that organizations must be vigilant and proactive. 采用多方面的方法,包括持续监测, 员工培训, 遵守法规, 和协作, 组织可以在IT风险的危险水域中航行. 在数据是新石油的时代,确保数据的安全至关重要. 正如美国教授、计算机科学研究员吉恩·斯帕福德所说,唯一真正安全的系统是关闭电源,铸造成 一堆混凝土,密封在一间有武装警卫的铅衬房间里.”3
在现实中,系统必须是活跃的. 关键是要确保它们尽可能安全. IT风险不仅仅是一个IT问题——它是一个业务关键优先级. Today’s leaders must foster a culture of cybersecurity awareness and ensure that robust systems and protocols are in place. 当我们在这个数字时代锐意进取时, let us do so with the wisdom and lessons gleaned from past incidents and the resolve to build a more secure future.
尾注
1 机构、G.S.; “美国能源部和其他机构遭到黑客攻击,” 《澳门赌场官方软件》 2023年6月16日
2 网络安全和基础设施安全局(CISA),”CISA和FBI发布CL0P勒索软件团伙利用MOVEit漏洞的公告,美国,2023年6月7日
3 普渡大学.edu。”可引用的Spaf, 2022年8月4日
迈克·布特维尔, CISA, CGEIT, CISSP, ISO 27001 SLI/SLA, ISO 27031 SLCM, ISO 38500 SLITCGM
是在该领域拥有超过15年经验的资深网络安全专业人员吗. 他曾在思科、AT等领先组织担任重要职务&T, IBM, Kyndryl, First Data和Euroclear. Boutwell’s expertise spans from IT risk management to executive leadership and he has been instrumental in securing assets worth over US$1 quadrillion and delivering projects valued over US$100 million. 作为自己的网络安全咨询公司的创始人, 他的任务是引导200人,000个人的第一份信息安全工作. He has developed a career accelerator program to assist aspiring professionals in landing their first cybersecurity roles. 另外, 鲍特维尔是早期软件即服务(SaaS)初创公司的顾问, 帮助他们改进安全策略. He has authored publications including "The Ransomware Handbook" and "Profit-Driven 网络安全.他对这一领域的贡献得到了美国艺术学会(AT)等奖项的认可&T连接奖. 想要进一步了解和联系Boutwell,请访问他的个人网站 http://www.mikeboutwell.com 或者他 LinkedIn的资料 at http://www.linkedin.com/in/mikeboutwell.
