Monday, December 21, 2020

What Our Profession can Learn from the Recent SolarWinds Hack


In the past few days, I'm sure you've heard something about a hack involving a company called SolarWinds.  This hack was carried out by a nation state in the hope of learning some of the deepest secrets kept by the U.S. Government.  The U.S. Cybersecurity and Infrastructure Security Agency says the threat "poses a grave risk to the federal government".

This action was perpetrated by what is usually referred to as an "Advanced Persistent Threat" (APT).  That is fancy government speak for another government with the funds and means to spy on a scale beyond the reach of individuals and ordinary organizations.  Experts fear that the intrusions began as early as March 2020 and have compromised a significant amount of information from the federal government.  The speculation is that the data monitoring and theft is widespread; so far the Department of Energy, the Department of Commerce, the National Institutes of Health, the Department of Homeland Security (ugh!) and the Department of the Treasury have confirmed they were attacked.

Why would something like this be of interest to our profession?  First of all, practitioners are supposed to keep their patient data safe, yet the NIH and Homeland Security couldn't keep theirs safe?  That seems like a lot to ask of a business like mine with 15 employees when even Homeland Security fell short.  But beyond that, there are a lot of lessons to be learned here, and one of the biggest, I think, is the way these attacks were carried out.  That aspect is something anyone with a business can learn from.  

The breach came by way of what is referred to as a "supply-chain attack".  If you've read or followed this situation at all, you've become well acquainted with the company name "SolarWinds".  The reason for that is a pretty simple one... the whole mess came about through a program made by SolarWinds (its Orion network-monitoring software).  Note that this was not a bug in the program that hackers discovered; it was tampering with the program itself before it was shipped.  The program was designed to help IT specialists monitor and manage large computer networks... and it worked pretty well.  In fact, it worked well enough that many very large companies and government agencies built it into how they manage their computers.  Some 18,000 organizations installed the tainted version.

The hackers saw a great opportunity here.  Rather than break into 18,000 individual networks, they broke into ONE company, SolarWinds, and used that foothold to reach the 18,000 others.  The companies that used SolarWinds had the software set up to automatically download updates to keep the system current.  So the hackers found a way into SolarWinds' build system and inserted a backdoor into a legitimate update, which SolarWinds then signed and published as its own.  Then they sat back and waited while the victims' computers downloaded the update with the backdoor built into it; because the update carried SolarWinds' genuine digital signature, the usual checks passed.  Once installed, the backdoor gave the hackers access to that system.
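To make that point concrete, here is a small added example of my own (not SolarWinds code and not any real update mechanism).  It models a vendor that compiles and signs an update, a customer whose auto-updater only checks that signature, and an intruder on the vendor's build server.  The vendor's code-signing key is stood in for by an HMAC key, the "compiler" is a hash of the source, and the source text, the backdoor and the key are all made up for the example.  The signature check passes on the backdoored update, because a signature only proves that the vendor's pipeline produced the file; rebuilding the update independently from the published source (a "reproducible build" check) is what catches the tampering.

```python
import hashlib
import hmac

# Constructed sample input: the update's source as the vendor's developers wrote it.
VENDOR_SOURCE = b"def monitor():\n    return collect_metrics()\n"

# Constructed backdoor: what an intruder on the vendor's build server substitutes
# just before the update is compiled and signed.
BACKDOORED_SOURCE = (
    b"def monitor():\n"
    b"    send_to_attacker(collect_metrics())  # hypothetical backdoor\n"
    b"    return collect_metrics()\n"
)

# Stand-in for the vendor's code-signing key. A real vendor uses a certificate and
# public-key signatures; a keyed hash keeps this example dependency-free.
VENDOR_SIGNING_KEY = b"made-up-vendor-signing-key"


def build(source: bytes) -> bytes:
    """Deterministic stand-in for a compiler: the artifact depends only on the source."""
    return b"update:" + hashlib.sha256(source).hexdigest().encode()


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """The vendor signs whatever its build server hands it."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, signature: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """The check a typical auto-updater performs: does the vendor's key vouch for this file?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_release(build_server_compromised: bool = False):
    """The vendor's release pipeline. If the build server is compromised, the
    backdoored source is compiled and signed exactly like a clean release."""
    source = BACKDOORED_SOURCE if build_server_compromised else VENDOR_SOURCE
    artifact = build(source)
    return artifact, sign(artifact)


def auto_updater_accepts(artifact: bytes, signature: bytes) -> bool:
    """Customer side: install if the signature verifies. This is all most auto-updaters check."""
    return verify_signature(artifact, signature)


def reproducible_build_matches(artifact: bytes, published_source: bytes) -> bool:
    """Stronger check: rebuild from the published source on a machine the vendor does
    not control and compare. A backdoor inserted at build time changes the artifact,
    so the independently rebuilt copy will not match."""
    return hmac.compare_digest(build(published_source), artifact)


def main() -> None:
    for compromised in (False, True):
        artifact, signature = vendor_release(build_server_compromised=compromised)
        print(f"build server compromised: {compromised}")
        print(f"  signature check passes:      {auto_updater_accepts(artifact, signature)}")
        print(f"  independent rebuild matches: {reproducible_build_matches(artifact, VENDOR_SOURCE)}")


if __name__ == "__main__":
    main()
```

Run it and the compromised release passes the signature check but fails the rebuild comparison.  The caveat for a small office is that a reproducible-build check needs the vendor to publish its source and a deterministic build, which most commercial vendors do not, so the practical takeaway is to know exactly which products on your network update themselves and which vendors hold standing access, and to treat each of those as a door you have left open on purpose.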

This is similar to a situation that happened in dentistry in late 2019, where a dental IT company had installed remote-access software on its clients' computers so that it could log in and fix problems without involving the office.  Unfortunately, hackers got into the IT company's systems, which then gave them the same unfettered access to the client systems.

These supply-chain attacks are hard on everyone involved.  The convenience is real: having updates install themselves and letting your IT company log in whenever it needs to is unquestionably easier than having someone in the office approve every access, especially in a small office with minimal staffing.  But every vendor you grant that kind of standing access to becomes a way into your network, and that is a weakness the business owner needs to be aware of.

On the topic of SolarWinds and how this debacle came about, there is a really great Op-Ed piece available from the New York Times.  It is written by Thomas Bossert, who is a true expert in this realm; he served as Homeland Security Advisor in the Trump White House until 2018.  (The official who appeared on 60 Minutes recently and was fired by President Trump shortly after calling the 2020 election the "most secure in American history" was Chris Krebs, the director of CISA, not Mr. Bossert.)  His article is a truly interesting read on this situation.

1 comment:

  1. Easy solution: remove the supply chain. Stop using bargain-basement IT companies that charge you a flat $500 fee per office while installing a ton of 3rd-party apps (supply chain) to keep their costs down.

    Find an IT company that actually knows the technologies involved instead of who to buy and resell that knowledge from.