Connecting state and local government leaders
A Colorado health department said recently more than 4 million patients’ data had been accessed. But the real challenge awaits state and local governments as they look to patch vulnerabilities before more criminals exploit them.
It has been over two months since a Russian ransomware gang started exploiting flaws in the file transfer software MOVEit and attacked hundreds of government agencies, universities and corporations.
The exploitation led to chaos as several states saw agency services knocked offline and their residents’ personal information like names, Social Security numbers and driver’s licenses exposed.
The damage has been vast. In the days following the cyberattacks, state and local agencies began notifying those affected by the breaches. In Louisiana and Oregon, more than 8 million residents’ personal DMV data was exposed. In California, the information of more than a quarter of a million retirees and beneficiaries was stolen from the state’s pension system.
And just last week, Colorado and Missouri revealed breaches of their own. The Colorado Department of Health Care Policy & Financing said the data of more than 4 million patients had been exposed in the breach. The Missouri Department of Social Services did not specify how many residents could be impacted.
All told, researchers at antivirus software company Emsisoft estimate that as of Aug. 12 more than 660 organizations and 46 million individuals have been affected worldwide by the MOVEit exploitation. There will likely be more agencies impacted in the next several weeks and months as state and local governments continue to investigate the massive breach. But the real challenge for states and localities is still ahead.
Most states are currently focused on offering remediation services to their residents. The Illinois Department of Innovation & Technology established a dedicated call center and credit monitoring for the approximately 390,000 individuals affected in the state. Agencies in Louisiana, Minnesota, Missouri and Oregon issued warnings that residents’ data had been breached and offered guidance on additional steps individuals could take to protect their identities.
But the onus is now on agencies to address the vulnerabilities in their systems. Progress Software, the company behind MOVEit, last month released patches for the flaws in its software. Those patches need to be downloaded and installed, but experts say the task of doing so may slip down the pecking order.
“A lot of IT security is simply a maintenance problem, either patching applications, or making sure that your security infrastructure is in place and working as expected,” said Peter Firstbrook, a research analyst at Gartner. “It's complicated for the average organization, they've got a lot of priorities, and they just don't always get the messaging that you need to do it.”
The other issue with installing these patches, Firstbrook said, is that the MOVEit system is often buried in other applications and projects, so users like agency personnel are not “necessarily aware that it's a component part of their infrastructure.” Indeed, Emsisoft’s researchers noted that this vulnerability shows the need for organizations to pay attention to the security of their entire software supply chain.
It can be difficult to shift employees’ and leaders’ mindsets to make them appreciate the importance of regular patches and updates, however.
“There's still this [mentality of], ‘I don't need to protect myself, because I'm never going to get attacked, or I've never gotten attacked, so why should I bother?’” said Richard Hummel, a senior threat intelligence manager at NETSCOUT. “Until it's real for you, a lot of people have that mentality, unfortunately.”
The issue of unsecure software is only likely to increase, Firstbrook warns, especially as around a quarter of technology spending is done by departments whose primary focus is not on technology but other business processes.
This decentralized approach could result in a “nightmare” from a security perspective as “we don't even know who's buying what and what vulnerabilities it has or even what configuration it has,” Firstbrook said. The technology likely is not interoperable or standardized, he adds, meaning governments are forced to spend more on security tools to keep sensitive data safe.
By utilizing software tools that help integrate multiple security products to provide a more holistic view of threats and an organization’s attack surface, agencies could begin to address vulnerabilities, Firstbrook said.
Emsisoft researcher Zach Simas warns that it is “only a matter of time” before copycat attacks, making it vital for organizations to get serious about securing their entire technological supply chain, including their software.