Starting last week, news of the data breach at the US Treasury that occurred via the network management platform SolarWinds Orion (which, as a quick aside, Suite3 does not leverage as part of our solutions stack, nor for the monitoring of our internal networks) started to be released to the public. As research into the root cause of the exploit is released, key lessons begin to emerge.
In an article released in the evening of 12/15/20, security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”. While researchers stated that this was not the most likely source of the exploit, it has been confirmed that malicious actors, rumored to be a Russian nation-state intelligence organization, leveraged the SolarWinds update process to distribute malware that went undetected. They then gained access to the compromised systems and were able to carry out their malicious activity.
Putting aside the fact that we are potentially in a cyberwar with other nations, the key take-away for businesses is that this is a perfect example of why implementing expected password standards as part of a company’s Information Security Policy, as well as training end users on those policies, is so important. Someone at SolarWinds thought that was an appropriate password, and it fails all sorts of password hygiene litmus tests – for example, it’s never a good idea to use the name of the company in a password, nor to use sequential numbers. These Information Security issues occur at organizations of all sizes, and this is a great example of how sometimes the simplest steps can improve security the most.
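As an added illustration of the two hygiene tests named above (no company name, no sequential digits), here is a small policy checker of the kind a help desk or onboarding script could run before accepting a new credential. This is example code written for this post, not anything from Suite3 or SolarWinds. The 12-character minimum, the organization name list, and the small leet-speak substitution table (so that "S0larW1nds" is still recognized as the company name) are assumptions chosen for the example.

```python
"""Minimal password-hygiene checker (example code, not a production library).

Rules implemented:
  * minimum length (assumed 12 characters here)
  * must not contain the organization's name, even with common
    character substitutions such as 0 for o or $ for s
  * must not contain a run of three or more ascending or descending digits
"""

# Assumed substitution table used to undo common "leet" spellings before
# looking for the organization name. Extend to taste.
_LEET_TABLE = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                             "!": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def has_sequential_digits(password: str, run_length: int = 3) -> bool:
    """True if the password contains run_length contiguous digits that
    step by exactly +1 or -1 (e.g. '123', '4567', '987')."""
    for i in range(len(password) - run_length + 1):
        window = password[i:i + run_length]
        if not window.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_org_name(password: str, org_names: list[str]) -> bool:
    """True if any organization name appears in the password, compared
    case-insensitively both as typed and after undoing leet substitutions."""
    lowered = password.lower()
    de_leeted = lowered.translate(_LEET_TABLE)
    return any(name.lower() in lowered or name.lower() in de_leeted
               for name in org_names)


def check_password(password: str, org_names: list[str],
                   min_length: int = 12) -> list[str]:
    """Return a list of policy failures; an empty list means the password
    passes every check in this example policy."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if contains_org_name(password, org_names):
        failures.append("contains the organization's name")
    if has_sequential_digits(password):
        failures.append("contains a run of sequential digits")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs; "solarwinds123" is the password quoted in the post.
    for candidate in ["solarwinds123", "S0larW!nds-2021", "pw987x",
                      "correct-horse-battery-staple"]:
        result = check_password(candidate, ["SolarWinds"])
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run as a script it reports each failing rule per candidate; imported, `check_password` returns the failure list so it can be wired into an account-creation workflow. A real deployment would add a breached-password lookup and a dictionary check on top of these structural rules.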