The SolarWinds Orion software compromise has grabbed headlines like few other cybersecurity events in history. It will rank as one of the most serious security breaches of all time, and be studied as an early example of a supply chain insertion attack, performed as part of nation-state cyber espionage. It could have been much worse.
Had the Orion software backdoor been fully exploited and used to control the networks it managed, it could have become a cyber weapon with disastrous impact. As it was, the backdoor had the potential to shut down every network it was used in, as well as any network that depended on Orion-managed networks for availability. This wide blast radius is why CISA’s guidance to Federal agencies was so broad: essentially instructing all Federal agencies to remove the Orion product from any network it was found on, treat those networks as compromised (“assume breach”), and follow incident response procedures.
Software alone cannot effectively defend against cyberattacks.
The following observations illuminate a problem we commonly see in breach cases we are called on to manage: software alone cannot effectively defend against cyberattacks. People, process, and technology must all be integrated into any successful cybersecurity risk management strategy.
It is reported that evidence sealed in the U.S. Federal court system was part of the data exposed. We can imagine the downstream effects resulting from unauthorized access to this trove of confidential information, and the potential for a U.S. adversary to recruit intelligence assets through coercion.
There is today an over-reliance on, and false sense of security derived from, software technology that promises to do everything, to fix everything, and to replace people and process, and other critical components of proper risk management. Cybersecurity is only as successful as the skilled people responsible for using a mature, functioning process to manage risk, and the use of technology (including software) as one part of that risk management process.
We hope the SolarWinds Orion breach serves as a lesson that software alone does not itself make for good cybersecurity; it takes much more. To learn more about our layered approach to cybersecurity, download our defense-in-depth white paper.
Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.
About the Authors

Jason Ingalls, CISA, CISSP
Jason Ingalls is an engineer-turned-entrepreneur who founded Ingalls Information Security in 2010. Prior to that, Jason was an Information Assurance engineer and Incident Responder for General Dynamics for 9 years. Jason's professional career in cybersecurity has been spent delivering solutions that reduce information technology risk. Jason leads a team of professionals who deliver information security services, with a core focus on providing technology-enabled services that scale, and serving our clients as a trusted advisor for cybersecurity matters.

Janine Byas, SSAP
Ms. Byas is a Cybersecurity consultant who has worked in the industry since 2017. She is an experienced Incident Handler and credentialed Security Awareness Professional (SSAP), has led multiple digital modernization initiatives in the government and nonprofit space, and is a communications expert.

Sarena O’Donnell, GSEC
Ms. O’Donnell is an experienced Information Security professional with over fifteen years’ experience developing, implementing, and maintaining cybersecurity programs in highly regulated environments. Ms. O’Donnell’s foundational background in Information Security and Technology Risk Management as the ISO of a $3 Billion Virginia-based bank has allowed her to understand the opportunity in making risk-based decisions that balance business objectives, security, compliance, and operational efficiency. Ms. O’Donnell currently provides virtual CISO, Consulting, and Auditing services to clients in the Department of Defense, Financial Services, and Healthcare industries. Ms. O’Donnell holds a Master of Business Administration with a focus in Information Security and holds the GIAC GSEC.