Rich Kulawiec via plug on 19 Dec 2020 10:07:56 -0800

Re: [PLUG] OT: SolarWinds
On Thu, Dec 17, 2020 at 11:40:10AM -0500, Rich Freeman wrote:

> > However, based on what we do know as of this moment: anybody still running
> > SolarWinds should rip it out by the roots right now and activate their
> > procedures for archiving/scrubbing/rebuilding compromised systems.
>
> While I get your argument, keep in mind the likely consequence of
> everybody doing this would be that in the future vendors will cover up
> any security issues and not inform their customers of compromises like
> this.

I have thoughts about this. ;)

First, vendors are *already doing that*. Why shouldn't they? The playbook is always to delay notification, to pretend they didn't know, to minimize the scope and impact, to claim they take security seriously, etc. That's not going to change until there are real consequences. Why should it?

Second, every day since this breach has been publicly disclosed, it's gotten worse. Let me go out on a limb here and predict that tomorrow it will get worse again, and the next day, and the next day. Based on what we already know, I stand by my statement above. Anything touched by SolarWinds should be presumed compromised and hostile, and should be burned down.

Third, that's exactly what's happening, right now, as I'm typing this, in some operations I have visibility into. It has to, because it would clearly be unprofessional and irresponsible to allow known-compromised systems to just keep running. This is true in any environment but especially so for those which handle personal data, anything covered by HIPAA, by PCI DSS, etc. That isn't specific to this incident: once a system is compromised, it's game over. It *cannot* be repaired. It *must* be rebuilt. This is a pain in the ass and unpleasant and disruptive and expensive but it's the only way.

> Ultimately what matters is what a vendor does in the future, not what
> they've done in the past.

Let's run with that, for a moment. Look at what Orion has done *since* this has come out.

- They failed to pull infected updates from their servers immediately
- Forget pulling the updates, they should have instantly shut down their update servers so that anyone who hadn't already downloaded an infected update couldn't do so
- They didn't advise all customers to shut down and remove all instances of their product, consider those systems as compromised, etc.
- They scrubbed their web site of their customer list -- you know, the one that they were bragging about just days ago
- They've been trying to minimize the scope of the problem by saying that "only" 18K systems were affected, even though we all know that every system/network those 18K could reach was also affected

This isn't a company focused on solving the problem. This is a company focused on covering its ass and preserving its market valuation.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug