SolarWinds: A Legendary Breach
It isn’t uncommon for a cybersecurity professional to be kept up at night. With a constant onslaught of security threats and emerging vulnerabilities, the field of information security is not for those who are prone to worry. As the President and CEO of The Penn Group, I’ve seen my fair share of events that have made me reach for the panic button. But the recent attacks on the federal government and private industry elevate beyond anything many of us in this industry have ever seen. To get a glimpse of how serious these attacks are, how vulnerable we still are, and how it was done, we have to break down a few specific facts.
As details continue to emerge (or leak), it is still unclear how far-reaching this attack was, or still is. In simple terms, it was bad. Really bad. According to Thomas Bossert, in his New York Times Op-Ed, “the magnitude of the hack is hard to overstate.” Thomas Bossert was a US Homeland Security Advisor to President Trump. The number of organizations affected is estimated at 425 of the Fortune 500, and as many as 18,000 companies overall.
The basic premise of the attack is that a singular company, SolarWinds, experienced a reasonably normal security incident. A security incident is some security event that causes broader consequences. Depending on the reporting, the incident centered around credentials (a username and password) landing on a code repository called GitHub. This is a relatively common event, and modern-day security tools are capable of detecting these events. The credentials were used to upload a malicious update to the SolarWinds update server. This update was then automatically propagated to customers, which is typical operational best practice. Typically, an update server’s credentials would be heavily fortified, but in this case, the credentials were “solarwinds123”. From a security standpoint, this would seem to indicate a less than ideal security culture within SolarWinds, but we can’t judge the book by its cover.
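The paragraph above notes that credentials landing in a public repository are detectable. As an added illustration (example code written for this page, not a SolarWinds or vendor tool), the scanner below flags hard-coded credentials in committed text and explains why a value in the style of the one quoted above is trivially weak. The deploy script it scans is constructed; the host name and token are placeholders.

```python
import re

# Constructed sample: a deploy script that was committed to a public repository.
# Nothing here is a real SolarWinds file, host or secret.
SAMPLE_COMMIT = """\
#!/bin/sh
# push build artefacts to the update server
UPDATE_HOST=updates.example.invalid
UPDATE_USER=deploy
UPDATE_PASS=solarwinds123
API_TOKEN=EXAMPLE_TOKEN_PLACEHOLDER_0123456789
curl -u "$UPDATE_USER:$UPDATE_PASS" -T build.msi "ftp://$UPDATE_HOST/"
"""

# Assignment lines whose key names almost always carry a credential.
CRED_KEY = re.compile(
    r'^\s*(?:export\s+)?([A-Za-z_]*(?:PASS(?:WORD|WD)?|SECRET|TOKEN|API_KEY)[A-Za-z_]*)'
    r'\s*=\s*["\']?([^"\'\s]+)',
    re.IGNORECASE,
)

def weakness(secret, org_name):
    """Return the reasons a secret is trivially weak; an empty list means none were found."""
    reasons = []
    if len(secret) < 12:
        reasons.append("shorter than 12 characters")
    # The pattern seen in the breach reporting: company name followed by digits.
    if re.fullmatch(rf"{re.escape(org_name)}\d*", secret, re.IGNORECASE):
        reasons.append("organisation name plus digits")
    if secret.lower() in {"password", "changeme", "admin", "123456"}:
        reasons.append("common default")
    return reasons

def scan_commit(text, org_name):
    """Scan committed text line by line; return (line_no, key, reasons) per literal credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CRED_KEY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("$"):  # a variable reference, not a literal secret
            continue
        findings.append((line_no, key, weakness(value, org_name)))
    return findings

if __name__ == "__main__":
    for line_no, key, reasons in scan_commit(SAMPLE_COMMIT, "solarwinds"):
        detail = f" ({', '.join(reasons)})" if reasons else ""
        print(f"line {line_no}: {key} is a hard-coded credential{detail}")
```

Run as a pre-commit or CI hook, the same check blocks the push before the credential ever reaches the repository.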
Although the fallout of the SolarWinds hack is still ongoing, the long-term consequences of this hack will be felt for many years to come. The simplicity of the attack on SolarWinds illustrates a few things:
1) Process based security is exceedingly bad at protecting organizations, but it is the best method we have.
2) Cybercriminals do not care about your compliance or policy.
3) You can have a robust security program and still be hacked. (FireEye)
We all suck at security
One of the biggest challenges with information security is, from a technical standpoint, that you have to have a way to secure your infrastructure with hundreds of thousands of devices under management. Managing every device on your network requires centralized tooling; otherwise, you’d need a literal army of people clicking buttons on every endpoint, which isn’t practical or secure. Through a combination of tooling and processes, organizations implement security programs based on frameworks that are designed to standardize the security implementation within their organization.
As of 2016, just a little under five years ago, most enterprises were only beginning to adopt a broader information security program. Cybersecurity programs are exceedingly difficult to implement and take a long time, as they touch all areas of the organization. For large organizations, the challenges of implementing a strong information security program increase exponentially.
Ultimately, with process-based security, cost is the pilot on a crashing plane. As organizations continue down the path of securing their organization, security funds are allocated elsewhere. Ultimately, this behavior leads to the inevitable crash. The reality is that most security professionals uniquely understand these challenges and understand that most organizations could be hacked if someone really wanted to, and the reality is that people want to.
The plain reality is simple: we suck at security.
We All Suck At Security
From the enterprise to the small business, and from a local municipality to the United States as a nation, our cybersecurity practices are exceedingly bad. The problems with our security posture are well documented:
The report’s findings indicate that 71 of 96 agencies (74%) participating in the process had cybersecurity programs that were either “at risk” or at “high risk.” (The report defines the term “high risk” as “Key, fundamental cybersecurity policies, processes, and tools are either not in place or not deployed sufficiently”; the term “at risk” applies to agencies where “Some essential policies, processes, and tools are in place to mitigate overall cybersecurity risk, but significant gaps remain.”) — Federal Cybersecurity Risk Determination Report and Action Plan
The Lack of US Federal Regulation
As of 2021, there are only a few industries that have specific security regulations that must be followed. Cybersecurity is exceedingly challenging to implement. Cybersecurity is unreasonably expensive, the talent doesn’t exist, and most of the policy makers writing our laws have little to no understanding of what a bit or a byte is. As of this writing, 38 states are considering some sort of security legislation, but the vast majority of those states are considering privacy-focused legislation. This approach fragments the information security guidance that organizations must follow, which prioritizes compliance over security. It is time for the Federal Government to step up and implement a baseline standard for information security implementation that scales with organizational size and risk. Otherwise, there will never be sufficient consequences to convince business leaders to act on strong security.
Trust but Kind of Verify
Although a cybersecurity law at the national level would help standardize security implementation across organizations big and small, events like the SolarWinds breach will continue to happen. Information security, no matter how much money or time you put into it, isn’t perfect. Until then, we must refer to the old adage “Trust, but Verify”. This is typically said at the leadership level, in relation to making assumptions. From an information security standpoint, too often the policy is trust but kind of verify. The problem is: it is just too difficult to fully validate one’s security practices. The SolarWinds breach was a supply chain breach. Security for thousands of companies was placed in the hands of a third party, which was ultimately breached. Who is responsible for this? Is it SolarWinds? Or is it the management processes and validation of vendor security?
The SolarWinds Breach Is A Wakeup Call To Anyone Using Cloud
With the majority of organizations shifting their computing to the cloud, the security of major cloud vendors will become more important than ever. As evidenced by the Office 365 component of this breach, the notion that the cloud is more secure is fading. Organizations must begin to choose, for the first time, to vertically integrate their information technology once again. The long-term consequences of supply chain security may force organizations to transition their assets to a private cloud model.
Keep on Checking the Box
Ultimately, information security professionals will continuously implement security up to the point of the limitations of their resources. For many organizations, that is simply their goal. It is one thing to say that you do information security. It is an entirely different level of cost and dedication to implement security with excellence, something my company The Penn Group values. Most organizations simply opt to check the box, which results in breaches becoming more severe and more common. The tension between checking the box and defending the organization will continue to pull, and in 2021, we may see that pull begin to twist its way into collateral damage to other organizations, as we’ve seen with the SolarWinds breach.