A brief (high level view) summary of what happened:
- A group of attackers was able to insert disguised malware into a system within SolarWinds' Orion Network Management Platform that pushes out updates to organizations that use Orion.
- When the compromised Orion system pushed out the update, the organizations that received it could not detect that anything was wrong, because the Orion platform issued it as a verified part of the update.
- As of the date of this post, around 18,000 organizations across government entities and private companies were compromised.
You can find hundreds of articles that go deep into the details of how the attackers pulled this off. But what nearly all of those articles are missing is an answer to the question everyone should be paying attention to: how were they able to get access to the Orion system in the first place?
It Comes Down to People
Many months ago, the hacking group obtained access to an email account at a U.S. think tank. The compromised email account revealed a username and password that, when combined with a process used to trick Orion's multi-factor authentication (MFA) system, gave them access to the Orion update system. Read more detail here.
So, how did they get into that email account? A simple human process was skipped during the setup of the organization’s email account. They didn’t change the default secrets used to verify integrations with the email account. The hackers used the default secrets and got right in.
This is a process that no threat detection system would have caught. It’s a human risk management process that was either skipped or never put in place to begin with. A cyber risk assessment focused on finding issues in networks and other technology assets would never have caught this. Only an assessment that dives deep into people and processes would have helped.
There is no question that some very sophisticated technical actions were pulled off to ultimately compromise as many systems as they did through SolarWinds. But the point is that this event highlights a risk management failure that every company using email can fall victim to.
A Wired article on the same SolarWinds hack discusses details that were revealed about some SolarWinds admin accounts still using default passwords. There's no telling at this point whether that was at play in this event, but it's another example of the same risk management issue: missing the huge risks associated with people.
Across the majority of cybersecurity assessment frameworks, including the ones we offer in our platform, people and processes account for nearly 80% of the questions asked. And yet billions are spent every year on new cyber technologies while people and process risk remains the biggest threat.
We all love to geek out on cybersecurity technology (our team at SecurityGate.io is no exception), but make no mistake, cyber is people.
We’re a part of this community and feel an overwhelming desire to help.
Let’s address the elephant in the room – yes, we sell software designed to help, but that’s not what we’re talking about here.
We understand there are a lot of cybersecurity teams, leadership teams and boards that are beyond alarmed and stressed right now. It’s the holiday season. It’s supposed to be a time of peace. If you’re not sure what to do, or where to start, our team is here and we want to be helpful. We’re happy to listen and provide as much advice and guidance as we and our network of cybersecurity subject matter experts are able to. We’ve set up a special email address for this, please don’t hesitate to use it.
Send us a note any time at [help at securitygate.io].