Here Is Why The Recent Cyber Attacks Have Been So Bad

Photo by Tima Miroshnichenko from Pexels

SolarWinds: A Legendary Breach

It isn’t uncommon for a cybersecurity professional to be kept up at night. With a constant onslaught of security threats and emerging vulnerabilities, the field of information security is not for those who are prone to worry. As the President and CEO of The Penn Group, I’ve seen my fair share of events that have made me reach for the panic button. But the recent attacks on the federal government and private industry elevate beyond anything many of us in this industry have ever seen. To get a glimpse of how serious these attacks are, how vulnerable we still are, and how it was done, we have to break down a few specific facts.

What happened?

As details continue to emerge/leak, it is still unclear how far reaching this attack was/is. In simple terms, it was bad. Really bad. According to Thomas Bossert, in his New York Times Op-Ed, “the magnitude of the hack is hard to overstate.” Thomas Bossert was a US Homeland Security Advisor to President Trump. The number of organizations affected is estimated to range from 425 of the Fortune 500 to as many as 18,000 companies.

We all suck at security

One of the biggest challenges with information security is, from a technical standpoint, that you have to have a way to secure your infrastructure with hundreds of thousands of devices under management. To do that, there has to be a centralized way to manage every device on your network. Otherwise, you’d need a literal army of people clicking buttons on every endpoint, which isn’t practical or secure. Through a combination of tooling and processes, organizations implement security programs based on frameworks that are designed to standardize the security implementation within their organization.

The plain reality is simple: we suck at security.

We All Suck At Security

From the enterprise to a small business. From a local municipality to the United States as a nation, our cybersecurity practices are exceedingly bad. The problems with our security posture are well documented:

The Lack of US Federal Regulation

As of 2021, there are only a few industries that have specific security regulations that must be followed. Cybersecurity is exceedingly challenging to implement. Cybersecurity is unreasonably expensive, the talent doesn’t exist, and most of the policy makers writing our laws have little to no understanding of what a bit or a byte is. As of this writing 38 states are considering some sort of security legislation, but the vast majority of those states are considering privacy-focused legislation. This approach fragments the information security guidance that organizations must follow, which prioritizes compliance over security. It is time for the Federal Government to step up and implement a baseline standard for information security implementation that scales with organizational size and risk. Otherwise, there will never be sufficient consequences to convince business leaders to act on strong security.

Trust but Kind of Verify

Although a cybersecurity law at the national level would help standardize security implementation across organizations big and small, events like the SolarWinds breach will continue to happen. Information security, no matter how much money or time you put into it, isn’t perfect. In the meantime, we must refer to the old adage “Trust, but Verify”. This is typically said at the leadership level, in relation to making assumptions. From an information security standpoint, too often the policy is “trust, but kind of verify”. The problem is that it is just too difficult to fully validate a vendor’s security practices. The SolarWinds breach was a supply chain breach: the security of thousands of companies was placed in the hands of a third party, which was ultimately breached. Who is responsible for this? Is it SolarWinds? Or is it the management processes and validation of vendor security?

The SolarWinds Breach Is A Wakeup Call To Anyone Using Cloud

With the majority of organizations shifting their computing to the cloud, the security of major cloud vendors will become more important than ever. As evidenced by the Office 365 component of this breach, the notion that the cloud is inherently more secure is fading. For the first time in years, organizations must begin to choose to vertically integrate their information technology once again. The long-term consequences of supply chain security may force organizations to transition their assets to a private cloud model.

Keep on Checking the Box

Ultimately, information security professionals will continuously implement security up to the limits of their resources. For many organizations, that is simply their goal. It is one thing to say that you do information security. It is an entirely different level of cost and dedication to implement security with excellence, something my company The Penn Group values. Most organizations simply opt to check the box, which results in breaches becoming more severe and more common. The tension between checking the box and defending the organization will continue to pull, and in 2021, we may see that pull begin to twist its way into collateral damage to other organizations, as we’ve seen with the SolarWinds breach.

Austin Harman, CISSP

Written by

An experienced cybersecurity leader serving as the President & CEO of The Penn Group. I hold the CISSP, CCSP, CAP, and Security+ certifications.

Age of Awareness

Stories providing creative, innovative, and sustainable changes to the ways we learn
