SolarWinds was the victim of a cyberattack to our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.
The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies, officials directly familiar with the matter said.
Shaylyn Hynes, a DOE spokesperson, said that an ongoing investigation into the hack has found that the perpetrators did not get into critical defense systems.
~ Politico, 12/17/2020
We dodged a bullet. This time.
There’s no time for I-told-you-so’s. And the coulda-shoulda-woulda’s are worthless now, because it’s too late. Once a breach occurs, there’s no un-occurring it. We can’t un-happen what happened, or un-breach the breach. And the full extent of the damage may not be known for weeks.
The potential consequences of the security breach include death and destruction on a planetary scale. And no, we’re not being histrionic or hysterical. Of course, it’s important to keep calm and think through the list of what’s-next’s, but there’s no way to over-dramatize what has happened. There’s never a bad time to look for – and learn – the lessons buried in the aftermath of a cyberattack, especially one of this magnitude and consequence. Here are ___ of those lessons.
Lesson 1: By the time malicious activity is discovered, it’s too late.
Prevention is better than cure. ⧫ Better safe than sorry. ⧫ You can’t be too careful.
We hear these old sayings a lot. So much so that the wisdom gets lost. But when something disastrous happens – like the hacking of the DOE’s systems – the truth of these proverbs becomes unignorable.
Think of Application Security as a vegetable garden. The astute gardener is constantly on the lookout for harmful bugs, fungi, diseases, and weeds. And waiting for them to show up isn’t enough. The survival of the garden means being proactively vigilant. Part of being vigilant also includes access to the garden. A person can unknowingly bring in an infection, or the eggs of a harmful insect. Innocent ignorance could lead to unskilled handling of the garden, opening it to danger and harm.
The breach at SolarWinds and the DOE was discovered in December of 2020. SolarWinds, the supplier of the applications that were affected, has now stated that the malware was in the software from March to June of 2020. As many as 18,000 organizations could be affected. That number includes most federal government unclassified networks and more than 425 Fortune 500 companies. The fact that the bad actors have had 6 – 10 months of access to highly sensitive material should make our blood run cold. And yet, that time period is not atypical. On average it takes 197 days to discover a break in security, and 69 days to contain it.
Lesson 2: Think Like a Hacker.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
~ Sun Tzu, circa 5th Century B.C.E.
Wanna beat the bad guys? Think like them. Actively engage in dialogs that include questions like:
- What makes your application(s) attractive as a target, and to whom?
- What can a hacker gain from hacking your app, or what your app is connected to?
- How have bad actors operated in the past?
- What malicious activity is now in common use?
- What malicious activities are less commonly used, but could surprise you (and turn out to be surprisingly effective)?
Educate yourself and your team(s) on what is ‘out there’ and create the understanding that cyber attacks are real, and cybersecurity is crucial.
It’s also vital to be brutally honest about the strengths and weaknesses of the applications, both the ones in development and the ones that have been released. It’s easier to fix a leak in a pipe when you know where it is, or where the weak spot exists. Pretending there’s no problem or weakness could lead to devastation.
Identifying key risks, preventing them and establishing a security process that manages risk in an integrated manner can make your organization less vulnerable to these threats.
Lesson 3: Prioritizing Application Security is not a Cliché.
It’s simply the smart thing to do. And there is no such thing as ‘too secure’. Consider the cyber attack that hit the DOE and SolarWinds. We’re talking about nuclear weapons and nuclear materials. The potential cost to human life is incalculable. In fact, it is unthinkable. How do you put a dollar figure on the damage to the inhabitants of Spaceship Earth?
That said, in simpler, more human terms, data breaches are horrendously expensive:
- The average data breach costs a company $3.86 million.
- The longer it takes to contain a data breach, the more expensive it gets.
- Companies that contain a breach within 30 days save approximately $1 million in costs.
- It costs an average of $740,000 to inform customers about the hack.
- Companies could face additional fines if the breach is not disclosed within a certain amount of time.
- Lawsuits and other legal actions further exacerbate the costs.
And we haven’t even begun to talk about the costs that cannot be quantified, two of which are the loss of trust and confidence, both from customers and employees; and the time it takes to recover from a breach. In many cases, customers are unwilling to do business with a company that has suffered a data breach, especially if financial or personal information has been hacked.
A 100% guarantee against application security breaches does not exist.
And it’s not fair. But taking steps to prevent a breach is better than no action at all. In a word: training.
- Train application developers and teams to build security into the apps.
- Train developers to test the security of their apps before release. Then test again.
- Locate potential danger zones and weaknesses in the software’s defenses. Plug them. Then test again.
There are no easy answers. But application security training is an effective first step towards a safer, more secure world.
Connect with us to find out more…