Like many attacks these days, it appears that the attackers first came into the network via remote access and a VPN vulnerability. The attackers inserted the malicious software into SolarWinds products which in turn was delivered to over 18,000 customers worldwide.
When early attacks were noted, impacted firms asked whether other attacks had been seen in the wild by other customers, and the CISO communicated that he had not seen examples. He then went on to admit privately that he had lied to the customer. When an 8-K statement was finally filed acknowledging the security issue, the SEC indicated that “it was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period.”
Public claims on a website need to reflect internal procedures
When you make security statements on a website, whether you are bound by SEC regulations or a small company assuring your client base, make sure the claims you make in public match up with what you are doing in the company. SolarWinds claimed that it followed “moderate level framework NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53).”
In reality, an internal assessment conducted in January of 2021 found that 60% of the controls were completely unmet. When your primary product is security, you can’t skimp on cybersecurity disclosures. Cybersecurity risks and practices are important for nearly any firm, but for a firm like this, which provides cybersecurity, they are key to the business itself. Especially for a firm that develops security software, checking that software for vulnerabilities, including web application testing, should be mandatory.
Passwords and password handling are key concerns for any business, but a security firm should pay closer attention. If you have a stated policy, it is vital that you follow that policy. If your internal needs and practices are such that a mandated password change and complexity requirement is not attainable, then you need to change your processes to fit those needs without decreasing your security posture.
These days, mandated periodic password changes are being set aside as a best practice, and organizations are instead looking to increase security with alternative authentication methods such as authenticator applications and other two-factor authentication technologies. Vendors should build their applications to encourage these better practices and should adopt them internally as well.