The recent SolarWinds hack highlights common problems with the way organizations approach cybersecurity and reinforces the importance of having a trustworthy cybersecurity partner.
In December 2020, the world woke up to the news that several U.S. government agencies — including the Homeland Security Department and State Department — were among some 18,000 customers of a software company called SolarWinds that were victims of a massive cybersecurity hack. This high-profile attack was likely orchestrated by Russian (and possibly Chinese) hackers.
We now know that the network management software was first compromised in early 2020. In the months between that initial compromise and the eventual discovery of the hack by third-party FireEye, the hackers embarked on what is believed to be the largest foreign intrusion campaign in American history. In light of these startling revelations, it’s natural to wonder how exactly this happened. How did one of the foremost software companies in the world fall victim to an attack of this magnitude? And how did the hack go unnoticed for so long?
To answer these questions, we have to take a closer look at the cybersecurity protocols SolarWinds had in place leading up to the hack — and the ways that our business culture encourages companies to sideline security in favor of other priorities.
Understanding what led to the SolarWinds hack is essential to preventing a similar event from occurring again. While it may still be a while before we understand everything that went wrong, a few things are immediately clear. First, SolarWinds seems to have underspent on security. They outsourced much of their software engineering to cheaper programmers overseas — even though that usually increases the risk of security vulnerabilities.
Second, SolarWinds had password security problems dating back to at least 2018. In fact, they had what seems like a surprisingly weak password on their update server for the very software that got hacked. Despite earlier warnings from security researcher Vinoth Kumar who demonstrated to the company how easy it would be for hackers to access the server, SolarWinds continued to use the password “solarwinds123” for this essential software for over a year according to some reports.
At a hearing before the House Oversight and Homeland Security Committees in late February, former SolarWinds CEO Kevin Thompson blamed an intern for the weak password and claimed it went against the company’s password policies. That doesn’t explain why the password stayed in place for so long, though, or why CNN and Reuters reports indicate that the company did nothing to change the password despite being made aware of its vulnerability.
Despite these clear missteps, the SolarWinds hack cannot be blamed on the company alone. As Bruce Schneier explained in a recent opinion piece titled “Why Was SolarWinds So Vulnerable to a Hack?” there are two main reasons why companies like SolarWinds make compromises in cybersecurity.
The first issue is information asymmetry. Because buyers rarely have the knowledge or ability to adequately judge the security of company practices or software products, many companies can get away with weaker security practices without raising concerns. The second issue is the modern market economy, which encourages companies to make choices that are in their best interests even if they are not in the best interests of their clients or broader society.
The result of these two factors is that companies may choose to save money by taking on greater risk — risk that is then passed off to customers. As Schneier says, “There is no good reason to underspend on security other than to save money — especially when your clients include government agencies around the world and when the technology experts that you pay to advise you are telling you to do more.”
At a time when hackers are constantly on the offensive, whether they’re simply trying to get money or actively trying to impact political systems, underspending on cybersecurity can be a dangerous mistake. With so many different factors at play, it’s more important than ever to have a trustworthy cybersecurity partner who can evaluate your existing level of security and suggest products and measures you can trust.
When you partner with Turn-Key Technologies, Inc. (TTI), you’re getting the benefit of a seasoned networking and cybersecurity expert with nearly 30 years of industry experience. No one can stop bad actors from trying to take advantage of innocent victims, but we can help you keep them out.
At TTI, we appreciate that your security is an incredibly valuable asset. Contact us today to learn how we can help you stay cybersecure.
March 9, 2021
Please, rotate your device