SolarWinds, Orion, and Sunburst: Celestial Names Touched by an Earthbound Problem

Hundreds of articles have already been written about the recent sophisticated campaign to penetrate government agencies and enterprises using a doctored software update to SolarWinds Orion, SolarWinds’ network management product. Up to 18,000 SolarWinds customers may have been affected. It’s likely that the cybersecurity community will learn more in the coming weeks, but what we know now points to a classic supply chain security problem.

Security practitioners have known about the risks associated with vendors and business partners for quite some time. The 2013 breach of retailer Target resulted in the theft of over 100 million customers’ personal data and an US$18.5 million multistate settlement. The breach was tracked back to a successful phishing attack against a Target vendor responsible for heating, ventilation, and air conditioning. In the wake of that high-visibility breach, organizations of all sizes acknowledged the risks associated with partners and made investments in processes and tools to assess, monitor, and manage vendor and supply chain risk. It seems that in the fast-paced cybersecurity world, the 2013 Target lesson may have been overtaken by events or completely forgotten.

Some interesting information about SolarWinds’ internal security practices has come to light, and it should serve as a cautionary tale about how organizations should factor vendor risk into their cybersecurity strategies. If these reports are verified, they point to a lapse in cybersecurity common sense and to gaps in supplier risk management at some of our largest government and commercial enterprises.

  • In 2017, former SolarWinds employee Ian Thornton-Trump warned SolarWinds’ management of cybersecurity risks within the company and provided recommendations for improvement. At that time, SolarWinds did not have a chief information security officer or a designated product security leader. Thornton-Trump’s 23-page PowerPoint presentation supported his assessment that a major breach was inevitable. He departed SolarWinds on May 15, 2017, and cited management’s unwillingness to correct security gaps noted in the report. Thornton-Trump’s frustrations were reportedly known by several of SolarWinds’ 60 or so designated most valuable players (MVPs) in the company’s user community.
  • On November 11, 2019, security researcher Vinoth Kumar reported to SolarWinds that he found a publicly accessible SolarWinds GitHub repository containing FTP credentials. The password was reportedly “solarwinds123.” SolarWinds made changes on November 22, but this responsible disclosure spoke volumes about password management associated with a product installed at so many important organizations.
  • As recently as September 11, 2020, a SolarWinds customer support advisory recommended that anti-virus scanning should be disabled for Orion product folders to allow the product to run more efficiently. While other vendors have made similar recommendations, SolarWinds’ proposal to exclude whole folders, including subdirectories, should have at a minimum triggered additional reviews and risk considerations by customers.
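The GitHub disclosure in the second bullet is the kind of lapse a repository secrets scan catches before a push ever reaches a public remote. The following Python script is an added example, not SolarWinds' code or anything from the article: it walks a constructed in-memory set of repository files, flags credentials embedded in URLs or assigned in configuration lines, skips environment-variable placeholders, and rates each password against simple weakness heuristics (length, a vendor term such as the product name, a dictionary word with a short digit suffix). The host names, file paths and the vendor term list are assumptions; the password value mirrors the one reported above.

```python
"""Minimal repository secrets scan (added example, not the vendor's own code).

Finds credentials committed to source files and rates the password strength.
All file contents below are constructed for the example.
"""
import re
from typing import Dict, List

# Constructed sample repository. Host names are placeholders; the password
# mirrors the value reported in the disclosure discussed above.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/upload.sh": (
        "#!/bin/sh\n"
        'curl -T build.zip "ftp://deploy:solarwinds123@files.example.invalid/releases/"\n'
    ),
    "config/settings.ini": (
        "ftp_host = files.example.invalid\n"
        "ftp_user = deploy\n"
        "ftp_password = solarwinds123\n"
        "smtp_password = ${SMTP_PASSWORD}\n"  # env placeholder, must not be flagged
    ),
    "README.md": "Set FTP_PASSWORD in your environment before running the deploy script.\n",
}

# user:password@host embedded in a URL of any common scheme
URL_CRED_RE = re.compile(r"\b(?:ftp|ftps|sftp|http|https)://[^/\s:@]+:([^@\s/]+)@[^\s\"']+")
# key = value or key: value, where the key ends in password/passwd/pwd
ASSIGN_RE = re.compile(r"(?i)\b\w*(?:password|passwd|pwd)\b\s*[=:]\s*[\"']?([^\"'\s]+)")

# Assumption: terms a vendor's own staff tend to reuse in passwords.
VENDOR_TERMS = ("solarwinds", "orion")


def password_weaknesses(secret: str, vendor_terms=VENDOR_TERMS) -> List[str]:
    """Return human-readable reasons the password is weak (empty list if none found)."""
    reasons: List[str] = []
    lowered = secret.lower()
    if len(secret) < 12:
        reasons.append("shorter than 12 characters")
    for term in vendor_terms:
        if term in lowered:
            reasons.append(f"contains vendor term '{term}'")
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        reasons.append("word followed by short digit suffix")
    return reasons


def _mask(secret: str) -> str:
    """Keep two characters so a reviewer can recognise the value without printing it."""
    return secret[:2] + "*" * (len(secret) - 2)


def _is_placeholder(value: str) -> bool:
    """Environment references and template markers are not committed secrets."""
    return value.startswith("$") or value.startswith("<") or value.startswith("{{")


def scan_repository(files: Dict[str, str]) -> List[dict]:
    """Scan every file; return one finding per credential, in file and line order."""
    findings: List[dict] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            hits = [("url", m.group(1)) for m in URL_CRED_RE.finditer(line)]
            hits += [("assignment", m.group(1)) for m in ASSIGN_RE.finditer(line)]
            for kind, secret in hits:
                if _is_placeholder(secret):
                    continue
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    "masked": _mask(secret),
                    "weaknesses": password_weaknesses(secret),
                })
    return findings


if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        reasons = "; ".join(f["weaknesses"]) or "no obvious weakness"
        print(f"{f['path']}:{f['line']} [{f['kind']}] {f['masked']} -> {reasons}")
```

Run as a pre-commit hook or over a clone of the repository, the two findings above (the FTP URL in the deploy script and the assignment in the INI file) are what a reviewer would see; the `${SMTP_PASSWORD}` line is correctly ignored. The heuristics are deliberately simple so they can be tuned to a vendor's own product names.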

Security practices at SolarWinds did not seem to impact decisions by government agencies and enterprises to greenlight purchases of Orion. Approvals came from the Defense Information Systems Agency (DISA), federal law enforcement agencies, municipal governments, and Fortune 500 companies. Cybersecurity professionals must now wonder how many other software vendors conducting business with their organizations are failing to follow reasonable security practices (password management, secure code reviews, and the appointment of a security-knowledgeable manager) or are advising their customers to bypass security controls.

Now is the time to revisit vendor and supply chain security and start asking critical vendors what they are doing about cybersecurity. To be clear, robust due diligence for SolarWinds may not have prevented the recent sophisticated nation-state campaign, but to state the obvious, an organization is only as secure as its weakest business partner. Asking the right questions and verifying the responses from vendors will turn up the heat and keep decision-makers from again forgetting how important partners are to their security programs. Now that the SolarWinds method of breach is widely known, cybercriminals are sure to try to emulate this strategy.
