Higher Education One Year After MOVEit: Lessons Learned and Evolving Vendor Risk Management

One year ago, a critical zero-day vulnerability (CVE-2023-34362) in MOVEit, a popular managed file transfer (MFT) solution, sent shockwaves through the Higher Education (HE) community. Exploited by the Cl0p ransomware gang, this vulnerability allowed attackers to inject SQL commands and access MOVEit customer databases, potentially leading to significant data breaches. It opened up the discussion about vendor risk management. 

This incident served as a stark reminder for HE institutions: the supply chain can be a major attack vector. Traditional vendor reviews, while valuable, may not always identify all security risks. This article explores the MOVEit vulnerability, its impact on HE, and the evolving landscape of vendor risk management.

The MOVEit Vulnerability and Its Impact

The MOVEit vulnerability affected all versions, both on-premises and cloud-based. This broad reach made it especially concerning for higher education institutions relying on MOVEit for secure file transfer. The number of class action lawsuits keeps climbing, as do the costs associated with recovering from the breach, according to a recent article by Cybersecurity Dive.

It is no coincidence that the FortifyData platform helps higher education institutions automate cyber threat assessments, contextualize risks for prioritization, and evaluate vendor cyber risks to make cybersecurity risk.

In fact, we made a webinar to show how this works. You can check it below!

EDUCAUSE Demo Day: Cybersecurity Tools

Back to the subject of the vulnerability: the exploit allowed attackers to steal sensitive data, potentially compromising student records, financial information, and research data. Even the National Student Clearinghouse communicated with the universities and students that were impacted.

Limitations of Traditional Vendor Reviews

The Higher Education Community Vendor Assessment Toolkit (HECVAT) is an industry-specific vendor review questionnaire. However, the MOVEit case demonstrates that questionnaires alone might not be sufficient. Answers to HECVAT questions may not always reveal underlying security weaknesses.

As reported on InsideHigherEd, with some additional updates worth reading, “cybersecurity spending is increasing at Universities and Colleges, but it may not be enough”.

Evolving Vendor Risk Management Strategies

In response to the MOVEit incident, HE institutions, along with organizations across industries, are implementing more comprehensive vendor risk management strategies. These strategies go beyond questionnaires and include:

    • Periodic Attack Surface Assessments: Regularly assessing your attack surface, including vendor-provided software, helps identify and address security vulnerabilities.

    • Code Reviews: Code reviews of vendor software can uncover potential security flaws that might not be readily apparent.

    • Third-Party Risk Management Programs: Developing a robust third-party risk management program that goes beyond questionnaires provides a more holistic assessment of vendor security posture.

Could Software Bills of Materials (SBOMs) help with vendor risk management?

Requesting SBOMs from vendors provides a detailed inventory of the software components used in their products. This transparency helps assess potential risks associated with open-source dependencies and other components. 

However, there is a lack of education at some vendor organizations as to what an SBOM is and how they could accurately account for the inventory of the various pieces of code in order to continually provide a reliable SBOM.

What Our Customers Have Done

FortifyData’s customers have increased their vigilance over both their external attack surface and their internal risk assessments, to continuously provide visibility into the various technology connections within the network and those that communicate outside of it.

Additionally, extra scrutiny of third-party relationships, or a third-party risk management program that goes beyond a questionnaire, is starting to happen. Last June, the GLBA Safeguards Rule was expanded to include higher education institutions, and one of its requirements is the continuous evaluation of vendors and third parties (314.4 Safeguards Rule). Depending on how MOVEit was implemented, it could have been detected as an external finding, an internal finding, or a connected third-party software to their cloud service.

The Importance of Vendor Risk Management

The widespread adoption of MOVEit, partly due to its PCI compliance, highlights the importance of looking beyond surface-level qualifications. Institutions should conduct thorough security assessments throughout the vendor selection process. 

Furthermore, it is very important that cybersecurity is in accordance with the institution’s compliance requirements.

If you want to know more about the subject, we recommend the material below!

Lessons Learned and Moving Forward

The MOVEit incident underscores the need for:

    • Accurate Vendor Inventories: Higher Education institutions need a comprehensive inventory of their vendors and the data each vendor has access to. This facilitates rapid response and isolation in case of vulnerabilities.

    • Nth-Party Risk Awareness: Understanding the interconnectedness of vendors and service providers is crucial. Knowing how many other institutions use the same vendor helps facilitate information sharing and collective action during security incidents.
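As an added illustration (not FortifyData's code or the page's own) of how the SBOM request discussed earlier and the accurate vendor inventory above fit together: a constructed vendor list, constructed CycloneDX-style SBOMs and a constructed advisory are cross-checked to answer which vendors bundle an affected component and what data those products can reach. All vendor names, component names and versions are made up.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not real vendors): which product each vendor runs for
# the institution and which classes of data that product can access.
VENDOR_INVENTORY = {
    "Registrar SaaS Inc.": {"product": "enroll-portal", "data": ["student records", "financial aid"]},
    "Campus Print Co.": {"product": "print-queue", "data": ["directory listings"]},
    "Research Cloud Ltd.": {"product": "lab-share", "data": ["research data"]},
    "Dining Vendor LLC": {"product": "meal-plan", "data": ["payment card data"]},
}
# Constructed, minimal CycloneDX-style SBOMs, keyed by product. "meal-plan" has none on file.
SBOMS = {
    "enroll-portal": {"bomFormat": "CycloneDX", "components": [
        {"name": "example-mft-lib", "version": "2.1.4"}, {"name": "libjson", "version": "9.0.1"}]},
    "print-queue": {"bomFormat": "CycloneDX", "components": [{"name": "libjson", "version": "9.0.1"}]},
    "lab-share": {"bomFormat": "CycloneDX", "components": [{"name": "example-mft-lib", "version": "3.0.0"}]},
}
# Constructed advisory: every version of the component below the fixed version is affected.
ADVISORY = {"component": "example-mft-lib", "fixed_in": "2.2.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple that compares numerically (2.10 > 2.9)."""
    return tuple(int(p) for p in v.split("."))


def affected_components(sbom: dict, advisory: dict) -> List[str]:
    """Return the versions of the advisory's component in this SBOM that predate the fix."""
    fixed = parse_version(advisory["fixed_in"])
    return [c["version"] for c in sbom.get("components", [])
            if c["name"] == advisory["component"] and parse_version(c["version"]) < fixed]


def exposed_vendors(inventory: dict, sboms: dict, advisory: dict) -> Dict[str, List[str]]:
    """Map each vendor whose product bundles an affected component to the data it can reach.

    A vendor with no SBOM on file is reported as unknown rather than silently treated as clean.
    """
    exposure: Dict[str, List[str]] = {}
    for vendor, entry in inventory.items():
        sbom = sboms.get(entry["product"])
        if sbom is None:
            exposure[vendor] = ["UNKNOWN (no SBOM provided)"]
        elif affected_components(sbom, advisory):
            exposure[vendor] = list(entry["data"])
    return exposure


if __name__ == "__main__":
    for vendor, data in exposed_vendors(VENDOR_INVENTORY, SBOMS, ADVISORY).items():
        print(f"{vendor}: {', '.join(data)}")
```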

The MOVEit vulnerability served as another wake-up call. By implementing a multi-layered approach to vendor risk management, higher education institutions can better protect their data and ensure a more secure ecosystem.

We have a case study focused on an educational institution! Find out how Pima Community College strengthened its attack surface management with FortifyData!
