Three Cybersecurity Lessons From The SolarWinds Hack

Head of Information Security at Directly, leading and managing a cross-functional annually audited InfoSec program, and IW CDR in the USNR.

Last week we learned about the hack of SolarWinds Orion, a piece of network monitoring software. It has the potential to be the most pervasive hack in U.S. history, affecting leading security firms as well as government agencies and Fortune 500 companies. By hacking leading monitoring software amid an unprecedented pandemic, which rightfully required our attention, Russia, the alleged nation-state behind the hack, potentially gained undetected access to an enormous amount of confidential data from more than 18,000 leading organizations from March to December 2020. While we will still be assessing the full impact of the hack in the days and months to come, this article reflects on three important points from it.

All Computer Systems Are Vulnerable

First and foremost, the hack starkly reminds us that all computer systems are vulnerable to hacking. Anything that is connected to the internet can (and, in many cases, will) be hacked. The only way to be 100% hack-proof is not to use a computer system: Put it in a box, pour concrete over it and bury it or throw it into a body of water. Information security assesses, manages and significantly reduces, but does not eliminate, risk to our computer systems and networks. It would be wise to assume that our systems and networks have already been hacked. Like scientists, we need to look for evidence supporting that hypothesis and, when we find it, initiate the incident management plan to remediate and recover as quickly as possible. We need to build resilient systems that are expected to get hacked but recover quickly.

For computer crimes to be successful, three simple things have to be true about the criminal:

1. They must have the desire to obtain possession of the “victim.”

2. They must have the skills, knowledge and ability to commit the crime.

3. They must have the opportunity to commit it.

With enough time and resources, criminals and nation-states who have a high desire to access confidential data will improve their ability and find the opportunity to exploit vulnerabilities to get…