Tag Archive for: SolarWinds

SolarWinds hack got emails of top DHS officials » Albuquerque Journal


Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries, The Associated Press has learned.

The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what’s known as the SolarWinds intrusion and it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can’t protect itself.

The short answer for many security experts and federal officials is that it can’t — at least not without some significant changes.

“The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,” said Sen. Rob Portman of Ohio, top Republican on the Senate’s Homeland Security and Governmental Affairs Committee. “We are talking about DHS’s crown jewels.”

……………………………………………………….

The Biden administration has tried to keep a tight lid on the scope of the SolarWinds attack as it weighs retaliatory measures against Russia. But an inquiry by the AP found new details about the breach at DHS and other agencies, including the Energy Department, where hackers accessed top officials’ private schedules.

The AP interviewed more than a dozen current and former U.S. government officials, who spoke on the condition of anonymity because of the confidential nature of the ongoing investigation into the hack.

The vulnerabilities at Homeland Security in particular intensify the worries following the SolarWinds attack and an even more widespread hack affecting Microsoft Exchange’s email program, especially because in both cases the hackers were detected not by the government but by a private company.

In December, officials discovered what they describe as a sprawling, monthslong…


SolarWinds CEO gives chief security officer authority and air cover to make software security a priority


New leader is also making changes to the software development process to make it harder for attackers to find vulnerabilities.

SolarWinds CEO Sudhakar Ramakrishna is making changes at the board level and in daily operations to change the company’s security mindset. The company launched a Secure by Design initiative in response to the recent cybersecurity attack. This project is designed to build security into the design phase of software development and to make security an ongoing instead of an after-the-fact priority. 

During a panel discussion about cybersecurity, Ramakrishna said he used his experience as an engineer and a manager to shape the company’s response to the attack. He created a cybersecurity committee for the board that includes him and two sitting board members. He also said that he has given the company’s chief security officer the power to stop any software release if necessary to address security concerns.

“We’re providing independence, confidence and air cover to build a level of comfort and create a seat at the table,” he said. 

He said companies have to raise the profile of security officers to the board level to illustrate the importance of the role to the entire company. 

“Otherwise it just becomes a cost line item in the P&L,” he said.

Ramakrishna described his plan for changing the company’s security culture during a “Big Breaches” panel discussion with the authors of a new book and several industry security experts.

In a discussion about how to reduce the frequency of these attacks, Jimmy Sanders, head of security for Netflix and ISSA International Board of Directors, said that the industry needs to adopt a different approach to security, one that requires bad actors to succeed with an attack multiple times to gain access instead of just once.  


Ramakrishna said his company is experimenting with an approach like this. The…


The Cybersecurity 202: Senate panel delves into SolarWinds hack


Lawmakers want to know just what is being done within the federal government to reduce the likelihood of another such attack.

Three witnesses will field questions from the panel: the acting director of the Department of Homeland Security’s Cybersecurity and Information Security Agency (CISA); the acting assistant director of the FBI’s Cyber Division; and the chief information security officer from the Office of Management and Budget.

Those questions are likely to focus on specific changes the government is implementing to better guarantee the security of contractors, the progress of internal audits in cases where agencies were compromised, and which entities are responsible for coordinating a government-wide response.

The Biden administration has promised a more aggressive stance against foreign hackers, especially those backed by Russian government entities. Last month, the administration signaled it was planning to sanction Moscow for the SolarWinds hack, alongside the poisoning of Russian opposition leader Alexei Navalny, which the United States has also blamed on the Kremlin. While the administration has announced sanctions against Russia for Navalny’s poisoning, sanctions for the SolarWinds attack have yet to materialize.

Since the revelation of the SolarWinds hack late last year, tech giant Microsoft has admitted that its email systems — which are also used by U.S. government agencies — were subject to their own hacking, likely by China. The disclosure of that hack has raised new questions about how the Biden administration will implement a policy of cyber deterrence against a range of adversaries and threats — many of them state-sponsored — with varying motivations.

For example, earlier this week, two of the agencies whose representatives will face senators on Thursday released a declassified report showing that while Russia and Iran were among the countries trying to influence the outcome of the 2020 election, China was not.

The report — which determined that Vladimir Putin directed the Kremlin to carry out influence operations against President Biden and Democrats during the 2020 election — also repudiated many of the conspiracy theories former…


Security labeling could raise the cyber bar, but won’t stop next SolarWinds


Plans from the Biden administration to release a product security rating system could raise the bar for security overall, say experts, but won’t likely prevent the next SolarWinds or Microsoft hacks.

In a briefing to reporters Friday, a senior official compared the forthcoming rating system to the health and safety letter grades at restaurants. And it is a concept that the cybersecurity community has batted around for some time: place a label on the box that says a product is or is not secure, and let consumers create a market around security.

But experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks and could create a false sense of complacency.

“Labeling won’t solve nation-state problems, no matter how good the label is, even if it’s perfectly enforced and sets a really high bar,” said Beau Woods, cyber safety innovation fellow at the Atlantic Council and a volunteer with the internet-of-things security advocacy group I Am The Cavalry. 

Several governments, both individual nations and the European Union, have pursued cybersecurity standards in recent years, particularly around IoT devices. At the briefing, the administration specifically mentioned Singapore’s labeling law. Labels create a voluntary basic cybersecurity standard.  

The problem is that basic standards do a good job addressing the vast majority of hackers, but they do not address hackers with extraordinary capabilities. No standards can create perfectly secure products, because they simply don’t exist. 

Brad Rees, chief technology officer of the ioXt Alliance, an industry group developing labeling standards for IoT, noted that the issues behind the SolarWinds hack likely would not have shown up on a product rating.  

“It’s unfortunate that the White House chose to throw out or tease an IoT labeling scheme in the middle of talking about a Chinese-state hacker with Microsoft Exchange,” he said. “Labeling schemes are here to prevent baseline security issues. They’re not…
