2023-11-01

The cybersecurity industry is reeling after the shocking news that the SEC has charged SolarWinds and its former CISO with fraud surrounding the infamous Sunburst attack.

The 68-page complaint, filed Oct. 30, alleges that from at least October 2018 through Jan. 12, 2021, SolarWinds and its then-security chief Timothy G. Brown misled investors and customers through “misrepresentations, omissions and schemes” that concealed both “the company’s poor cybersecurity practices and its heightened – and increasing – cybersecurity risks.”

Sunburst – with which the SolarWinds name is now synonymous – was one of the most significant cyberattacks in history as it infiltrated the software supply chain and wreaked havoc on enterprises of all sizes around the world. The US government was also affected, implementing strict guidelines and requirements to protect the federal software supply chain.

The full impact of the attack is still unknown and is likely to continue for the foreseeable future.

The fraud allegations come as the SEC has increased cybersecurity accountability — particularly its new four-day disclosure requirement for public companies — and could have dramatic implications far beyond the cybersecurity realm.

“These allegations serve as a reminder to CISOs about the importance of ethical behavior and professional conduct,” said George Gerchow, faculty member at cybersecurity research and consulting firm IANS Research. “It is important for CISOs to maintain a high level of integrity, adhere to ethical standards, and prioritize the security and privacy of their organization’s data.”

Internal document says company ‘not very secure’

Oklahoma-based SolarWinds provides network and infrastructure systems management tools to hundreds of thousands of organizations globally.

Potentially in early 2018, hackers gained access to the company’s network and deployed malicious code into its Orion IT monitoring system. Orion is considered a “crown jewel” asset, accounting for 45% of the company’s revenue in 2020, according to the SEC.

The agency says that during the ensuing two-year attack, SolarWinds and Brown made “materially false and misleading statements and omissions” about cybersecurity risks and practices in several public disclosures, including a “security statement” on its website and reports filed with the SEC.

For example, in October 2018 – the same month SolarWinds held its initial public offering (IPO) – Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable position to our critical assets.”

Other presentations during that period described SolarWinds’ remote access setup as “not very secure” and stated that an attacker “can basically do anything without us detecting it until it’s too late,” which could lead to “huge reputational and financial loss.”

Additionally, an internal document from September 2020 shared with Brown and others stated that “the volume of security issues identified has increased over the past month” and “exceeded the ability of engineering teams to resolve.”

“SolarWinds’ public statements about cybersecurity practices and risks paint a completely different picture from internal discussions and assessments,” the complaint alleges.

The SEC also reports that the company made incomplete disclosures about the attack in its December 14, 2020 Form 8-K filing, causing its share price to fall nearly 25% over the next two days and 35% by the end of the month.

In the years since, the company has struggled to rebuild its reputation, with leaders recently working on a rebrand and toying with the idea of returning to a private model.

In a blog post, CEO Sudhakar Ramakrishna said SolarWinds “strongly opposes” the SEC action.

“The way we responded to Sunburst is exactly what the U.S. government wants to encourage,” he said.

Therefore, it is “alarming,” he said, that the SEC has filed what the company believes is a “misguided and unfair enforcement action” that “represents a regressive set of ideas and actions inconsistent with the progress the industry is making and the progress the government is encouraging.”

Sunburst only highlights broader security issues

Experts emphasize that the SEC is not targeting SolarWinds because of Sunburst: The complaint notes that misstatements about security would have violated securities laws even if SolarWinds had not been hacked.

“They were targeted simply to highlight the issues,” Williams said.

Michael Isbitski, director of cybersecurity strategy at Sysdig, pointed to several security shortcomings: remote access from unmanaged devices, threat modeling missteps, inadequate web application testing, improper password management policies, and weak access controls.

While SolarWinds claimed adherence to common security best practices – such as the NIST Cybersecurity Framework, NIST Security and Privacy Controls for Information Systems and Organizations, and the Secure Development Lifecycle (SDL) – evidence shows that it had significant gaps in meeting all the criteria across all of its applications and systems, Isbitski said. This created material issues that were not properly disclosed, and investors were misled.

“A key takeaway here is to pick a standard and make sure you’re following it universally,” he said.

Lasting Effects of Sunburst

That doesn’t mean Sunburst hasn’t dramatically changed the cybersecurity industry.

“The Sunburst attack has changed our industry in many ways,” Gerchow said.

In particular, it has drawn attention to the importance of supply chain security. “Organizations are now more aware of the potential risks associated with third-party software and are taking steps to enhance their security practices,” he said.

The attack also highlighted the need for continuous monitoring and threat detection, prompting organizations to invest in advanced tools and technologies. Finally, and perhaps most notably, it has attracted the attention of regulators.

“This may result in organizations having stricter requirements to ensure the security of their supply chains,” Gerchow said.

The SEC is setting a new standard

Experts say the case underscores the importance of integrity and maturity in cybersecurity programs across the board, especially for publicly traded companies.

Isbitski said relevant expertise, cybersecurity processes and history of security incidents must be disclosed under SEC cybersecurity disclosure rules. These have existed in various forms for over a decade, with the latest version coming into full force in December 2023.

Furthermore, being open and honest is a good business practice. “Transparency is critical in maintaining the trust of customers, partners and stakeholders,” Gerchow said.

When a breach occurs, it is important to notify those who may be affected so they can take the necessary precautions and protect themselves, he stressed. By speaking openly about a breach, companies show their commitment to the security of their customers and demonstrate accountability.

Gerchow’s colleague Jake Williams, a former US National Security Agency (NSA) hacker and IANS Research faculty member, commented that “the SEC is setting a new standard for security disclosures with this lawsuit.”

He cautioned: “Don’t be surprised to see that standard used in litigation if you make false, incomplete or misleading statements about security to customers or business partners.”

Additionally, Wells notices — intentions to charge — are typically issued to CEOs and CFOs, said Sivan Tehila, CEO of cybersecurity platform Onyxia. But in this case, CISO Brown is clearly involved.

“This could mean new liabilities for cybersecurity officials moving forward,” Tehila said.

The SolarWinds case is one to watch as it unfolds

Cybersecurity experts recommend that CISOs keep a close eye on the matter.

For starters, it serves as a reminder of the potential legal and regulatory consequences that could arise from cybersecurity incidents, Gerchow said. Understanding these allegations and the ultimate outcome of the case can help security leaders assess the potential risks faced in similar situations and take proactive preventive measures.

“CISOs should analyze the specific allegations made by the SEC and evaluate whether their own organization has similar vulnerabilities or deficiencies,” Gerchow said. “This can help them identify areas for improvement and strengthen their cybersecurity posture.”

He recommended that CISOs study SolarWinds’ incident response actions to assess their effectiveness. Examining it as a use case can help them enhance their own incident response plans, including communication strategies, prevention measures, and recovery procedures. Equally important, security leaders must reinforce ethical behavior within their organizations.

Isbitski agreed, saying that companies and their leadership should follow the lawsuit, “because this is one of the first battle tests of the ultimate cybersecurity regulations.”

Source: venturebeat.com