christiantaya.blogg.se

Solarwinds breach










It is noteworthy that this mixed bag of employees and contractors allege that they “were not aware of an information security policy or a password policy, and they did not receive cybersecurity training.” The need for documentation cannot be overstated. This includes risks associated with reliance on commercial software applications and open-source software. Matt Georgy, CTO of Redacted, Inc., observes, “What makes Solar Winds’ exploitation particularly bothersome is the fact that it’s used to manage/monitor IT systems.” Core to a risk management program is the risk register wherein risks to business operations are tracked and managed, he continues. Sullivan notes, as the case moves forward, “What other exhibits will be referenced to show negligence on behalf of SolarWinds? What can you imagine as a CISO that might be used against you to show that you are just a compliance ‘check the box’ place, or do you really care about security (reasonableness standard)?”

Maintain a register to track and manage risks

This requires business operations to ensure alignment between what the company is saying publicly and what it is doing internally.


Whether this was window dressing or reality is what the suit will determine, as the plaintiffs allege that the marketing and public relations statements made by SolarWinds on its website, including video statements from the CISO, projected a mature cybersecurity culture within SolarWinds that did not exist. CISOs should ensure business or operations are the drivers of the policies and procedures being followed by their personnel, with the CISO’s team in information security supporting the business. To the company’s credit, they published a “security statement,” which described the seriousness of cybersecurity policies and procedures.

Personnel need to follow policy and procedures

While the civil lawsuit will continue its course, there are several important takeaways for CISOs. That said, former employees, described in the judge’s decision as “a sales engineer, a security specialist, a backup and disaster recovery specialist, a director of global recruiting, an HR contractor, a security account manager, and a marketing associate,” all alleged the lack of such cybersecurity policies. Shortcuts are taken, and policies exist to diminish the likelihood of incidents such as this.


Indeed, the one-off violation associated with the “update server” is not unique to any one company. “An egregious refusal to investigate may give rise to an inference of recklessness.” Instead, their purpose is to demonstrate that the executives were at least reckless in not realizing that something was dangerously amiss. The judge decided “the allegations of underlying security issues (such as the ‘solarwinds123’ password breach)” need not suggest that these security issues directly caused the loss. However, Sullivan opines, the “password issue on the update server is … just an entry point.”


SolarWinds is adamant that the infamous password “solarwinds123” that a security researcher found in November 2019 on an “update server” was changed within the hour of being notified and isn’t related to the Russian breach of SolarWinds. The judge’s decision served to highlight what every CISO dreads: the cutting of corners by personnel in the basic implementation of cybersecurity 101. “There will be questions in this suit including: Will the forensic reports be available during the discovery or covered by attorney-client privilege?”

Key question: Did SolarWinds cut corners on security?

It’s what will be shown during the discovery process that is interesting. Fast forward to late March 2022 and we have a federal court saying the suit that named SolarWinds, its vice president of security and CISO, Tim Brown, as well as two prime investor groups, Silver Lake and Thoma Bravo, may go forward. As Violet Sullivan, cybersecurity and privacy attorney of client engagement at Redpoint Cybersecurity, observes, the judge finds that the plaintiffs “may have a claim, so the judge is going to hear it.” She explains, “It’s not what is being said in the order that is interesting. These two events were, predictably, followed by a bevy of civil lawsuits. The event also had a deleterious effect on the SolarWinds stock price.


The SolarWinds compromise of 2020 had a global impact and garnered the resources of both public and private sectors in an all-hands-on-deck remediation effort.











