3rd Party Vendors Add Hard to Calculate Information Security Risks
The last quarter of information security news has been dominated by the Solarwinds breaches. In this briefing, we will review what happened, what this means for the information security solutions in general and how companies can allocate resources to effectively combat threats.
To recap, Solarwinds is a major information security vendor. They sell software used to manage security-relevant systems and processes, and that software is used by many large organizations in the private and public sectors. In late 2020 it was revealed that Solarwinds themselves had been breached. Attackers then abused their new-found access to attack many of Solarwinds’ customers from the inside.
This week we are receiving new reports indicating that a different group of highly advanced, state-sponsored hackers (“APTs”) had broken into a different part of Solarwinds at the same time. The trouble and fallout seem to be far from over.
The striking element of this story is that Solarwinds was not breached because of some highly advanced cyberattack, but because someone in the organization had set the password of a highly critical system to “solarwinds123”. In short, an information security vendor made the very mistake that any and every awareness training will warn you against. Thousands of companies were breached not because of a technical error but because of simple human laziness.
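The password the briefing describes fails the most basic policy check a system could apply before accepting it: it is the organization's own name with a short digit suffix. The following is an added example, not code from the original briefing or from any vendor, of such a check. The minimum length, the small deny list and the leetspeak substitution table are assumptions chosen for the demonstration; only “solarwinds123” comes from the text above.

```python
"""Password policy check that catches organisation-name-derived passwords.

Added example, not part of the original briefing. The policy threshold,
the deny list and the substitution table below are assumed for the demo.
"""
import re
import unicodedata

# Substitutions people commonly apply when they think they are "hardening" a word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed deny list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

MIN_LENGTH = 14  # assumed policy minimum

# A single word followed by one to four digits/symbols: the classic "word + suffix" shape.
WORD_PLUS_SUFFIX = re.compile(r"[A-Za-z]+[0-9!@#$%^&*.]{1,4}")


def normalise(text: str) -> str:
    """Lower-case, strip accents, undo common leetspeak, drop non-alphanumerics."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = text.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z0-9]", "", text)


def org_tokens(org_name: str) -> set[str]:
    """Normalised tokens of the organisation name (each word, plus all words joined)."""
    words = re.findall(r"[A-Za-z0-9]+", org_name.lower())
    tokens = {normalise(w) for w in words} | {normalise("".join(words))}
    return {t for t in tokens if len(t) >= 4}  # ignore very short tokens like "inc"


def check_password(password: str, org_name: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    norm = normalise(password)

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Compare against the organisation name after undoing leetspeak, so
    # "S0larW1nds" is caught just like "solarwinds".
    for token in sorted(org_tokens(org_name), key=len, reverse=True):
        if token in norm:
            violations.append(f"contains organisation name token '{token}'")
            break

    for word in sorted(COMMON_PASSWORDS):
        if word in norm:
            violations.append(f"contains common password '{word}'")
            break

    if WORD_PLUS_SUFFIX.fullmatch(password):
        violations.append("a single word with a short digit/symbol suffix")

    return violations


if __name__ == "__main__":
    for candidate in ("solarwinds123", "S0larW1nds!", "correct-horse-battery-staple-42"):
        problems = check_password(candidate, "SolarWinds Inc")
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

The check runs on the normalised form of the candidate, so the usual digit-for-letter substitutions do not evade it, and it returns every violation rather than stopping at the first, which makes the feedback to the user (or the finding in an audit of existing credentials) more useful than a bare reject.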
There are two takeaways here:
- What is shocking to many outside of the information security sphere but obvious to everyone inside of it is that this pattern is very common. For every highly advanced breach abusing some technical exploit, there are plenty of breaches caused by human error and laziness.
- Every piece of 3rd party software or infrastructure that your company integrates with adds new risk of its own. Sure, something like Solarwinds may protect you from certain threats, but it adds risks of its own. And it’s hard for outsiders to tell when the cure is worse than the disease.
While the exact measures that should be taken have to be left to the experts in your organization, there is one thing that is highly effective while introducing absolutely no additional risk: better training for your staff.
The entire Solarwinds fiasco could have been avoided if one specific employee had taken password security more seriously. The same can - and will - happen in your organization. Instead of paying for flashy solutions from vendors with slick salespeople that promise the moon, investing in the fundamental security awareness of your employees is almost always the more solid expenditure.