
Keeping Up = Being Left Behind: SolarWinds Debacle Demands Proactive Risk-Based Security
Business leaders need to take a proactive, risk-based approach to cybersecurity and stop measuring the strength of their cybersecurity by the standards and compliance certifications they’ve gained through a check-box approach. The latest case study in ignoring that approach came last December, when SolarWinds was hit with one of the most significant breaches in recent memory.
By the time a Defense Industrial Base (DIB) organization is aware of a breach like that of SolarWinds, it’s certainly too late. Fallout can range from the initial damage of the attack and subsequent downtime to potential loss of business and reputation.
For example, SolarWinds stock dropped 40% the week after the attack, although it has since bounced back slightly.[1] An effective cybersecurity approach comes down to doing things proactively and correctly when nobody is watching, before the alarm bells sound.
The SolarWinds Breach
The hackers behind the SolarWinds breach used a combination of brute force password cracking and Trojan updates in a complex operation. The attack infiltrated thousands of government and private networks, gaining access to a variety of data types including credentials, financial information, and source code.[2]
According to the ongoing investigation, the hackers behind the attack began deploying malware in 2019 in a possible early connection to the breach.[3] While the exact correlation between the 2019 malware and the December breach is still unclear, it appears the cybercriminals had back door access for an extended period, allowing them to manipulate and monitor the environment until the perfect moment came to unleash the full scale of the cyber attack.
Federal agencies impacted in the United States include the departments of Treasury, Commerce, Defense, and Homeland Security. While the ramifications of an attack at this scale are detrimental to any industry, few face greater consequences than DIB organizations, because a cyber invasion can expose sensitive information and have potentially major implications for national security and even our way of life.
Attacks similar to SolarWinds will be difficult to avoid if you’re only deploying a conventional “best practices” checklist approach to cybersecurity. Cybercriminals are constantly adapting to the latest regulations and security protocols and taking extensive measures to avoid detection. It is imperative for DIB organizations to extensively vet their supply chain to ensure vendors and partners take every precaution to limit vulnerabilities as much as possible.
Mitigate Risks with a Comprehensive Cybersecurity Strategy
To properly mitigate and avoid threats, DIB organizations need an iron-clad, tested, and risk-based approach to cybersecurity. An effective cybersecurity strategy often boils down to an effective understanding of risk: understanding what is important to your organization, what could threaten it, and how that could occur.
Look at it this way: you maintain home security not to meet regulations, but to protect your family. That’s what you value, and that needs to be the focus. If you look at your family and recognize you have a child who is lousy at locking the door behind himself or herself, you understand a threat and how it could occur, with a burglar accessing an unlocked door. Only then can you devise an effective response that protects what you value, by adding an alarm system or moving to a safer neighborhood, for example.
Once DIB organizations can answer these questions, they can create the protocols to execute an effective response and keep the organization safe.
Typically, some best practices involve:
- Patch and keep software up-to-date
- Enable enterprise-level security and encryption
- Use strong credentials and multi-factor authentication
Additionally, it’s imperative to document the foundations of your risk management and ensure stakeholders understand them. Executives can’t do their jobs effectively without properly framing risk. Otherwise, you’re at the mercy of the cybersecurity workforce’s and tech industry’s interests instead of your own priorities and your need to protect what is important.
Don’t Stop at Minimum Compliance Standards
While meeting CMMC compliance or other regulations is imperative and valuable for organizations, it is merely the start. Compliance standards often follow years of getting owned by adversaries. By the time a compliance standard is active, it is potentially years out of date from a risk perspective.
DIB organizations can achieve true cyber maturity when they follow these requirements regularly and then go the extra mile by adapting programs, in near real time, based on what’s critical to them, what can hurt it, and how that can happen.
Achieving and maintaining Compliance, Maturity and Program Effectiveness requires dedicated resources to stay abreast of regulatory developments, threats seen in the wild, and ways to educate the entire organization on potential security problems.