What was the SolarWinds Hack?

As we shared previously, a significant IT security incident was discovered in the last few weeks and is still ongoing.  SolarWinds, a software and services company, had malicious code injected into its Orion monitoring tools and distributed to clients.  This software has administrative access to the domains it monitors, so the attackers gained expanded access to the network and servers.  FireEye discovered the attack on December 13, 2020, after it had been active for almost nine months.  You should consider the SolarWinds hack and your team – are you staffed to reduce risks?

In that last article, we explained what it is, how it hides so well, and if you have it installed, some steps to take to mitigate the risks. 

In this article, we turn our attention to what you should do for your long-term security and what types of skills you need on your team. 

The SolarWinds Hack was a Supply Chain Attack

The SolarWinds attack is a “Supply Chain Attack” because the actors injected malicious code into the installer for a tool many companies use.  Most incidents originate with malware delivered by email or through a user’s web browser, which compromises only one organization when successful. By placing the malicious code into the software supplier’s installation package, the hackers gained access to a wide range of networks and proprietary information. 

In the case of the SolarWinds hack, the actors had access to at least 18,000 networks of organizations from the Fortune 500, US Government, and many other segments, and it is likely twice that amount.

In other words, it is not just about your network or users or IT personnel.  It may be related to systems, vendors, and teams upstream from you; this creates a new threat and one you must plan for. You will need people with industry skills and awareness, not just people who know your systems. 

What if you don’t have SolarWinds? 

Well, wipe your brow and say “whew!” with conviction.  Then, consider that SolarWinds is one of the better IT services and software companies operating, and your current vendors could be less secure. 

Nobody writes their own software for every function their technology needs.  The days of writing your own ERP software are deep in the rear-view mirror.  And forget about writing your own IT management software, like what SolarWinds Orion provides.  But when you bring in a vendor, you bring in all of their strengths and weaknesses. 

With these threats, we wanted to share some thoughts about the STRUCTURE of your IT function to improve its security. We will do that by considering, in three posts, the following structural elements.

  • The team, including outside resources (this post)
  • Some critical processes (coming soon)
  • A quick run-down of tools you should have (coming soon) 

The SolarWinds Hack and Your Team

One thing I learned in managing IT is that the tools are only a small part of the equation.  They monitor conditions, may detect and stop malicious activities, and report what they see.  But you need competent, engaged humans watching.  Part of what makes these people effective is training, but the other part is a mindset that there are dangerous actors who want to get into your environment.  It is like the mindset of a good crime detective who tends to question everybody and everything.  

Your team needs some of these people.  I know one very well.  He watches for everything that could affect him and those he is protecting. I was interested in his purchase of a new TV recently: he purchased one based on Android and immediately started disabling most of its services.  He had them all shut down in quick order except for ads being served, indicating continued access from outside. He then started configuring the network and internet connection to block the source of these.  The point is that most of us look at these as potentially convenient services and do not give thought to what we install or leave available.  With his “security mindset,” he views them all as potentially open doors that a hacker can open.  It is not unlike a house with ten doors and locks, which is more susceptible to one being left open accidentally than a house with three doors.  

Your entire team cannot be this way, but you need at least one (they may be a contracted external resource).  If your whole team had this mindset, they would spend all day locking every available opening, and you would spend all day explaining to users why they cannot do basic tasks that are now disabled.  You must have a balance of personalities and accept a certain level of risk. 

You also need a variety of skills – security affects everything, and you have varying technologies. Each of these technologies is an opening on the network and susceptible to breach; understanding and locking down security on email services is not the same as on a firewall, which is not the same as on a file server, and so on. The people accountable for security need to be well-versed in the configurations and changes that keep the business both safe and efficient.  

Use outside resources to supplement your internal team 

Having security-minded and trained individuals can be expensive; an engineer certified in information security costs significantly more than one without.  As explained above, you do not need them in every role, and unless you are a large organization, you will not need them full time. Three skills make sense to consider:

  • A Virtual Chief Information Security Officer (CISO) – This is a senior-level person focused on setting policies, evaluating the environment for risks, reviewing the team, vendors, and technologies for security flaws, and working with the business to reduce risk while understanding the impact on effectiveness. They can also oversee significant regulatory demands like PCI Compliance or National Institute of Standards and Technology (NIST) requirements you must meet to transact business. CISOs are hard to find and are not needed in a full-time role, so a virtual CISO will help your organization. 
  • Security Certified Senior System Engineers / Solutions Architects for design and assessments – This is a senior-level engineer who is hip-deep in technology, is needed only part-time, and provides an outside view.  They will consider design, review configuration changes, and do periodic inspections of the systems for security holes. Because new threats are always emerging, your systems need continual evaluation by a person with a security mindset and skills. 
  • Managed WAN Provider – Beyond user actions, one of your environment’s most vulnerable components is its external connections.  The network inside your organization’s facilities is called the Local Area Network (LAN). It generally requires some physical access or proximity to gain entry, like from the parking lot to a wireless access point. The buildings’ perimeter connects to the Wide Area Network (WAN), accessible by anybody with an internet connection.  This last piece is important because the WAN is where your users and internal systems meet the internet, so the WAN devices, like a firewall, are the protection from unauthorized access.  As such, you must secure these components, and a dedicated provider may be more capable of this.  But beware: this may reduce your control of the connections due to their standards and your agreement with them. 

Additional Outside Services to Consider

Consider other information security services.  These should not be performed by internal staff, because the intention is to assess the situation with fresh eyes. We recommend you consider three services.

  • Security Information and Event Management (SIEM) Service – This is called the blue team in security circles because it aims to watch all events in your network and servers for malicious activity.  They will install a device on your network which collects information like network traffic, file access, failed logins, and more.  This data is then analyzed against rules for unusual activity, and alerts are created for a human to review.  For example, repeated failed login attempts on an account followed by a successful login from a foreign country may indicate a brute-force login attack and unauthorized access.  A threat analyst would review these, verify the problem, and forward it to your IT team with suggested actions to resolve. 
  • Regular Penetration and Vulnerability Tests – These are periodic tests of your network for any vulnerable points subject to penetration by an outside agent. They simulate how a hacker may gain entrance by jiggling all the doors.  I initiated this for a client a few years ago and was surprised when the report came back with INTERNAL network devices – they had tricked a user into giving them credentials through a known vulnerability and had complete access to the network! I highly recommend this from the right provider.  Contact us for help setting this up!
  • User Phishing Tests and Education – This is a service, using options like KnowBe4 or Proofpoint, that periodically (e.g., quarterly) runs a simulated phishing attack on your users to see who clicks the bait.  They also offer a service that trains and assesses your users for potential issues, like not knowing a legitimate link from one that will compromise your systems. 
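To make the SIEM correlation described above concrete, here is an added example (not part of the original post, and not any vendor's product) of the rule a blue team might run over collected login events: a burst of failed logins on one account followed by a successful login, rated higher when the success comes from outside the countries you expect. The log format, the thresholds, the home-country list, and the log lines themselves are all constructed for illustration.

```python
"""Toy SIEM correlation rule: failed-login burst followed by a success.

Constructed example. The one-line-per-event log format, the thresholds,
and HOME_COUNTRIES are assumptions made for this illustration, not a
real product's format or defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failures that count as a burst
WINDOW = timedelta(minutes=10)     # how long a failure stays "recent"
HOME_COUNTRIES = {"US"}            # where logins are normally expected from

# Constructed sample events (RFC 5737 documentation addresses), in time order.
SAMPLE_LOG = """\
2020-12-14T01:00:00Z user=cdoe result=FAIL src=198.51.100.9 country=DE
2020-12-14T01:00:10Z user=cdoe result=FAIL src=198.51.100.9 country=DE
2020-12-14T01:00:20Z user=cdoe result=FAIL src=198.51.100.9 country=DE
2020-12-14T01:00:30Z user=cdoe result=FAIL src=198.51.100.9 country=DE
2020-12-14T01:00:40Z user=cdoe result=FAIL src=198.51.100.9 country=DE
2020-12-14T02:30:00Z user=cdoe result=SUCCESS src=192.0.2.15 country=US
2020-12-14T08:00:01Z user=jsmith result=FAIL src=203.0.113.7 country=RO
2020-12-14T08:00:11Z user=jsmith result=FAIL src=203.0.113.7 country=RO
2020-12-14T08:00:21Z user=jsmith result=FAIL src=203.0.113.7 country=RO
2020-12-14T08:00:31Z user=jsmith result=FAIL src=203.0.113.7 country=RO
2020-12-14T08:00:41Z user=jsmith result=FAIL src=203.0.113.7 country=RO
2020-12-14T08:00:50Z user=jsmith result=SUCCESS src=203.0.113.7 country=RO
2020-12-14T08:05:00Z user=asmith result=FAIL src=192.0.2.20 country=US
2020-12-14T08:05:10Z user=asmith result=FAIL src=192.0.2.20 country=US
2020-12-14T08:05:20Z user=asmith result=SUCCESS src=192.0.2.20 country=US
2020-12-14T08:10:00Z user=bjones result=FAIL src=192.0.2.44 country=US
2020-12-14T08:10:10Z user=bjones result=FAIL src=192.0.2.44 country=US
2020-12-14T08:10:20Z user=bjones result=FAIL src=192.0.2.44 country=US
2020-12-14T08:10:30Z user=bjones result=FAIL src=192.0.2.44 country=US
2020-12-14T08:10:40Z user=bjones result=FAIL src=192.0.2.44 country=US
2020-12-14T08:10:50Z user=bjones result=FAIL src=192.0.2.44 country=US
2020-12-14T08:11:00Z user=bjones result=SUCCESS src=192.0.2.44 country=US
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def correlate(lines, threshold=FAIL_THRESHOLD, window=WINDOW, home=HOME_COUNTRIES):
    """Return alerts for accounts whose success follows a recent failure burst."""
    recent_fails = defaultdict(deque)   # user -> timestamps of failures in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        fails = recent_fails[user]
        # Expire failures older than the window; old bursts do not count.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if rec["result"] == "FAIL":
            fails.append(ts)
            continue
        if len(fails) >= threshold:
            # Success after a burst: severity depends on where it came from.
            severity = "high" if rec["country"] not in home else "medium"
            alerts.append({
                "user": user,
                "time": ts.isoformat(),
                "src": rec["src"],
                "country": rec["country"],
                "failed_attempts": len(fails),
                "severity": severity,
                "reason": "successful login after failed-login burst",
            })
        fails.clear()   # a success resets the account's failure history
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on the sample, the rule raises a high-severity alert for jsmith (five failures then a success, all from Romania) and a medium one for bjones (six failures then a success from a home-country address, still worth an analyst's look), but nothing for asmith (too few failures) or cdoe (the burst is ninety minutes old when the success arrives). Tuning the threshold, window, and country list to your own baseline is exactly the human judgement the post says a SIEM service supplies.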

We recommend these services to improve the security of your organization.

Summary of the SolarWinds Hack and Your Team – Long Term Team Changes

Because the SolarWinds hack was so large and so damaging, it highlights some corporate IT departments’ weaknesses.  The first place to look is your team: review what it needs to handle these supply chain attacks.  You may, and likely do, have a GREAT team, but these new hacks show where they may need some help.  We have provided some insights on the skills required and recommended outside services.   

Contact us to discuss your team.  We can assess your environment, the team, and the business needs to ensure alignment (sample), and all are working for top performance and ROI.