By now everyone in the security world has heard of the SolarWinds breach and the fallout that continues to unfold. The media has certainly paid a lot of attention to this story; Fortune magazine, for example, ran an article entitled “A Digital Pandemic Tops off Coronavirus Woes.” With so many companies and government agencies affected, we will continue to hear about the story and the damage for many months to come.
Let’s take a step back from the rhetoric for a moment and use this as a learning opportunity, and maybe we can make a few comparisons to the COVID-19 global pandemic as a way towards helping prevent a real digital pandemic. With that in mind, let’s discuss hygiene.
Good Hygiene Goes a Long Way
The old adage may say it best…an ounce of prevention is worth a pound of cure. One thing we have learned from the COVID-19 pandemic is that tried and true best practices for proper hygiene were necessary to prevent things from getting worse. Wash your hands, cover your mouth when you cough, and stay away from people and places that could cause infection.
Attacks on companies aimed at gaining access to, or control of, their software are a digital pandemic. We recently saw this with SolarWinds and FireEye, and with the foiled attempt against Tesla. Sunburst, the backdoor planted in SolarWinds Orion builds and used to compromise FireEye among many other customers, was extremely dangerous because it arrived through a trusted, signed update. So how do we protect our businesses? Much as we protect ourselves from COVID-19: with proper hygiene.
1. Ensure you have the right Personal Protective Equipment (PPE). For COVID-19 this means masking up to prevent the virus from entering your body. For a software development environment, it means protecting your code-signing keys and your SAML token-signing keys in a hardware security module (HSM), as both Microsoft and the U.S. National Security Agency (NSA) recommended in the wake of the SolarWinds incident. Keys that never leave the HSM cannot be copied off a compromised server and used to sign malicious builds or forge authentication tokens. Furthermore, fixing the weak links in the supply chain by testing and verifying the integrity of all software you deploy (including software from third parties) is another measure that protects your infrastructure, the way you guard your household by evaluating anyone or anything that you and your family come in contact with.
2. Control access to the most vulnerable resources. For COVID-19 this means defining who is privileged to be part of your bubble. Who is considered important and necessary? The same is true for your data. Restrict access to it by enforcing least privilege: grant users and services only the resources and applications they need, and enforce that with identity and access management (IAM) controls. Sometimes you will have to admit people from outside your usual permission bubble, like when your child invites a friend over. While you can tell the kids they are limited to the backyard, you still need to stay vigilant and protect the inside of your home. You need to make sure that if some data is ‘touched,’ your entire house isn’t infected. Isolate and limit spread by ensuring that all data access follows least privilege, even for insiders (welcome and not welcome). This is explained further in our blog posts, Use Encryption and Access Controls to Mitigate Malware and Ransomware Damage, How Ransomware Leverages Unprotected RDPs and What You Can Do About It, and our ransomware mitigation demo.
3. Contact tracing. Like the real world, your business is complex, and mistakes happen. When they do, you need to quickly stop the spread of infection to minimize damage. This is why it is important to log all successful and failed access to devices, applications and data. This sounds obvious, but do you know about all of your file activity? You surely capture authentication and network logs, but what about data access? Most companies don’t. This is akin to having an asymptomatic COVID-19 carrier silently spreading the virus across your servers. Infected carriers are accessing the data and escalating privileges, and most companies don’t know for months. In fact, 56% of companies reported Privilege Abuse, the use of legitimate access for illegitimate purposes (Verizon 2020 Data Breach Investigations Report). Address this with encryption products that offer file activity monitoring, so that every read and write of protected data, permitted or denied, produces a record you can trace.
4. Get the vaccine. Is there a 100% effective vaccine today? No. However, getting a vaccine helps your body defend itself. Similarly, encryption is a powerful failsafe. If your business is breached but the stolen software or sensitive data is encrypted or tokenized, and the keys are strongly protected, the attacker walks away with ciphertext they cannot use. That does not make your business immune, and even after we take a vaccine we want to keep protecting ourselves and our businesses. We don’t want to take unnecessary risks by relying on a single security solution. Even after a flu shot, we should still wash our hands and take precautions.
5. Listen to the experts. The U.S. Centers for Disease Control and Prevention (CDC) provides guidance on how to minimize the risk of COVID-19 infection and how to reopen businesses safely. Similarly, organizations should listen to the cybersecurity experts: the U.S. National Institute of Standards and Technology (NIST) on authentication assurance, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) on vulnerabilities and remediation, and the International Organization for Standardization (ISO), whose ISO/IEC 27001 is the de facto standard for information security management systems.
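Items 2 and 3 above come down to two mechanisms: a deny-by-default policy that grants each identity only the resources and actions its role needs, and a monitor over the access log that notices when that policy is bypassed or when legitimate access starts looking like abuse. The script below is an added example (not code from the original post or from any Thales product) that implements both over a small audit log. The policy, the role and principal names, the paths, the thresholds and the JSON log format are all hypothetical, and the log lines are constructed for the example.

```python
"""Least-privilege authorization check plus file-activity monitoring over a
constructed audit log. Added example; the policy, paths, principals and log
format are hypothetical, not taken from the original post or any product."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical least-privilege policy: a role may perform only the listed
# actions on resources under the listed path prefixes. Everything else is denied.
POLICY = {
    "payroll-clerk": {"prefixes": ("/data/hr/payroll/",), "actions": {"read"}},
    "build-service": {"prefixes": ("/data/build/",), "actions": {"read", "write"}},
    "backup-svc":    {"prefixes": ("/data/",), "actions": {"read"}},
}
SENSITIVE_PREFIXES = ("/data/hr/", "/data/keys/")   # data worth alerting on
MASS_ACCESS_THRESHOLD = 5    # distinct sensitive files per principal per window
FAILURE_BURST = 3            # denied attempts before a success is suspicious
WINDOW = timedelta(minutes=10)
REQUIRED = ("ts", "principal", "role", "resource", "action", "outcome")


def authorize(role, resource, action):
    """True only if the role's policy explicitly allows the action on a resource
    under one of its prefixes; unknown roles and unlisted actions are denied."""
    rule = POLICY.get(role)
    if rule is None:
        return False
    return action in rule["actions"] and resource.startswith(rule["prefixes"])


def parse_log(text):
    """Parse newline-delimited JSON audit records. A malformed record is kept
    as a finding rather than crashing the monitor: a log you cannot parse is
    a log you cannot trace."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict) or not all(k in rec for k in REQUIRED):
                raise ValueError("missing field")
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
        except (ValueError, TypeError):
            events.append({"malformed": line})
    return events


def detect_abuse(events):
    """Return findings as tuples: a success the policy would not have granted
    (privilege escalation or misconfiguration), a burst of denials followed by a
    success (probing), mass access to sensitive files by one principal within
    the window (legitimate access used for an illegitimate purpose), and
    malformed records."""
    findings = []
    sensitive_seen = defaultdict(list)   # principal -> [(ts, resource)]
    failures = defaultdict(list)         # principal -> [ts of denied attempts]
    for ev in events:
        if "malformed" in ev:
            findings.append(("malformed-record", ev["malformed"]))
            continue
        who, res, act = ev["principal"], ev["resource"], ev["action"]
        if ev["outcome"] != "success":
            failures[who].append(ev["ts"])
            continue
        if not authorize(ev["role"], res, act):
            findings.append(("access-outside-policy", who, res, act))
        recent_fail = [t for t in failures[who] if ev["ts"] - t <= WINDOW]
        if len(recent_fail) >= FAILURE_BURST:
            findings.append(("failures-then-success", who, res))
            failures[who].clear()
        if res.startswith(SENSITIVE_PREFIXES):
            hist = sensitive_seen[who]
            hist.append((ev["ts"], res))
            recent = {r for t, r in hist if ev["ts"] - t <= WINDOW}
            if len(recent) >= MASS_ACCESS_THRESHOLD:
                findings.append(("mass-sensitive-access", who, len(recent)))
                hist.clear()   # one alert per window, not one per file
    return findings


# Constructed sample log (not real data). build-bot reads a signing key outside
# its policy; bob fails three times then succeeds at writing a token-signing key;
# carol's backup role legitimately reads five HR files in a minute.
SAMPLE_LOG = """
{"ts": "2021-01-05T09:00:00", "principal": "alice", "role": "payroll-clerk", "resource": "/data/hr/payroll/jan.csv", "action": "read", "outcome": "success"}
{"ts": "2021-01-05T09:01:00", "principal": "build-bot", "role": "build-service", "resource": "/data/build/orion.dll", "action": "write", "outcome": "success"}
{"ts": "2021-01-05T09:02:00", "principal": "build-bot", "role": "build-service", "resource": "/data/keys/codesign.pem", "action": "read", "outcome": "success"}
{"ts": "2021-01-05T09:03:00", "principal": "bob", "role": "backup-svc", "resource": "/data/keys/saml-signing.pem", "action": "write", "outcome": "failure"}
{"ts": "2021-01-05T09:03:05", "principal": "bob", "role": "backup-svc", "resource": "/data/keys/saml-signing.pem", "action": "write", "outcome": "failure"}
{"ts": "2021-01-05T09:03:10", "principal": "bob", "role": "backup-svc", "resource": "/data/keys/saml-signing.pem", "action": "write", "outcome": "failure"}
{"ts": "2021-01-05T09:03:20", "principal": "bob", "role": "backup-svc", "resource": "/data/keys/saml-signing.pem", "action": "write", "outcome": "success"}
{"ts": "2021-01-05T09:05:00", "principal": "carol", "role": "backup-svc", "resource": "/data/hr/employees/a.csv", "action": "read", "outcome": "success"}
{"ts": "2021-01-05T09:05:10", "principal": "carol", "role": "backup-svc", "resource": "/data/hr/employees/b.csv", "action": "read", "outcome": "success"}
{"ts": "2021-01-05T09:05:20", "principal": "carol", "role": "backup-svc", "resource": "/data/hr/employees/c.csv", "action": "read", "outcome": "success"}
{"ts": "2021-01-05T09:05:30", "principal": "carol", "role": "backup-svc", "resource": "/data/hr/employees/d.csv", "action": "read", "outcome": "success"}
{"ts": "2021-01-05T09:05:40", "principal": "carol", "role": "backup-svc", "resource": "/data/hr/employees/e.csv", "action": "read", "outcome": "success"}
not json
"""

if __name__ == "__main__":
    for finding in detect_abuse(parse_log(SAMPLE_LOG)):
        print(finding)
```

Note that carol's reads are all permitted by her role, so an authorization check alone would never flag them; only the file-activity history catches that a backup identity touched five HR files in a minute. Conversely, bob's successful write is the event to chase hardest: the policy says backup-svc cannot write anything, so either the enforcement point disagrees with the policy or the identity has been escalated, and the preceding denials suggest someone was probing for exactly that gap.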
None of this is a new or novel approach to information, DevOps or organizational security. Taken together, these measures are a very effective way to prevent the next “digital pandemic.” It is important to understand that no single one of these approaches solves the problem, and dropping your guard anywhere along the chain of security hygiene creates an opportunity for infection. As we all now know, hygiene is a continual, ongoing process that must be followed diligently. It is no longer optional. The same holds true for your organization, where layered security has been the best practice for digital defense for decades and still is today.
To learn more about how HSMs provide the foundation for digital security, see An HSM’s role in securing digital transformation and Luna HSMs: the foundation for digital security.