You've most likely heard the recent news of the large Solarwinds breach that was discovered in December of 2020. While there is a lot of information out there already and more coming almost daily, we wanted to take the time to break down the attack and discuss some takeaways from a small business point of view. To listen to a podcast version of this discussion visit www.mapletronics.com/podcast or search "Mapletronics Tech Talk" on your favorite podcast app.
Overview of the attack, who was effected, and what effects have come out so far from the breach?
Solar Winds has a network monitoring product called Orion that is geared toward federal government agencies. In March of 2020, a hacker group believed to be a affiliated with the Russian government was able to place malware into Solar Winds systems.
The malware installed malicious code into an update for the Orion software and this update was installed onto about 18,000 networks that use Orion.
Homeland Security, State Department, and the Treasury Department were affected among many others including Microsoft. The malicious update gave hackers broad reach into the systems it infected. This means the hackers could see nearly everything in the network including files and email This type of attack is called a Supply Chain attack as it installs within normally safe software or updates and spreads to all who install. The malware laid dormant on Solar Winds systems for at least 2 weeks before deploying into the update.
When we look at this large breach in a more practical small business sense and begin to think about how we can better protect our own organizations the concept of a Zero Trust network is something to consider. Here is a summary of what a Zero Trust Network entails:
Implementing a Zero Trust architecture in your network can help mitigate a Supply Chain attack. We have always been concerned with our network’s perimeter and now need to think about it internally by preparing for the fact that a virus is going to get through our perimeter defense. Zero Trust incorporates least-privileged access which means users and programs in your network can only see and use what they need to use among other internal security facets.
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Micro-segmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time. Read more about zero trust architecture here.
Another important aspect to protecting your organization from a breach similar to that of the SolarWinds breach is having a robust system in place for detection, so if a breach happens you can quickly identify it and decrease the implications from the event. What does a detection strategy look like for an organization?
For years organizations (including us here at MapleTronics) have focused primarily on prevention as a tactic to keep hackers from accessing data. While prevention such as firewalls, passwords, and anti virus software remain very important, it's not necessarily enough with how advanced hackers are in 2021.
In addition to a robust prevention strategy, organizations should consider using a detection strategy such as a SIEM to help monitor their network and quickly be able to identify when a bad actor has gotten access. A SIEM works by collecting and reviewing your log files in real time. All of your network devices generate log files when any events or actions occur. If, for example, a new software is installed to your computer and your computer starts talking to another computer in China and a new network process is started, log files are automatically generated. These log files typically just sit on your device and are purged by the device after a period of time. These log files are actually very important in detecting an anomaly on your network if they are monitored. A SIEM does this monitoring for you. Read more about a SIEM here.
It is logical to conclude that because the SolarWinds breach sat undetected from May 2020 - December 2020, if all of the organizations involved would have had a SIEM monitoring their networks the breach could have been discovered long before it was. This could have theoretically minimized a portion of the damage done.
What are some other areas of focus that small businesses can begin looking at to prevent a breach like this from impacting their organization?
Continue focus on Human OS - we've said it before and we'll say it again. The biggest threat to your organization's security is the users that have access to your network. Be sure to regularly educate your users so they know how to avoid being a phishing victim and keep your data protected.
MFA - While a complex password is still an important step in securing accounts, Multi-Factor Authentication (MFA) continues to be even more important. MFA adds an additional step to the login process by making you verify your identity with a code generated either by an app on your mobile device, a text message, or an email. Adding this additional step to logging in makes it much harder for unwanted agents to gain access. Whenever you have the option to turn MFA on you should do it to help protect your data.
Have a robust backup system in place - while no one wants to think about having a breach or having data held ransom, it is the unfortunate reality for many small businesses. Having a plan in place for if the worst case scenario happens is very important. Whether you choose to back up to the cloud or use an on premise device, make sure you have a way to access your files if you loose them and make sure you regularly are backing them up.
While the SolarWinds Orion breach affected several very large corporations, as you can see there are several key takeaways for small businesses to take into consideration. If you have any questions or would like more information about anything discusses please reach out to us. You can contact us here or call us at 574.534.2830.