Keith via plug on 16 Dec 2020 09:35:43 -0800


Re: [PLUG] OT: SolarWinds

On 12/16/20 11:37 AM, K.S. Bhaskar via plug wrote:
Spot on, Rich. Where we may disagree is that I don't think small companies should be cut any slack.

That said, it's usually the big companies that get cut slack: think of all the people that use Zoom despite the company's established track record of lax security. Or Microsoft… This is just an extension to IT of the decades-old saying, “If you owe the bank $1,000, the bank has you in its power, but if you owe the bank $1,000,000, you have the bank in your power.”

– Bhaskar

On Wed, Dec 16, 2020 at 6:36 AM Rich Kulawiec via plug <> wrote:
On Tue, Dec 15, 2020 at 11:50:51AM -0500, Mike Leone via plug wrote:
> We got a SolarWinds notification last night, and this morning, one of my
> co-workers updated to the latest version. 2020-02.1 HF1

Given this:

        Security researcher Vinoth Kumar told Reuters that, last year,
        he alerted the company that anyone could access SolarWinds update
        server by using the password "solarwinds123".

and this:

        Others - including Kyle Hanslovan, the cofounder of Maryland-based
        cybersecurity company Huntress - noticed that, days after
        SolarWinds realized their software had been compromised, the
        malicious updates were still available for download.

both of which are quotes from this:

        Hackers used SolarWinds' dominance against it in sprawling spy campaign

my recommendation would not be that you update it.  My recommendation
would be that you deinstall it and wipe/reload/restore the system(s)
which were infected with it.

Why?  Three reasons.

First, because these are appalling mistakes.  If they were a tiny startup
or an underfunded nonprofit I could cut them some slack, but they're
a $6B company whose products are installed all over the place.  With great
power comes great responsibility.

Second, because the company that made these mistakes quite likely made
others, equally or more egregious, that we don't know about yet.  I say
that because I've seen this movie before, many times, and it always
ends the same way.

Third, because I wouldn't want to be the person that has to explain --
to management, to auditors, to regulatory agencies, to anybody --
why I kept running software from a company that has already stacked
quite a bit of proof on the table that it's not competent to secure
that software.  *Last* week, before we knew all this, there might
have been some valid excuses.  *This* week there are none.


I would tend to agree that smaller companies shouldn't be cut any slack either, and I really agree with the idea that MS, Zoom, etc. are given way too much slack.  For instance, I personally find it 100% unacceptable that any security company would base any sort of security infrastructure on Windows, and yet that is exactly why we have such an abysmal security situation generally.  This is a different situation of course, but for me, I'm more interested in resilience than prevention.  The very first thing I tell people in any security conversation is that "something bad WILL happen, my job is to make sure you can still operate when it does."  Smaller organizations **should** always be more agile and able to adapt quicker, but too many chase the large guys.   Resilience and operational durability are built through constant testing and red teaming.  The reality is that that is easier to do when you are smaller, but it **has** to be done by all.  If you haven't broken your technology to understand your risks (and therefore how to mitigate them), you're doing it wrong and the bad people are going to teach you how.

Funny how their lessons are initially free.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
Philadelphia Linux Users Group