What was the SolarWinds Hack?
As we shared previously, a significant IT security incident was discovered in December and is still ongoing. SolarWinds, a software and services company, had malicious code injected into its Orion monitoring product, and the trojanized updates were then distributed to its customers through the normal update channel. Because Orion runs with highly privileged access to the systems and domains it monitors, the attackers gained broad access to networks and servers. The attackers had this access for roughly nine months before the compromise was discovered.
In two previous posts, we explained what the incident is and the steps to mitigate the risks. We also shared some long-term considerations for your technology team and what skills will help you combat these attacks.
In this article, we turn our attention to good policies to implement which reduce risks and improve security in general.
The SolarWinds Hack was a Supply Chain Attack
The SolarWinds attack is a “Supply Chain Attack” because the malicious code was injected into the installer of a tool many companies use and arrived through the vendor's own trusted update channel. Because the compromise came from a trusted source rather than from an obvious outside intrusion, you must create policies for assessing technology options up front and for managing them on an ongoing basis to mitigate the risk.
With these threats, we wanted to share some thoughts about the STRUCTURE of your IT function to improve its security.
We will do that by considering, in three posts, the following structural elements.
- The team, including outside resources
- Some crucial processes (this post)
- A quick run-down of tools you should have (coming soon)
Have a Great Process – Evaluate Up Front, and Report
Once you have the right people, they need to work effectively together and with the business; that is the process. Multiple items should be part of your standard process. Here we deal only with the key strategies that help you reduce the risk of a SolarWinds-type attack in the supply chain, although their value is greater than that alone. Here are the four we will consider.
- Accountability
- Reporting
- Evaluate Vendors / Partners
- Patching and Updates
1. Accountability
The first thing you must do is define who is accountable for these processes and overall security. The National Institute of Standards and Technology (NIST) Cybersecurity Framework states this:
Individuals with cybersecurity-related privacy responsibilities report to appropriate management and are appropriately trained.
We recommend an accountability chart with all the various functions of IT, including the remaining processes below. Each accountability includes a brief list of required outcomes and the person who is accountable for them. We provide a sample to the right.
Many organizations have well-defined processes, but if nobody is responsible for executing them, nothing gets done. We recommend this accountability chart and include it in our IT strategy work as part of the Virtual CIO services we offer, using a process backed by a long history of successful assessments and reengineering.
When combined with the reporting below, you can verify accountable individuals are executing the process.
2. Reporting
Establish reporting to ensure accountability. Consider every core process that directly maintains the security of the organization. You do not have to implement every possible safeguard; security is one of many concerns to leadership, and some doors have to remain open for everyday work. Just be deliberate about each one and what it means for risk. The National Institute of Standards and Technology (NIST) Special Publication 800-35 states this:
Use metrics throughout the IT security life cycle. Metrics will provide the objective data to evaluate the baseline level of service in the assessment phase and assess service provider performance in the operations phase. Wherever possible, metrics should be selected to indicate progress toward the achievement or maintenance of a security condition that meets an underlying organizational need.
Note that the number of core processes is not the same as the number of accountabilities. For example, Disaster Recovery may be one accountability box, yet it may have more than one core process, each with a report verifying success and a person accountable for that process and its results. Here are some to consider:
- Resolve all Internal Tickets generated by a Remote Monitoring and Management (RMM) system.
- Resolve all tickets from outside sources (e.g., a security SOC provider)
- Weekly review of version and patch levels against known vulnerabilities and the latest versions from vendors
- Categorize failed logins (by account, source, and cause)
- Verify, and be able to explain, every successful authentication originating from a foreign country
- Review logs of file changes (one technique used in the SolarWinds intrusion was to temporarily replace a legitimate file with one carrying a malicious payload and, after it had done its job, put the original back; a hash that changes and then reverts is the signature to look for)
- Review scheduled tasks (the attackers used scheduled jobs that were created and then later deleted, so a task that appears and disappears between reviews is itself an exception)
- Resolution of critical gaps found in security assessments
Some of these may be pass/fail, where the person reviewing simply confirms the review was completed. Others may have a threshold, such as “number of failed logins for one account > 3.”
Review these measurements and reports often. Cybersecurity evaluation is an evolving discipline, and it only works when done with discipline.
Reporting should be both informative and exception-based. These items are essential, so we do not recommend reporting only exceptions; exception-only reports tend to stop or get ignored at some point, and accountability quietly disappears. Instead, report the full results and highlight the anomalies for quick review. Most reporting in IT is part of the normal process: the tools already collect the information; you just need a regular reporting mechanism and a person or team that reviews it for exceptions.
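To make the review items above concrete, here is an added example (not code from the original post) that runs four of those checks over a constructed event log and produces a report that is both informative (totals) and exception-based (highlighted anomalies). The pipe-delimited log format, the host names, file paths, task names and accounts are all constructed for illustration; the thresholds (more than 3 failed logins per account, a file hash that reverts within an hour, a scheduled task deleted within 24 hours of creation, and "US" as the home country) are assumptions you would tune to your environment.

```python
"""Exception-based review of a constructed security event log.

Added example for this article; not code from the original post or from
any vendor tool. The log format and every host, path, task and account
below are constructed samples. Real RMM/SIEM exports differ, but the
checks (replace-and-restore files, short-lived scheduled tasks, failed
login thresholds, foreign logins) are the same.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    host: str
    kind: str      # FILE_HASH, TASK_CREATED, TASK_DELETED, LOGIN_FAILED, LOGIN_OK
    subject: str   # file path, task name, or account
    detail: dict   # key=value pairs from the last field


# Constructed sample log (not real data). helper.exe is swapped and restored
# within a minute; the CacheCleanup task lives for about two minutes;
# app.dll is a legitimate one-way update and must NOT be flagged.
SAMPLE_LOG = """\
2020-12-01T02:00:05Z|srv01|FILE_HASH|C:\\Tools\\helper.exe|sha256=aaaa1111
2020-12-01T02:00:09Z|srv01|FILE_HASH|C:\\Tools\\helper.exe|sha256=bbbb2222
2020-12-01T02:00:41Z|srv01|FILE_HASH|C:\\Tools\\helper.exe|sha256=aaaa1111
2020-12-01T02:01:00Z|srv01|TASK_CREATED|\\Maint\\CacheCleanup|run=C:\\Tools\\helper.exe
2020-12-01T02:03:30Z|srv01|TASK_DELETED|\\Maint\\CacheCleanup|
2020-12-01T08:00:00Z|srv02|FILE_HASH|C:\\App\\app.dll|sha256=cccc3333
2020-12-01T08:00:10Z|srv02|FILE_HASH|C:\\App\\app.dll|sha256=dddd4444
2020-12-01T03:10:00Z|dc01|LOGIN_FAILED|jsmith|src=10.0.0.5
2020-12-01T03:10:20Z|dc01|LOGIN_FAILED|jsmith|src=10.0.0.5
2020-12-01T03:10:40Z|dc01|LOGIN_FAILED|jsmith|src=10.0.0.5
2020-12-01T03:11:00Z|dc01|LOGIN_FAILED|jsmith|src=10.0.0.5
2020-12-01T03:12:00Z|dc01|LOGIN_FAILED|bjones|src=10.0.0.9
2020-12-01T04:00:00Z|dc01|LOGIN_OK|svc_backup|src=203.0.113.7 country=RO
2020-12-01T04:05:00Z|dc01|LOGIN_OK|jsmith|src=10.0.0.5 country=US
"""


def parse_log(text: str) -> list[Event]:
    """Parse the assumed 'ts|host|kind|subject|k=v k=v' format, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, subject, raw = line.split("|", 4)
        detail = dict(kv.split("=", 1) for kv in raw.split() if "=" in kv)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, subject, detail))
    return sorted(events, key=lambda e: e.ts)


def replaced_and_restored(events, window=timedelta(hours=1)):
    """Flag a file whose hash changes and then returns to the earlier value within `window`."""
    history = defaultdict(list)  # (host, path) -> [(ts, sha256)]
    for e in events:
        if e.kind == "FILE_HASH":
            history[(e.host, e.subject)].append((e.ts, e.detail.get("sha256")))
    findings = []
    for (host, path), seq in history.items():
        for i in range(1, len(seq) - 1):
            original = seq[i - 1][1]
            swapped_ts, swapped_hash = seq[i]
            if swapped_hash == original:
                continue
            for restored_ts, h in seq[i + 1:]:
                if h == original and restored_ts - swapped_ts <= window:
                    findings.append((host, path, swapped_ts, restored_ts))
                    break
    return findings


def short_lived_tasks(events, window=timedelta(hours=24)):
    """Flag scheduled tasks that were created and deleted within `window`."""
    created, findings = {}, []
    for e in events:
        key = (e.host, e.subject)
        if e.kind == "TASK_CREATED":
            created[key] = e.ts
        elif e.kind == "TASK_DELETED" and key in created:
            if e.ts - created.pop(key) <= window:
                findings.append((e.host, e.subject, e.ts))
    return findings


def failed_login_exceptions(events, threshold=3):
    """Accounts whose failed-login count exceeds the threshold ('> 3' in the article)."""
    counts = Counter(e.subject for e in events if e.kind == "LOGIN_FAILED")
    return {user: n for user, n in counts.items() if n > threshold}


def foreign_logins(events, home="US"):
    """Successful logins whose source country is not the home country (assumed 'US')."""
    return [(e.subject, e.detail.get("src"), e.detail.get("country"))
            for e in events
            if e.kind == "LOGIN_OK" and e.detail.get("country", home) != home]


def build_report(events):
    """Informative totals plus highlighted exceptions, as the article recommends."""
    return {
        "totals": dict(Counter(e.kind for e in events)),
        "file_replace_restore": replaced_and_restored(events),
        "short_lived_tasks": short_lived_tasks(events),
        "failed_login_over_threshold": failed_login_exceptions(events),
        "foreign_logins": foreign_logins(events),
    }


if __name__ == "__main__":
    for section, value in build_report(parse_log(SAMPLE_LOG)).items():
        print(f"{section}: {value}")
```

Note that the legitimate app.dll update on srv02 (hash changes once and never reverts) is not reported, and bjones with a single failed login stays below the threshold: the "totals" section still shows that those events happened, which is the informative half of the report, while the other sections carry only the exceptions a reviewer needs to act on.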
3. Evaluate Vendors / Partners
Remember, the SolarWinds incident was a supply chain breach; the software the vendor provided to its customers was itself trojanized. The consequence is that you must evaluate all components of your IT, which will probably include the following:
- Vendors who process information – These are outsourced services you send data to for further processing or validation. A good example is a customer list sent to a mail fulfillment processing house. If they are compromised, so are you, and when you inform your customers of the breach, they will always associate it with you.
- Vendors who manage your systems (MSP, SD-WAN, etc.) – Most organizations outsource some functions to third parties, whether for offsite backups and disaster recovery, managing the network, or perhaps the entire environment (a Managed Service Provider, or MSP). In all these cases, their tools, policies, and personnel are a potential point of attack. Take, for example, an offsite disaster recovery service to which you send all your data nightly. If just one of their engineers' credentials is compromised, the attacker may have access to your information, which could be disastrous for your organization and reputation.
- The software you bring into the business – this is not just SolarWinds-type tools. It could be an ERP application, monitoring software, an email client; anything that a user can open and run while connected to the network must be evaluated for security considerations.
- Devices – These are hardware devices, which have quickly become one of the easiest targets for malicious attacks. The Internet of Things (IoT) has exploded the number of accessible components on your network. Hackers look for security cameras, printers, phones, and factory sensors to exploit. All of these run firmware that receives only occasional security updates, so any of them can carry a known, unpatched vulnerability for a long time.
You should also evaluate all contracts with vendors to understand and define reporting requirements, risk allocation, and liability limits if an incident happens.
Vendor evaluation requires its own process, which is outside the scope of this article. A great starting point for understanding that process is available from Info-Tech Research Group; I recommend you review it.
4. Patching and Updates
It seems obvious, but many organizations do not do an adequate job of patching and updating systems. Supply chain attacks bear directly on this. Admittedly, SolarWinds was not aware of the compromise for months, so no patch existed during that time, and the malicious code itself arrived through a legitimate update; that is an argument for the vendor evaluation above, not against patching. Once a vendor discloses a fix, the exposure is public knowledge, which makes prompt patching even more critical.
Patches are the smaller releases that correct a known vulnerability. Install patches reasonably quickly. The days of waiting a couple of weeks to see what broke for others are over.
The best practice for patching is to use tools tied to the vendors’ distribution channel and your systems so that as soon as a patch is released, the software installs it in the next maintenance window, without human intervention required (but you can review anytime). We will cover tools for this in the following article in the series.
Summary of the SolarWinds Hack – Four Processes to Reduce Risk
In this article, we shared some processes you should be considering, especially as it relates to the supply chain attack types. In the next article, we will review the tools that can be helpful in this. As always, feel free to reach out and discuss your organizational IT strategy as it relates to security and effective alignment.
As always, contact us for help with enterprise or executive-level technology use. And follow us on Twitter to stay up to date.