THE FIREEYE & SOLARWINDS BREACH – WHAT NOW?
Monday’s cybersecurity news cycle will be dominated by the suspected Russian hack of the Department of Defense, Department of Commerce, and the Department of Treasury. As first reported by Reuters, with additional coverage by The Washington Post and Forbes, the National Security Council scheduled an emergency weekend meeting (abnormal for any bureaucrat) to address the scope and impact. The Cybersecurity and Infrastructure Security Agency (CISA), which saw a change in leadership last month, is certainly going to be busy. And here I thought I was going to be on opinion watch from the United States Supreme Court on the pending Computer Fraud and Abuse Act case.
What does this mean for private industry, state, and local governments? First, gather information on how the attack succeeded and look for similarities between your organization and the known victims. Fortunately, the two companies at the center of the incident have spoken publicly: FireEye, which disclosed that it was itself breached, and SolarWinds, whose software update was the vehicle through which the attack was delivered. Note the distinction: FireEye is a victim, not the vector; the intrusion into the named agencies came by way of SolarWinds.
FireEye, a publicly traded cybersecurity company headquartered in California, holds significant government and private sector contracts. Its offering is built around a single platform that combines Mandiant threat intelligence and security validation services with endpoint detection tools, and it collects indicators of compromise (IOCs) from customer engagements to improve its red team and detection capabilities. SolarWinds, located in Austin, Texas, is also publicly traded and sells IT infrastructure monitoring and management software; its Orion platform is a long-lived product that many organizations run as legacy infrastructure. The attackers are believed to have compromised SolarWinds’ software build and update process and shipped a trojanized Orion update to customers: a software supply chain attack, in which the malicious code arrives through the normal, trusted vendor update channel rather than through any flaw in the victim’s own network.
Therefore, if your entity uses FireEye for security services or SolarWinds for infrastructure monitoring and management, consider engaging a separate cybersecurity consultant to assess current exposure. Looking at the current state of events in the world and the entities known to be targeted, healthcare institutions need to pay the most attention given the imminent distribution of COVID-19 vaccines. Do not assume you already know the answer: ask your IT department or MSSP today whether any SolarWinds product, and Orion in particular, is installed anywhere in your environment and which version is running, and whether FireEye tools are deployed. Treat any host running Orion as suspect until it has been checked against the vendor’s and CISA’s guidance as that guidance is published.
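Answering “are we a SolarWinds customer?” should come from the hosts themselves, not from memory. The following PowerShell is an added example for this post, not SolarWinds’ or FireEye’s own tooling. It inventories a Windows host for installed products, services and running processes whose names or paths contain “SolarWinds”; the function name and the `$Vendor` parameter are mine, and the script assumes the vendor’s installers register uninstall entries and services whose display names include that string.

```powershell
# Added example (not vendor code): inventory a Windows host for SolarWinds
# products, services and processes so the "are we a customer?" question can
# be answered from evidence. Assumption: vendor installers and services use
# display names or paths containing "SolarWinds"; the wildcard match relies on it.

function Get-SolarWindsFootprint {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: substring to look for in product, service and process names.
        [string]$Vendor = 'SolarWinds'
    )

    # Both registry views, since the product may be registered as 32- or 64-bit.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Installed products, with the version string the installer recorded.
    $products = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Vendor*" } |
        Select-Object @{n='Kind';e={'Product'}},
                      @{n='Name';e={$_.DisplayName}},
                      @{n='Info';e={$_.DisplayVersion}},
                      @{n='Detail';e={$_.InstallLocation}})

    # Windows services, which is how monitoring platforms run unattended.
    $services = @(Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Vendor*" -or $_.PathName -like "*$Vendor*" } |
        Select-Object @{n='Kind';e={'Service'}},
                      @{n='Name';e={$_.Name}},
                      @{n='Info';e={$_.State}},
                      @{n='Detail';e={$_.PathName}})

    # Running processes whose image lives under a vendor directory.
    $processes = @(Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ExecutablePath -like "*$Vendor*" } |
        Select-Object @{n='Kind';e={'Process'}},
                      @{n='Name';e={$_.Name}},
                      @{n='Info';e={$_.ProcessId}},
                      @{n='Detail';e={$_.ExecutablePath}})

    $found = $products + $services + $processes
    if ($found.Count -eq 0) {
        # Emit an explicit "nothing found" row so a fleet-wide run shows every host.
        [pscustomobject]@{ Host=$env:COMPUTERNAME; Kind='None'; Name=''; Info=''; Detail="No $Vendor footprint found" }
    } else {
        $found | ForEach-Object {
            $_ | Add-Member -NotePropertyName Host -NotePropertyValue $env:COMPUTERNAME -PassThru
        }
    }
}

# Run locally:
Get-SolarWindsFootprint | Format-Table -AutoSize

# Or fan out across the estate (WinRM and administrative rights required),
# keeping the CSV as the record for whoever is doing the exposure assessment:
# Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-SolarWindsFootprint} |
#     Export-Csv .\solarwinds-inventory.csv -NoTypeInformation
```

The output is a list of hosts and what was found on each, with the product version alongside, so the consultant or CISO can compare it against the vendor’s and CISA’s published guidance rather than guessing. Run it from a host that is not itself managed by the monitoring platform in question: if the management tool is the thing you suspect, it should not be the thing you use to investigate.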
Second, verify that your backups are complete and actually restorable before you need them: confirm that at least one copy is offline or otherwise out of reach of the monitoring and management tools an intruder in this position would control, and test a restore rather than trusting a green status light. Third, if your entity has a chief security officer or chief information security officer, let that person manage the situation with access to sufficient resources. If he or she believes a third-party security audit is warranted, grant the request.
And finally, treat this incident as a case for diversity in security. FireEye and SolarWinds both advertise that they serve all branches of the Department of Defense, multiple agencies of the federal government, and several of the largest telecommunications providers. Therefore, the targets on their backs were enormous. If your entity has multiple affiliates or networks segregated by office, use different security and management vendors so that a single point of failure cannot cripple your entire infrastructure. One caveat: vendor diversity does not by itself contain a compromised management tool. Monitoring and administration software holds privileged credentials for the systems it manages, so whichever vendor you choose, run it with the least privilege it needs, restrict its outbound network access to what it actually requires, and log what it does, so that a trojanized update has less to reach and leaves a trail when it tries.
Good luck to all in the next several days.