SolarWinds: Who’s to Blame? Going Beyond the Cloud

In February, the Senate Intelligence Committee hosted a hearing about the supply chain attack that affected SolarWinds and dozens of other companies and federal agencies, raising four key issues:

• How Amazon Web Services may have been used to host malicious infrastructure;
• Why the attackers conducted a “dry run”;
• What the true motives were for the attack, which apparently was waged by Russian hackers; and
• How the incident could lead to better cyberthreat and intelligence information sharing.

While these points are all valid to uncover the scope and motive of this attack, they do not help credit unions understand the necessary actions to improve protection. The lesson of this breach is not limited to SolarWinds. For credit unions considering how to respond to the SolarWinds breach, simply dropping SolarWinds as a vendor will not eliminate vulnerability of the systems and vendors that have access to your network. Credit unions need to assess all of their vendors to understand the remote monitoring and management tools installed on their networks, and how they manage security and mitigate risk when using those tools.

Credit unions are responsible for the security of their members, with the understanding that the supply chain is inherently vulnerable. Credit unions are technology aggregators, providing tools to their members from various vendors, which increases points of vulnerability. Therefore, it is critical that credit unions better understand what technology is in use, what it does and how it all is connected. More importantly, relationships with technology vendors must be managed as if they are internal team members. Security is the responsibility of credit union leadership.

Vendors and credit unions are most certainly using tools like SolarWinds, and hosting software applications through Amazon Web Services (AWS) or Microsoft. They should be. But vendors need to be managed and selected based on their ability to work aggressively on behalf of their clients and credit unions to mitigate the risks associated with these environments. Credit unions need to understand the security practices of these vendors, by asking the right questions and demanding transparency from those vendors. Cybersecurity requires complex planning, monitoring and agility. It is never appropriate to have a one-time solution. Cybersecurity has to continuously evolve and adapt to stay one step ahead of threats.

To blame AWS for not breaking security standards by peering into confidential and secret IT environments violates the integrity of what they do as a cloud provider. This breach could have occurred no matter where SolarWinds was hosted or where the hackers bounced their data. To blame AWS is a distraction from the bigger issue. By that rationale, if the bad guys were sitting in a Starbucks in Ukraine while they were orchestrating the hack, then no one should ever go to a Starbucks again.

This event is an opportunity for us to learn and improve before it affects our members. The number of cyber-attacks that occur daily is staggering. The sheer number is enough to make anyone concerned about the state of technology and ensuring that businesses are leveraging the right vendors, products and practices. This situation requires urgency and needs to get solved quickly because for every new advancement made on the defensive or proactive side, another is made on the offensive side.

Just like our own immune systems, the ability to share knowledge of how to thwart an attack, or when and where attacks are happening, can make the difference in whether an organization must close its doors due to threats such as ransomware. By having shared databases of IP addresses, attack types, threat analysis data, and most importantly shared frameworks to automatically add that information into our cybersecurity tools is something that the world needs to take very seriously. It is not an “every organization for themselves” situation because if any single organization continues to be successfully crippled by these attacks, the attackers will continue to have motive. Instead, an “all for one and one for all” mentality really needs to be leveraged to protect business and public infrastructure. And what better industry to collaborate and share threats than credit unions. By working together, we can protect all of our members.

Credit unions are responsible for their members’ data, period. Member data is everywhere. They have vendors using clouds, vendors providing management with SolarWinds and other similar problems. We all have risks – SolarWinds wasn’t the first and it won’t be the last.

There is a plethora of technical best practices and tools that can be leveraged to mitigate risk and attack scenarios, but ultimately mitigating risk requires enacting frameworks and policies, which have been around for some time and take nothing but a little planning, dedication and time. Implementation of those tools in layers with well-designed policy is often the best course of action. Least-privileged access, zero-trust networks, patch policies, network segmentation and data segmentation are all concepts that an organization of any size can leverage to mitigate the majority of risks. But each credit union must build the strategy that works for them. Hopefully we can all help each other to protect the industry.

Chris Sachse is CEO for Think|Stack, a cybersecurity firm specializing in support for credit unions and non-profits based in Baltimore, Md.  

Zachary Hill is Chief Technology Officer for Think|Stack.