
3rd Party Vendors Add Hard to Calculate Information Security Risks

The Solarwinds breach is a classic case that shows how hard it can be to evaluate information security risks. There are many external and internal factors that can come into play. What you don’t see might hurt you the most.

First Published 12th February 2021


"And the award for the Most Predictable Password goes to...."

4 min read  |  Reflare Research Team

The last quarter of information security news has been dominated by the Solarwinds breaches. In this briefing, we will review what happened, what this means for information security solutions in general and how companies can allocate resources to effectively combat threats.

To recap, Solarwinds is a major information security vendor. They sell software used to manage security-relevant systems and processes, and that software is used by many large organizations in the private and public sectors. In late 2020 it was revealed that Solarwinds themselves had been breached. Attackers then abused their newfound access to attack many of Solarwinds’ customers from the inside.

This week we are receiving new reports indicating that a different group of highly advanced, state-sponsored attackers (“APTs”) had compromised a different part of Solarwinds at the same time. The trouble and fallout seem to be far from over.

The striking element of this story is that Solarwinds was not breached because of some highly advanced cyberattack but because someone in the organization had set the password of a highly critical system to “solarwinds123”. In short, an information security vendor made the very mistake that any and every awareness training will warn you against making. Thousands of companies were breached not because of a technical error but due to simple human laziness.
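The failure described above is a credential built from the vendor's own name plus a trivial suffix. The following Python is an added example, not code from this post or from Reflare, of a set-time policy check that rejects exactly that pattern (organisation or product name, optionally in leetspeak, with digits or symbols bolted on); the organisation token list and the weak base-word list are constructed assumptions that a real deployment would replace with its own.

```python
import re

# Constructed sample data for this example: the tokens an organisation would put on
# its own blocklist (company and product names) and a few well-known weak base words.
ORG_TOKENS = ("solarwinds", "orion")
WEAK_BASES = ("password", "passwort", "admin", "welcome", "qwerty", "letmein")
MIN_LENGTH = 12

# Trailing run of digits/symbols that people append to a word to satisfy complexity rules.
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*.,_-]{0,8}$")
# Common leetspeak substitutions, undone so 'S0larw1nds' compares equal to 'solarwinds'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def password_core(password: str) -> str:
    """Reduce a password to the word a human started from: strip suffix, lower-case, de-leet."""
    return TRAILING_JUNK.sub("", password).lower().translate(LEET)


def check_password(password: str, org_tokens=ORG_TOKENS) -> list[str]:
    """Return policy findings for a candidate password; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    core = password_core(password)
    # Organisation-derived passwords are caught even when length and complexity rules pass.
    for token in org_tokens:
        if token in core or token in core[::-1]:
            findings.append(f"derived from organisation/product name '{token}'")
            break
    for base in WEAK_BASES:
        if core == base or core.startswith(base):
            findings.append(f"built on common weak base word '{base}'")
            break
    return findings


if __name__ == "__main__":
    for pw in ("solarwinds123", "S0larW1nds!2021", "P@ssw0rd2021", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note that "solarwinds123" satisfies a 12-character minimum, so a length-only policy would have accepted it; the organisation-token check is what rejects it.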

There are two takeaways here:

  1. What is shocking to many outside of the information security sphere but obvious to everyone inside of it is that this pattern is very common. For every highly advanced breach abusing some technical exploit, there are plenty of breaches caused by human error and laziness.

  2. Every piece of 3rd party software or infrastructure that your company integrates with adds a new risk of its own. Sure, something like Solarwinds may protect you from certain threats, but it adds risks of its own. And it’s hard for outsiders to tell when the cure is worse than the disease.

While the exact measures that should be taken have to be left to the experts in your organization, there is one thing that is highly effective while introducing absolutely no additional risk: training your staff better.

The entire Solarwinds fiasco could have been avoided if one specific employee had taken password security more seriously. The same can - and will - happen in your organization. Instead of paying for flashy solutions from vendors with slick salespeople who promise the moon, investing in the fundamental security awareness of your employees is almost always the sounder expenditure.
