Aon's suspected MOVEit breach | Triple DES recommendation withdrawn
CyberInsights #101 - Payroll data hit | Finally, NIST withdraws recommendation of 3DES
It's time to MOVEit. Files, that is.
Supply Chain attacks are not easy to monitor. They are not on your risk register!
What’s the most transferred data on a file transfer suite of products? Payroll Data!
If you got that right, you are already aware of the series of news articles on the MOVEit file transfer suite.
In the most recent breach, Dublin Airport's payroll data, handled by Aon, was allegedly compromised through the now-famous bugs in the MOVEit suite of products.
Read this post from The Register to understand more. The MOVEit breach has impacted 122 organisations and 15 million people!
Some of the other prominent MOVEit breaches include:
US Department of Health and Human Services.
So much so that MOVEit maker Progress Software was hit with a class action suit.
We spoke of MOVEit a few posts ago:
Take Action:
Key action items:
Review your supply-chain software: is your HR team using MOVEit to send payroll data to a vendor for processing? If so, evaluate the security of the process and of every tool along that chain, not just the ones you operate yourself.
Then, the standard: a vendor risk assessment.
If you are a cyber underwriter, consider accumulation of risk when you underwrite companies like Progress Software, whose products handle sensitive data for many customers at once.
NIST withdraws 3DES algorithm
NIST SP 800-67 Rev. 2, in service since 2017, has been withdrawn.
NIST is sunsetting the 3DES (TDEA) recommendation. The standard was first published in 2004 and last revised in 2017.
The withdrawal takes effect on Jan 1, 2024.
3DES is three passes of DES, whose 56-bit key has been brute-forceable for decades. Stacking three keys buys at most about 112 bits of effective security, but the real practical problem is the 64-bit block size: once a single key has encrypted a few gigabytes, birthday collisions between ciphertext blocks (the Sweet32 attack) start leaking plaintext. That is why NIST had already capped 3DES at 2^20 blocks (8 MiB) per key in 2017 before withdrawing it altogether.
Take Action:
If you are still using 3DES for any application in your organisation, and you are the CISO, it is best that you choose another profession. 3DES has been out of favour since 2015-2016.
While you are at it, you might as well do a sanity check on all the encryption algorithms in all the systems in use in your organisation, including how much data each key encrypts before it is rotated. Encryption inside OT systems generally slips under the radar.
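One way to run that sanity check, as an added example that is not part of this newsletter or of any NIST publication: a small inventory audit that flags withdrawn algorithms (DES, 3DES) and any 64-bit block cipher that has encrypted more than NIST's 2^20-block cap under one key, using the birthday bound to show how close the key is to a Sweet32-style collision. The inventory rows, system names and data volumes are constructed for illustration, not real systems.

```python
import math
from dataclasses import dataclass

# Block size in bits for the ciphers this check knows about.
BLOCK_BITS = {"DES": 64, "3DES": 64, "AES": 128}

# Algorithms NIST no longer approves for encryption, with the reason.
WITHDRAWN = {
    "DES": "single DES: 56-bit key is brute-forceable",
    "3DES": "SP 800-67 withdrawn 1 Jan 2024; 112-bit effective security at best",
}

# SP 800-67 Rev. 2 limited 3DES to 2^20 64-bit blocks (8 MiB) under one key.
BLOCK_CAP_64 = 2 ** 20


@dataclass
class Usage:
    system: str         # constructed system name, not a real asset
    algorithm: str
    key_bits: int
    bytes_per_key: int  # volume encrypted under a single key before rotation


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Birthday-bound probability that two ciphertext blocks under one key collide.

    1 - exp(-n^2 / 2^(b+1)); for a 64-bit block this is ~0.39 at 2^32 blocks (32 GiB).
    """
    return 1.0 - math.exp(-(n_blocks ** 2) / 2 ** (block_bits + 1))


def audit_usage(u: Usage) -> list[str]:
    """Return a list of findings for one algorithm usage; empty means acceptable."""
    findings = []
    alg = u.algorithm.upper()
    if alg in WITHDRAWN:
        findings.append(f"{alg}: {WITHDRAWN[alg]}")
    block_bits = BLOCK_BITS.get(alg)
    if block_bits is None:
        findings.append(f"{alg}: unknown algorithm, review manually")
        return findings
    n_blocks = u.bytes_per_key // (block_bits // 8)
    # Only 64-bit block ciphers are close enough to the birthday bound to matter.
    if block_bits == 64 and n_blocks > BLOCK_CAP_64:
        p = collision_probability(n_blocks, block_bits)
        findings.append(
            f"{alg}: {n_blocks} blocks under one key exceeds the 2^20 cap; "
            f"collision probability ~{p:.3f} (Sweet32 territory)"
        )
    if alg == "AES" and u.key_bits < 128:
        findings.append("AES key shorter than 128 bits")
    return findings


def audit_inventory(rows: list[Usage]) -> dict[str, list[str]]:
    """Map each system in the inventory to its findings."""
    return {r.system: audit_usage(r) for r in rows}


# Constructed inventory (not real data): an HR file-transfer job, an OT historian
# that still speaks 3DES, a legacy VPN on single DES, and a modern API gateway.
SAMPLE_INVENTORY = [
    Usage("hr-payroll-sftp", "AES", 256, 40 * 2 ** 30),
    Usage("plc-historian", "3DES", 168, 2 ** 33),
    Usage("legacy-vpn", "DES", 56, 2 ** 20),
    Usage("api-gateway", "AES", 128, 2 ** 40),
]

if __name__ == "__main__":
    for system, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(system, "->", findings or ["ok"])
```

The interesting row is the OT historian: 2^33 bytes under one 3DES key is 2^30 blocks, a thousand times the NIST cap, and the birthday bound already puts a block collision at roughly 3 percent. The legacy VPN is flagged for DES regardless of volume, because the key itself is the problem there.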