What can agencies do today to guard against hacks like SolarWinds?
The recent SolarWinds supply chain hack will go down as one of the most serious of 2020, but it’s likely to be just the beginning of more concerted efforts by bad actors to interfere with security in both the government and private sectors. To stand a better chance against being victimized by this and future incursions, agencies’ best bet would be to adopt a zero-trust approach and ensure they have strong supply chain risk management plans in place.
The most recently available information indicates the SolarWinds hacks were perpetrated by foreign state actors and that trojanized patches to the SolarWinds Orion product had allowed hackers to compromise several public and private organizations. These same reports indicate that the Departments of Homeland Security, Agriculture, Commerce and Treasury were affected, and other entities around the globe also may have been victims. Cybersecurity companies were similarly affected by the hack, including the cybersecurity firm FireEye.
The Cyber and Infrastructure Security Agency has directed that the SolarWinds network management product Orion be completely turned off of federal networks, but let’s face it – that’s like locking the barn door after the horse has escaped. Until current remediation efforts are completed, it’s fair to wonder what damage this data breach may do in the future and how many other backdoors have been implemented.
Zero trust and encryption for data protection
Zero trust may be one way government agencies can protect their data from these types of attacks. An IT network design approach, zero trust begins with the concept that that networked devices should not be trusted by default, even if they are connected to a managed corporate network and were previously verified.
In short, with zero trust agencies must act as if someone or something has already compromised the network. It is a journey consisting of many layers, processes, steps and strategies within the infrastructure — whether that infrastructure is in the data center or in the cloud.
But given the many nasty things likely to be lurking inside networks, what can agencies do this very minute to minimize the potential threat? Not surprisingly, data encryption tops the list.
The annual Thales Data Threat report has always stated that the most effective way to thwart hackers is to encrypt data with access controls.
Data at rest is by far the greatest target for hackers. Stealing data at rest is far easier than attacking data in motion. To best secure data, agencies should discover sensitive data in any form (that means checking files, databases and even big data analytics) wherever it resides — on premises, in cloud and virtual environments and across back-up systems. This sensitive data should then be protected through encryption, granular access controls and multifactor authentication. This process applies protection directly to the data and ensures only authorized users have access to it. It also protects user credentials from being compromised and created locally on the network (which is how the hackers breached SolarWinds).
Agencies should also remember to protect and control the cryptographic keys used in the encryption process. These “keys to the kingdom” should be secured and managed in a FIPS 140-2 certified key manager for maximum protection. Data encryption is especially critical when dealing with cloud infrastructure. According to the Cloud Security Alliance, a best practice is to encrypt data in the cloud and manage the encryption keys on premises inside a FIPS-certified boundary with delegation of duty. (More information on CSA’s best practices for encryption can be found here).
Agencies that cannot deploy their own cloud encryption should adopt bring-your-own encryption keys to their cloud service provider so they can control their own encryption key lifecycle.
The supply chain is the weak link
As previously noted, bad actors are not directly attacking the network or the cloud to gain access — they are attacking the products running on critical infrastructures. It is the weak link in the protection of the nation’s most important data.
Over the long term, agencies and their vendor partners should establish strong supply chain risk management requirements. Suppliers should perform validation and code signing/authentication on all updates for software running on critical networks. Additionally, suppliers should evaluate and vet all third-party software used in their products.
The current SolarWinds data breach is unfortunate, and its repercussions are likely to echo for years. The steps outlined here can address some near term solutions to protect agency infrastructure from the next vulnerability – and, in the longer term, strengthen the supply chain that supports almost every infrastructure for federal agencies, systems integrators and commercial companies.