During the 2020 holiday season, I felt a disturbance in the force, as if thousands of cybersecurity professionals suddenly cried out in terror. People had to drop whatever they were doing and start remediation planning immediately, and the episode was a stark reminder of how little control most organizations have over their software supply chain.
Let’s revisit one of the destroyers of the holidays last year.
The SolarWinds Attack
One of the largest publicly known supply chain attacks was disclosed in December 2020. If you haven’t read about it yet, SolarWinds’ own security advisory and the links at the end of this post are a good starting point. Supply chain attacks are an emerging class of threat that targets software developers and suppliers rather than the end customer. The goal is to compromise source code, the build process, or the update mechanism so that a legitimate, signed application becomes the vehicle that delivers malware to everyone who installs it. In the SolarWinds case, a backdoor was inserted into builds of the Orion platform and shipped to customers as a routine update.
The scale of the SolarWinds breach is massive and hard to overstate. Upwards of 18,000 customers installed the trojanized Orion update and were exposed to follow-on attacks. How many were actually compromised is probably unknown to everyone except the attackers themselves, who pursued only a subset of those victims further. The attack was discovered only because FireEye, one of the top cybersecurity firms in the world, detected an intrusion into its own network, found that its internal red team tools had been stolen, and traced the initial access back to the SolarWinds Orion update. Let me state that differently: had FireEye not noticed that one intrusion, it is likely that no one would have identified SolarWinds as the source yet. It would be impressive if the fallout weren’t so widespread and impactful. And again, I don’t think you can overstate the impact to the firms that were ultimately targeted.
ClearStar continues to field a fair number of questions concerning our own exposure. ClearStar does not use any SolarWinds software. However, it’s clear from the scope of the questions that a lot of organizations are rightfully concerned about SolarWinds deployments. (As a precaution, ClearStar also investigated known IOCs related to the breach and found zero beaconing-related domains. Not that we expected to find any, just us being diligent.)
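The IOC sweep mentioned above, checking DNS logs for known command-and-control domains, is simple enough to show in full. The script below is an added example, not ClearStar’s tooling. The one real indicator it carries, avsvmcloud.com, is the SUNBURST C2 domain published in the CISA alert linked at the end of this post; the second IOC entry, the log format, and every log line are constructed for illustration. The point it makes is that domain IOCs must be matched label by label: a query for a subdomain of the IOC is a hit, while a lookalike that merely contains the string is not.

```python
"""Match DNS query logs against a domain IOC list (added example, not ClearStar code)."""
import re
from typing import Iterable, List, Optional, Tuple

# avsvmcloud.com is the SUNBURST C2 domain from CISA alert AA20-352a.
# The second entry is a hypothetical placeholder standing in for the rest of a feed.
IOC_DOMAINS = {
    "avsvmcloud.com",
    "example-ioc.invalid",
}

# Constructed sample lines in a simplified BIND-style query log format:
# "<timestamp> client <ip> query: <name> IN <type>"
# The long random label mimics the style of a DGA subdomain; it is made up.
SAMPLE_LOG = """\
2020-12-10T03:14:07Z client 10.0.5.23 query: updates.microsoft.com IN A
2020-12-10T03:14:09Z client 10.0.5.23 query: k3x9qzv2b7m0c4d1w8rt.appsync-api.us-west-2.avsvmcloud.com IN A
2020-12-10T03:15:01Z client 10.0.9.4 query: avsvmcloud.com.evil-lookalike.test IN A
2020-12-10T03:15:30Z client 10.0.9.4 query: mail.example.com IN MX
2020-12-10T03:16:12Z client 10.0.7.77 query: AVSVMCLOUD.COM IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_ioc(qname: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain if qname is that domain or a subdomain of it.

    Matching is label-aware: 'avsvmcloud.com.evil-lookalike.test' contains the
    IOC string but is not under the IOC domain, so it must not match.
    """
    q = normalize(qname)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if q == ioc_n or q.endswith("." + ioc_n):
            return ioc_n
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source IP, queried name, matched IOC) for each hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not query records
        ioc = matches_ioc(m["qname"])
        if ioc:
            hits.append((m["ts"], m["src"], normalize(m["qname"]), ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against the constructed log, the scan flags the two queries under avsvmcloud.com (one subdomain, one bare domain in upper case) and ignores the lookalike. A real sweep would feed in resolver or firewall logs and the full IOC list from the CISA alert.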
But let’s not miss the forest for the trees.
The Real Issue
The SolarWinds supply chain attack won’t be the last, because everyone is exposed to supply chain attacks. Secure software development process standards aren’t widely adopted. No organization is truly required to use multi-factor authentication everywhere. Organizations aren’t always focused on understanding how third-party libraries bring outside vulnerabilities into scope on company assets. There is very little transparency about what components make up a piece of software. There simply isn’t an accepted set of standards that lets you say your code is safe.
And not just your code.
When was the last time your internet-connected alarm panel was updated? When did you last check whether the embedded TCP/IP stack in that panel is current, or whether it is still exposed to Ripple20, the set of flaws in the Treck TCP/IP stack that is embedded in devices from many vendors? What about printers, UPS systems, IP cameras, or video conferencing systems? What about the water we drink?
The Possible Solution
Looking forward into this year, let’s all hope that the Consortium for Information & Software Quality (CISQ) makes progress on releasing its proposed Software Bill of Materials (SBOM) standard. An SBOM is a machine-readable inventory of the components, and their versions, that make up a piece of software. Being able to build an SBOM repository that is easily queried and shared would go a long way toward helping organizations understand their exposure when the next vulnerable component is announced. Software composition analysis, which generates that inventory from source and build artifacts and checks it against known vulnerabilities, is another subject that more and more firms outside the Fortune 500 are taking seriously. SOC 2 reporting is becoming a requirement for any company looking to provide B2B services, as are certain ISO certifications.
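To make the “easily queried” part concrete, here is an added example (not CISQ’s standard and not ClearStar code) of the kind of query an SBOM repository exists to answer: given an advisory saying component X is fixed in version Y, which of our applications still ship an older version? The SBOM documents follow the CycloneDX JSON layout, but the three applications and the package names (acme-widgets, acme-auth) are constructed placeholders. Components are keyed by their package URL with the version stripped, not by bare name, because the same name can exist in several ecosystems.

```python
"""Index CycloneDX SBOMs and find applications shipping an affected component
(added example; the SBOM documents and package names are constructed)."""
import json
from typing import Dict, List, Tuple


def _sbom(components) -> str:
    """Wrap a component list in a minimal CycloneDX 1.4 JSON document."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components})


# Constructed SBOMs for three hypothetical applications.
SBOMS: Dict[str, str] = {
    "billing-portal": _sbom([
        {"type": "library", "name": "acme-widgets", "version": "4.17.15",
         "purl": "pkg:npm/acme-widgets@4.17.15"},
        {"type": "library", "name": "acme-auth", "version": "2.24.0",
         "purl": "pkg:pypi/acme-auth@2.24.0"},
    ]),
    "hr-api": _sbom([
        {"type": "library", "name": "acme-widgets", "version": "4.17.21",
         "purl": "pkg:npm/acme-widgets@4.17.21"},
        {"type": "library", "name": "acme-auth", "version": "2.25.1",
         "purl": "pkg:pypi/acme-auth@2.25.1"},
    ]),
    "kiosk-firmware": _sbom([
        # Same name as the npm package but a different ecosystem; must not be confused.
        {"type": "library", "name": "acme-widgets", "version": "1.0",
         "purl": "pkg:generic/acme-widgets@1.0"},
    ]),
}


def purl_base(purl: str) -> str:
    """Strip version, qualifiers and subpath: pkg:npm/foo@1.2?q=1#sub -> pkg:npm/foo."""
    return purl.split("?", 1)[0].split("#", 1)[0].rsplit("@", 1)[0]


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions as integer tuples (so 4.17.9 < 4.17.15).
    Real tooling should use an ecosystem-aware comparator for pre-release tags etc."""
    return tuple(int(p) for p in v.split("."))


def component_index(sboms: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map versionless purl -> [(application, version), ...] across all SBOMs."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for app, doc in sboms.items():
        bom = json.loads(doc)
        for comp in bom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # a component without a purl cannot be matched reliably
            index.setdefault(purl_base(purl), []).append((app, comp["version"]))
    return index


def affected_apps(sboms: Dict[str, str], purl_prefix: str, fixed_in: str) -> List[Tuple[str, str]]:
    """Applications shipping `purl_prefix` at a version below `fixed_in`."""
    fixed = parse_version(fixed_in)
    return sorted(
        (app, ver)
        for app, ver in component_index(sboms).get(purl_prefix, [])
        if parse_version(ver) < fixed
    )


if __name__ == "__main__":
    # Hypothetical advisory: acme-widgets on npm is fixed in 4.17.20.
    print(affected_apps(SBOMS, "pkg:npm/acme-widgets", "4.17.20"))
```

With the sample data, the npm query returns only billing-portal: hr-api already runs a fixed version and kiosk-firmware’s component of the same name lives in a different ecosystem. The same index answers the simpler question of where any component is used at all, which is what you want on day one of the next SolarWinds.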
But you’re a background screening company? Why are you talking about supply chain risks and software?
No, ClearStar is a technology company. Our focus is helping others manage risk with background and medical screening, because employees are a source of information capital. Just as companies can’t afford to ignore the risks of supply chain attacks, neither can they ignore the risks that come with their employees. Companies have entire departments set up for managing risk, vulnerabilities, and cybersecurity, yet for some, a single employee background check during onboarding is considered enough.
For companies serious about success, security, including background screening, must be an ongoing effort. This is for the record.
Additional links concerning the SolarWinds attack:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
For The Public Record is a monthly blog featuring thought leadership from the most seasoned experts at ClearStar, across all functions of the background screening process.