IBRS develops action plan following SolarWinds hack

Following the news that FireEye had been breached via an exploited SolarWinds product, Australian CIO Advisory specialist IBRS developed a five-point immediate response plan for technology executives to explore, to protect their organisations. News of the cyber attack came to light on 14 December, when US cybersecurity company FireEye announced it had been compromised through weaponised updates of SolarWinds’ Orion network monitoring software. FireEye’s blog post included timelines, technical recommendations and indicators of compromise.

IBRS has encouraged technology executives to pay immediate attention to five security considerations. Senior ICT executives should immediately review if and where SolarWinds is used within their organisation, and if the version installed is at risk. SolarWinds has also recommended that infected systems by taken offline.

Good asset management will be useful in this verification process. IBRS notes that it has seen examples of unmaintained and, in some cases, undocumented SolarWinds installations. CIOs should be able to inform the board if the organisation has SolarWinds, where it is installed, and if the versions installed are vulnerable.

Dr Philip Nesci, IBRS advisor and cyber risk lead, addressed the potential repercussions of the security breach, and the considerations Australian technology leaders should be making in the short term.

“The ability to quickly identify and report back to the board on any IT solution, not just SolarWinds, at short notice is now a critical need,” Dr Nesci said.

IBRS also recommends that all applications facing the internet must consistently receive critical patches. CIOs need to be able to assure the board that their patching process is effective and being executed rigorously.

“This year, Citrix, virtual private networks, staff home routers and now device management tools have all been compromised. Everything is up for grabs, so logically, anything internet facing needs to be aggressively maintained,” Dr Nesci said.

Technology executives are encouraged to test their cyber incident response plan and prepare to defend against organised crime, in case their organisation is compromised. It has been noted that once a vulnerability is disclosed, threat actors can develop and exploit within 48 hours.

“Now that the attacker has been ejected from FireEye (and hopefully from SolarWinds) it is likely only a matter of time before organised crime exploit unpatched SolarWinds instances to target government and commercial operations,” Dr Nesci said.

IBRS has also urged technology executives to examine their supply chain, and CIOs to consider which other software has pervasive access like SolarWinds. The critical point about FireEye being breached is that it points to what the cyber industry has been saying for years — “it’s not if, it’s when”.

“What protocols are your service providers following when they use tools like SolarWinds in your environment? CIOs should be able to report critical supply chain risks to the board and propose appropriate risk mitigation measures,” Dr Nesci said.

CIOs are also urged to check their cyber insurance, and get a position from their insurers on whether they will be able to make a claim against their policies if their organisation is compromised.

Image credit: ©stock.adobe.com/au/momius