Refresher: SolarWinds is that company that develops IT management software. The hack (suspected to be carried out by the Russians[1]) involving SolarWinds' systems and software penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches.
This is a helpful reminder because upon reading the headline I immediately confused this company with the solar roof company Tesla acquired a few years ago.
I was thinking of Solyndra, the company whose executives misled federal officials to obtain $535 million in government-backed loans, with the help of former President Barack Obama's White House.
> (i) used weak passwords for its software download webpages such as “solarwinds123”
> (ii) did not properly segment its IT network
> (iii) directed its clients to disable antivirus scanning and firewall protection on its Orion software
> (iv) cut investments in cybersecurity
> (v) listed its sensitive and high-value clients on its webpage for anyone to see.
I, for one, am shocked!
I think (hope) the importance of secure software may finally become better respected by companies. Seems ransomware is now only the beginning, since you'll later be sued as well!
>> (i) used weak passwords for its software download webpages such as “solarwinds123”
Humor me: Why is this bad? I would naively expect software downloads to be almost-public, possibly actually public but non-functional without a license key or such. Unless they did something separately bad like baking private keys into distributed software, I can't see where this hurts anything but already-weak security by obscurity.
While I generally agree that SolarWinds was lacking a lot on their internal DnR team (iv cut investments in cybersecurity), a lot of the identified issues are things that are seen in businesses EVERYWHERE.
Until recently I was a pen tester and (just a guesstimate) 9/10 clients that I do testing for don't properly segment IT networks, use weak passwords for things they shouldn't, and list sensitive and high-value clients on their webpage (they are trying to draw other customers in).
I'd like to clarify two points:
1. It doesn't matter how much money you spend on security - there will ALWAYS be a way for attackers to get in. E.g. the Log4J issues recently. There is always gonna be another zero-day or a new email phishing payload or a new NSA hacking tool leak, and at most a big company can pay a lot of money and hire a lot of engineers to reduce the chance of something bad happening.
2. None of these practices are really that unusual (I've seen plenty of software that recommends telling your AV to ignore it), and actually managing and knowing about every single credential/password etc. in a corp network is almost impossible. Usually things like the FTP server with a weak password get set up long before the company hires their first security engineer, and then the company refuses to make changes to existing stuff that would take a lot of time and effort.
I do feel that SolarWinds is on the hook for this, especially egregious is (iv cut investments) because of their exceptionally high value clients and the level of access they get into client environments.
However, I don't think it would have mattered much how much money they put into their security team, the team that ran the operation was likely a state-sponsored team and they probably had the funds/people/time to crack such a juicy target regardless of how difficult it was going to be.
> a lot of the identified issues are things that are seen in businesses EVERYWHERE
Exactly this is the problem. And exactly this shit needs to stop asap!
What you're basically saying is: "Software can't be secure at all. So what's the point?"
This line of thinking is completely flawed.
Software is in the end a mathematical construct and can be even proven secure (according to some arbitrary formal definition of "secure"). That's only a matter of the amount of money you're willing to throw onto this problem in the long run!
Starting to jail the people actually responsible for all the daily IT security nightmares (those people are not the developers!) is the only way to get to an end with all the madness modern software development is.
As long as the "bugs are an ordinary part of software" attitude prevails nothing will change. But this attitude can only change if the responsible people start to feel consequences for creating one tire-fire after another—and getting away with it every time.
Harm for SolarWinds is a lot more than the 24% decline in revenue. When we signed our cyber insurance policy they made us attest that we had no SolarWinds software running in our network or on company assets.
If you were underwriting business insurance policies, wouldn't you insist that the policyholder did due diligence in terms of updating software with known vulnerabilities?
More so, when a company has demonstrably bad security habits, would you want to insure their clients?
It is a bit like home owners insurance companies that won't insure your house if you have a fireplace, or extend liability coverage if you have a particular breed of dog or exotic (and dangerous) pet.
Blacklist an entire company's products? That's the weird part. SolarWinds had a pretty bad issue, but Microsoft has had plenty with Windows throughout Windows' lifetime (probably more than SolarWinds). Why is Windows not blacklisted? How about Apache?
It seems like they added SolarWinds just because it hit the news.
The really interesting things are the apparent areas for redaction in the original lawsuit [0] pdf. For example:
1. "This action asserts derivative claims on behalf of SolarWinds against current and former members of the Company's board of directors (the "Board"), for their utter failure to implement or oversee any reasonable monitoring system concerning [redacted] cybersecurity risks fundamental to SolarWinds' only line of business. [entire sentence redacted]"
2. Paragraph 5 is redacted entirely, but paragraph 6 states "these warnings underscored the specific and heightened risk." Does that mean that paragraph 5 contained notes from previous warnings that were ignored? If so, that's very interesting.
3. Paragraph 7's last sentence on warnings is redacted, and paragraphs 8, 9, and 10 are redacted. Paragraph 11 starts by saying that oversight failures were at play. Perhaps people inside were both warned and ignored warnings prior to the attack taking place?
The rest of the complaint contains a very similar pattern: large swathes of redactions in and around failures to monitor the situation and failures to account for risk exposure.
Paragraph 79: "By utterly failing to implement or oversee any reasonable monitoring system concerning the Company’s cybersecurity risks, SolarWinds’ Board disabled itself from being informed of mission critical risks at the Company and breached its fiduciary duties to the Company and its shareholders."
Massive lapses in security do not just happen. I am sure there are TONS of internal communication and likely external communication highlighting various security concerns. Often these are ignored by leadership in favor of things that directly increase quarterly earnings or directly reduce cost.
It is a tale as old as the information technology industry.
It is really common for any company that wants to maintain certain levels of compliance that they get a security audit. There are generally two paths forward for anything that is found, fix it... Or the terrifying path that is more commonly chosen "add it to the risk register". Company risk registers are signed off on by the boards, or more commonly an appointee of the board that is acting on their behalf. The risk register itself is almost never available outside the company except in some cases to major shareholders, or large business partners that make access to it a condition of a large deal.
I suspect what happened here is they were told of the issues, added them to their risk register, then promptly forgot about them. By doing so they accepted the liability if those risks ever became realized, which would open them up to a lawsuit like this.
I'm curious about the general effect of breaches on public corps' stock prices.
This one took a dive after their breach and kept going down. Experian, as a different example, has been on a tear for 10+ years with only smaller transient dips, despite millions of consumers injured.
Is there precedent for holding the board personally liable for something like this? That seems both morally questionable, and with lots of significant negative effects on how organizations run.
Not bashing SolarWinds because I think they are a good company, just explaining how this works:
The board is responsible for what the company is doing; not for the actions of every single employee, but for setting policies, making sure they are respected, hiring competent people etc.
Today the SOX is already holding the CEO and the board personally responsible for financial reporting. I think it is criminal responsibility there. It is not much different to hold them responsible for the results of the company, especially if any of the accusations can be proven.
The interesting part will be the effect on changes in the way tech companies are managed. For example, in some very large companies most people are hired based on criteria that don't include skills; for example in my company IT people are hired without any IT interview, they get points (in the US) for race and gender, outside the US on gender. If something happens and these people blow up some FDA regulated products (most of our products are FDA regulated to some degree), is the board personally responsible for a situation they created? I bet they are.
There are also many companies where policies exist on paper, but nobody is respecting them. The ISO 9001 certification is famous in parts of Europe, it is mandatory for some IT companies but it is just a bunch of paper in a closet that nobody ever read. Is the board responsible for such a situation? Of course it is. Board members are not appointed only to have friendly meetings talking about golf, with people being board members in a dozen companies and doing just golfing and board meetings, but to set the top-level direction for the company. If you set the company on self-destruct, they should be held responsible for it.
> they get points (in US) for race and gender, outside US on gender
I was thinking about white males being privileged and it sounded ridiculous (as a white male). Did you mean the opposite for diversity on the work floor?
> but it is just a bunch of paper in a closet that nobody ever read.
ISO certification mostly means that there are standards in place. Once it's implemented, you shouldn't notice it.
It's pretty important as soon as you want to do business with the government.
The ISO certification should tell there are standards that are in place; if they are just written on a piece of paper and never implemented ("nobody ever read"), the certification is worthless.
In the US, if you are a black female, you apply, and you can read and write, you are automatically hired. If you are a white male, you will not even be interviewed, and if you are already in the company you will never get a promotion.
In my (IT) department the past 10-year history is 10 to 1 promotions for female versus male. Over 40% of the organization is female (it was over 90% male 10 years ago, there are still some men left from old times) and in management it is over 60% with the target of 70% female. Unrealistic for a pure IT company, but very achievable for a very political non-IT company.
Can't tell from the comment if you believe that the actions of the board are morally questionable or that somebody holding these creeps accountable is. A mate who works in sales was in a room with them at a trade show last year and they downplayed the incident and told their customers that they have mitigated all future risks. I hope the lawsuit will rip them a new one!!
Exactly. This lawsuit is getting a lot of attention in board rooms because the pension funds are saying that the board is personally responsible and have been negligent in their responsibilities under SEC and NYSE regulations for cybersecurity.
[1] https://web.archive.org/web/20220101181934/https://www.nytim...