As third-party risk professionals, we’re all too familiar with data breaches and bad actors. And, when a really nasty one occurs, especially one that could potentially threaten national security, we feel the effects alongside the rest and are strongly reminded why third party-risk management is so important.
The SolarWinds data hack has left many scrambling to pick up the pieces, while many set out to figure out how this happened in the first place. For those who still have questions, we’ll outline some background, go over what’s been uncovered so far and offer some solutions should you find your organization may be affected.
What Happened?
Texas-based enterprise monitoring software provider, SolarWinds, which serves as a vendor for more than 300,000 customers (both public and private, including every branch of the U.S. military and four-fifths of the Fortune 500 companies), has recently found itself at the center of an international hacking crusade affecting some of our country’s largest vendors. To get a bit more specific, SolarWinds provides many information technology tools which support network monitoring.
Just a few weeks ago, FireEye — a leading cybersecurity company — reported that it had been hacked, and in the process, also identified that SolarWinds’ IT monitoring and management software, Orion, had been compromised by the same crusade. The attack allowed hacker compromised software to be installed on the systems running certain tools offered by SolarWinds (Orion) and while SolarWinds has provided updated versions of the software, unfortunately, the damage has already been done. Any system which came in contact with the compromised software may be infected or ravaged of sensitive information.
The domino effect of this attack is among the worst we’ve seen, and almost daily, an increasing number of affected parties are coming out of the woodwork — many of which are resellers of affected software themselves. For example, Microsoft is one of the affected parties. Many Microsoft software licenses are sold through third parties, and those organizations can have near constant access to clients' systems as the customers add products or employees, making it even more critical to monitor the risk and access associated with third parties. Likely, the trickle-down effect of this hack has only just begun.
While the aftermath of the breach is still unfolding, here are a few of the most recent updates:
- The New York Times reported that the SolarWinds supply chain attack is believed to have impacted as many as 250 government agencies and businesses.
- Microsoft admitted that the attackers gained access to some of its source code via third-party resellers of its licenses, but the company insists they couldn’t have made any modifications to the code.
- A class-action lawsuit has been filed against some of the top SolarWinds executives, citing poor data security practices and possible collusion.
- A federal task force — which includes the FBI, CISA, ODNI and NSA — has been created to help further investigate and mitigate damage.
What Should SolarWinds Clientele Do?
First, if any organization uses SolarWinds themselves, it’s critical to verify whether they’re using an affected version. Additional detection methods have been noted in an article from the UK National Cyber Security Centre, which can be found here.
Many clients will also want to check with their vendors, especially those with personal identifiable information (PII)/sensitive data access, as to whether those vendors were using the compromised version of the SolarWinds tools.
5 Questions to Ask Your Vendors
Some of these questions should include the following:
If the answer to the first question is “No,” there’s no need to continue further.
- Are you currently running, or have previously run, a known affected version of a SolarWinds product?
- Have you updated the affected products to the now current, unaffected version?
- What actions are you taking to mitigate the risk of the systems being compromised?
- Are you aware of any suspicious activities or compromise of data related to this SolarWinds incident?
- Are you aware if any third parties you share our data with use, or used, affected SolarWinds products? If so, what data is shared with them and what mitigating activities are they taking related to this SolarWinds incident?
The SolarWinds hack is a strong reminder why third-party risk management is so important. Not only was SolarWinds breached, but so were many of their own clients and vendors as a result. It’s critical that you know what third-party risk management and cybersecurity measures your vendors have in place to help prevent a breach and protect your data at all times. You never know where a bad actor may be lurking.
Have you been affected by the SolarWinds breach or a cybersecurity issue with a different vendor? Find out what next steps to take. Download the infographic.
