Intrusion Detection Systems Simply Won’t Cut It Going Forward
SolarWinds is regarded as the widest-reaching cyber espionage operation against the United States government to date. Dan Verton discusses what we know so far and actions other businesses and organizations should consider in an effort to mitigate the effects of future attacks.
Nearly four months after the disclosure of the SolarWinds attack, we are continuing to learn more about the nature of the incident. Corporate leaders have testified at government hearings as lawmakers try to understand the full breadth and impact of the attack, as well as what cybersecurity shortfalls may have contributed to the situation. The hack is already considered the most substantial and widest-reaching cyber espionage operation against the United States government to date. As such, it’s worth taking a closer look to understand key takeaways to prevent a similar attack of this scale in the future.
First, SolarWinds demonstrated how critical it is for companies and organizations to have a full understanding of their supply chains and of the potential vulnerabilities at each step of the process. In today’s security landscape, it is no longer enough to have insight into your own organization’s cybersecurity posture alone. Of concern, a recent Gartner survey found that nearly 90 percent of companies had experienced a supplier risk event in the past five years but lacked the company-wide awareness or the level of maturity needed to mitigate the risk.
Editor’s note: As of publication, details of the SolarWinds breach are still coming to light. Beginning possibly as early as the spring of 2020, hackers believed to be connected to the Russian government gained access to IT management software known as Orion, developed by SolarWinds. This software is used by a range of companies and organizations around the world. Through the breach, hackers hid backdoor access capabilities inside Orion software updates. They were able to view a huge body of sensitive information at numerous government agencies and global corporations as a result. The breach was first detected by the cybersecurity firm FireEye last December. While it is known that hackers accessed information, their full motives and actions have yet to be determined.
SolarWinds Unveiled the True Scope of Supply Chain Vulnerabilities
Another key problem with supply chains is a lack of oversight. Robert Bigman, the former chief information security officer (CISO) at the Central Intelligence Agency, flagged on a recent podcast that there are currently no rules and regulations surrounding secure supply chains.
“When you go and buy a car, you have a thing called a Lemon Law. If something goes wrong, you can turn it in and get it adjusted and get a change, or even get a new car. We don’t have that type of law for cyber,” Bigman said. “We have no rules, no regulations for companies to build secure supply chains. We have no rules and regulations that require them to build secure code. It’s a free-for-all. And you’re really potentially the victim of companies who don’t act responsibly. And I’ll be honest with you, I think it’s the majority of them.”
This puts the onus on companies and organizations themselves to be proactive about protecting and managing their supply chains. To this end, security leaders at all entities need to be aware of the security processes and protocols across their entire supply chain. It only takes one weak password or one weak link in the chain to compromise all parties. This was evidenced by “solarwinds123,” a password that was leaked on the public internet and that played a part in the cyberattack. A vendor or partner in your company’s supply chain can become the entry point into the dozens of other entities connected to its network, regardless of how strong your own organization’s cyber posture is.
The Value of Risk-Based Cybersecurity
Importantly, when looking at the SolarWinds incident at a higher level, the attack showed…