SolarWinds supply chain attack, in which hackers (believed to be working for Russia) have tampered with software updates released by the company. Known victims of the attack so far include the US treasury, the US NTIA and FireEye itself.
I am left wondering if the "highly-sophisticated, targeted and manual supply chain attack" against Solarwinds was against an OSS library they used or targeted directly at the source code by an insider. https://t.co/Rxc4HrVNcw
— Jerry Gamblin (@JGamblin) December 14, 2020
Expert Comments
Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates allowing them to fabricate fake tokens for network access, traversing that to cloud access and subsequently manage network access and user permissions.
This attack was highly sophisticated and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organizations' broad inability to track certificates within the business, know how those certificates are used and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management.
Here are some best practices to mitigate misuse of keys and certificates:
- Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM.
- Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
- Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).
- Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
- Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.
Chris Hickman, Chief Security Officer
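As an added example, not part of Chris Hickman's commentary or of any vendor's product, the checks below apply the five practices he lists to a constructed certificate inventory: private keys held outside an HSM, certificates from an issuer outside the trusted set, records with no owner, one identity holding two of the three signing-workflow roles, and certificates that are expired or close to expiry are reported as findings. The record schema, the certificate and issuer names, the people and the dates are all assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
APPROVED_KEY_STORES = {"hsm"}                # the commentary's rule: FIPS 140-2 HSM only
TRUSTED_ISSUERS = {"Example Corporate CA"}   # constructed placeholder issuer name
AUDIT_DATE = date(2020, 12, 14)              # date the inventory is audited against

@dataclass
class SigningCert:
    """One inventory record for a code-signing certificate (constructed schema)."""
    name: str
    issuer: str
    owner: str
    key_store: str            # where the private key lives: "hsm", "build-server", ...
    not_after: date
    signers: set = field(default_factory=set)    # may request a signature
    approvers: set = field(default_factory=set)  # may approve the request
    auditors: set = field(default_factory=set)   # monitor / enforce signing policy
def check_certificate(cert, trusted_issuers=TRUSTED_ISSUERS, today=AUDIT_DATE, window=timedelta(days=30)):
    """Return the policy findings for one record; an empty list means compliant."""
    findings = []
    if cert.key_store not in APPROVED_KEY_STORES:
        findings.append(f"{cert.name}: private key on {cert.key_store}, not in an HSM")
    if cert.issuer not in trusted_issuers:
        findings.append(f"{cert.name}: issuer {cert.issuer!r} is not a trusted issuer")
    if not cert.owner:
        findings.append(f"{cert.name}: no owner recorded")
    # Segregation of duties: no single identity may hold two of the three roles.
    for a, b, label in ((cert.signers, cert.approvers, "sign and approve"),
                        (cert.signers, cert.auditors, "sign and audit"),
                        (cert.approvers, cert.auditors, "approve and audit")):
        for who in sorted(a & b):
            findings.append(f"{cert.name}: {who} can both {label}")
    if cert.not_after < today:
        findings.append(f"{cert.name}: expired on {cert.not_after}")
    elif cert.not_after - today <= window:
        findings.append(f"{cert.name}: expires within {window.days} days")
    return findings

def audit_inventory(inventory, trusted_issuers=TRUSTED_ISSUERS, today=AUDIT_DATE):
    """Map each certificate name to its findings so the whole inventory can be reviewed."""
    return {c.name: check_certificate(c, trusted_issuers, today) for c in inventory}

# Constructed sample inventory; certificate names, people and dates are illustrative only.
SAMPLE_INVENTORY = [
    SigningCert("release-signer", "Example Corporate CA", "release-eng", "hsm",
                date(2022, 1, 1), {"alice"}, {"bob"}, {"carol"}),
    SigningCert("legacy-build-key", "Example Corporate CA", "", "build-server",
                date(2020, 12, 31), {"dave"}, {"dave"}, {"erin"}),
    SigningCert("unknown-vendor-cert", "Unknown Issuer", "it-ops", "hsm",
                date(2021, 6, 1), {"frank"}, {"grace"}, {"grace"}),
]
```

Running `audit_inventory(SAMPLE_INVENTORY)` leaves `release-signer` with no findings, while the build-server key and the certificate from the unknown issuer each produce the findings the practices above would demand.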
Given the massive global scale of installations, the stakes are high with the SolarWinds hack. Many of these installations are across highly-sensitive industrial operations where network visibility is traditionally weaker. In fact, just today the ESCC, whose members include some of the largest U.S. power utility companies, gathered to discuss the emerging threat and how to respond.
You can not secure what you can’t see, so organizations across every industry must react by first identifying where SolarWinds software is installed across their environments. From there, they must further hone in on their inventory by determining the version(s) that are running to evaluate the vulnerability risk that may or may not be present. Without doing so, these risks get scaled in tandem with the vulnerabilities, and from the industrial perspective, this jeopardizes critical functions that impact everyday life.
Mark Carrigan, Chief Operating Officer
Jamil Jaffer, Former WH Exec and SVP for Strategy, Partnerships & Corporate Development: "The jury is still out on whether or not this vulnerability has been exploited before and if it's part of a broader campaign. ..."
Nethanel Gelernter, CEO: "This attack demonstrates the thought of the modern hackers and the new attack surface. ..."
Ekaterina Khrustaleva, COO: "Global cooperation in cybercrime prosecution is vital to break the impasse and make computer crime investigable. ..."
Piers Wilson, Head of Product Management: "A holistic approach to cyber-security is vital to ensure defences are as effective as possible. ..."
Kevin Bocek, VP Security Strategy & Threat Intelligence: "Adversaries are quickly moving to attack not just one computer but entire networks. ..."
The SolarWinds breach is undoubtedly unprecedented and it is certainly not ‘just another data breach’. We’ve seen cyberattacks carried out by foreign intelligence services before, but none at this scale and with this much potential to cause catastrophic damage, the extent of which is currently unknown.
What we do know is that a foreign adversary was able to gain access to the IT systems of the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic Atmospheric Administration, the Department of Justice, and the Office of the President of the United States, stealing vast amounts of data in the process.
Supply chain attacks like this have been a concern for the security industry for a long time; the threats posed by supply chain attacks are severe as not only are they typically more difficult to detect, but they often come through trusted third-parties with high levels of access to sensitive and classified data.
This is where the problem lies. This demonstrates there is no such thing as an unreachable network, yet many organisations are still focused on controls that secure the network. The emphasis instead should be on controls that secure data. With a data-centric approach, organisations can ensure that even if the network of one of their suppliers or a trusted third party is compromised, their data will be secure. A software-defined approach to Information Assurance (IA) combined with the ability to deploy and manage seamlessly with technologies such as Layer 4 encryption, means that even if cyber hackers manage to infiltrate a network and ‘steal’ data, the contents of the data will be unreadable and effectively rendered useless.
This won’t be the last data breach of this kind that we’ll see, so serious lessons need to be learned. These attacks are called ‘data breaches’, not ‘network breaches’, for a reason, so focusing on securing data is the only way for organisations to avoid becoming the next victim.
Paul German, CEO