Compliance and Risk Management in the Spotlight: Lessons Learned from the SolarWinds Hack

We recently wrote an article discussing, briefly, a data breach for the security firm FireEye. At the time, FireEye claimed that the breach was the result of a foreign attack, a state-sponsored cyberattack, an event that has unfortunately become the norm in 2020. As we, along with the rest of the country, have learned, the FireEye breach was connected to the massive SolarWinds hack, one that many are calling one of the largest security breaches in U.S. history.

Here, we’ll talk about some of the basics of the attack, including how it happened and its impact. The lessons of the SolarWinds hack underline just how important risk management is for companies large and small across the U.S.

What is the SolarWinds Hack?

In December, FireEye discovered a trojan attack in SolarWinds Orion business software updates. This attack was seen to distribute malware called SUNBURST, which allowed attackers to insert code into Orion updates so that they could take control of a victim’s network environment. 

This malware infection was unique in that it was tightly controlled, promoting stealth and minimal detectability. This meant that the attackers could have had access to systems across the country as early as March or April 2020. The Orion platform is a SaaS product purpose-built for infrastructure monitoring meant to “simplify IT administration for on-premise, hybrid, and SaaS environments.” This product is widely used not only in the private sector but in the public and government sectors as well.

The fallout is significant. SolarWinds Inc. is one of the largest network, systems, and information technology infrastructure providers in the U.S., with an estimated 300,000 customers as of December 2020. As of this publication date, security experts are estimating that up to 18,000 SolarWinds customers could have been affected by the attack, and major tech companies and retailers like Microsoft, Cisco, Intel, and Nvidia have already admitted that their infrastructure has been exposed.

The effects run much deeper, however. The overlap between private and public systems has exposed private businesses and public organizations alike. Of the potential infections, many were linked to electrical, oil, and gas infrastructures as well as telecoms, manufacturers, and government agencies.


How Did the Attackers Access SolarWinds Systems?

Currently, the likely culprit is state-sponsored cyberterrorism. The Washington Post reports that a Russian group of hackers known as APT 29, or “Cozy Bear”, is responsible. This group is a known affiliate of the SVR, or Russian foreign intelligence services.

The attackers used SUNBURST to infect updates of the Orion software, which was then downloaded to customers’ systems as part of their normal maintenance and upkeep. These infections, however, did not immediately begin to affect the systems they were infiltrating. Instead, according to FireEye reporting, the malware would wait roughly two weeks before signaling to the hackers that they could access the system. During that time, the malware would gather data like employee credentials and network logs to determine which systems to further infect and manipulate. 

FireEye reports that of the thousands of systems infected, they only have evidence of about 50 that were entered using the malware. However, this insight is limited because many industrial and manufacturing operations have little to no reporting, logging, and security measures in place to handle this kind of breach. 

FireEye does note, however, that the attack is not over, and should be considered an ongoing threat. Due to the use of stealth and cloud infrastructure, the attackers were able to hide their actions and the full extent of their infiltration is yet to be seen. 


The Impact of the SolarWinds Hack on Businesses

The SolarWinds hack has, perhaps most significantly, shown how interconnected many businesses in the tech, retail, service, and infrastructure spaces are. With shared cloud resources and managed services, serious security breaches can have ripple effects across different and disparate systems and organizations.

The full impact of the hack is still unknown, specifically because no one knows the full extent of the damage. However, several companies like Visa and Cisco are emerging to state that they are not seeing any widespread loss of data in their systems. 

As businesses continue to monitor the problem, it is likely we may see more severe fallout including:

  1. Identity and credit theft: If the hack resulted in customer databases being compromised in any way, then we could see a new wave of credit card fraud. Since state-sponsored cyberattacks target both private and public institutions in order to destabilize them, several waves of fraud could be in our future.
  2. A major overhaul of government cybersecurity: Federal agencies using SolarWinds products in any capacity are likely to beef up security measures in response. It is yet unknown if there will be corresponding updates to federal security regulations as part of that response.
  3. Potential outages or utility disruption: This is the most far-fetched item, but the one that security experts fear the most. Evidence from specialists shows that there are no known threats to the utility grid in the U.S. due to the hack. As our understanding of the hack evolves, however, this could change.

The goal of infecting critical oil, gas, power, and water systems was to gain more knowledge of their workings and, if possible, disrupt them. While experts are telling us not to panic, this event is a signal of the future of cyberterrorism and how modern warfare and cybersecurity will look for the foreseeable future.


What Can Businesses Do to Protect Against Attacks Like the SolarWinds Hack?

This is the million-dollar question and one that is not easily answered. Users of SolarWinds Orion weren’t expecting their network management software to come with malware, and as such weren’t necessarily prepared for it.

All this means that any data-driven business in the U.S. right now needs to address some specific priorities about its data security:

  1. Compliance is a business strategy, not a requirement. Yes, you need compliance in whatever regulations are called for in your respective industries. What this hack shows us is that compliance should be in the foreground of our collective security preparation and not a checklist of “must-do” tasks. Pay attention to the kinds of requirements that your industry’s regulations call for and, if possible, exceed them. That means encryption, reporting, logging, and authentication should all be field-leading technologies.
  2. Audit, audit, audit. Likewise, auditing for compliance should be an exercise in defense, not a box to check. Work with professionals that know your industry and regulations and who understand the ins and outs of security in that industry. Furthermore, don’t assume that you can get by without understanding those regulatory requirements anymore. Form real partnerships with third-party auditors and consultants in cybersecurity and learn what it means to stay as secure as possible.
  3. Prioritize data transparency and access. One of the major issues that many security experts, including FireEye, have pointed out is that many of the businesses affected didn’t have transparent data practices in place to trace file access and the bigger picture of the situation. This point also includes extensive reporting above and beyond any compliance requirements you may have. Your compliance and security measures should also include the capabilities to develop action plans based on real intelligence, and that can only come from having a complete picture of your data.
  4. Manage risk. Always know what kind of risk you can tolerate as an organization. In light of these attacks, those requirements might have changed. You can’t know what you need and don’t need, and the kind of risk you’re willing to take, without the right insights in place to make the best decisions.
  5. Vet your vendors. Anything that you expect from your organization, expect from any cloud, security, or software vendors. This includes additional compliance that might not necessarily be required by your industry–for example, extensive SOC compliance. 


Work with the Experts at Lazarus Alliance

Don’t let security problems announce themselves to you in the newspapers. Stay ahead of threats with tight security, compliance, and risk management. 

Learn more about how you can pursue the best security, reporting, logging, and risk management practices suited to your business. Call us at 1-888-896-7580 or through the form below. And tap into your Cybervisor Services to work with some of the top security experts in the industry.
