
Secplicity - Security Simplified

Powered by WatchGuard Technologies

SolarWinds Lenient Security Practices Are Not Unique to Any One Organization

December 18, 2020 By Josh Stuifbergen

The SolarWinds debacle has reminded us all of one crucial aspect of vital infrastructure: human error. Standards, procedures, and processes are in place to ensure the implementation of a secure baseline. These plans and mechanisms are developed so that organizations have clear instructions to follow for best security practices. The challenge with technology is that it is developed by humans, and we are imperfect. Our mistakes are not only accidental but can also be a product of shortcuts taken where there is a lack of oversight or threat of consequence.

A prime example of this was presented by Vinoth Kumar (@vinodsparrow), a security researcher, who discovered in November 2019 cleartext FTP credentials in a public-facing SolarWinds GitHub repository. When asked for comment by The Register, Kumar stated, “their update server was accessible with the password ‘solarwinds123’ which is leaking in the public GitHub repo. They fixed the issue and replied to me on [November 22].” Kumar is referring to an occurrence from November 2019.

Configuration and access errors are to be expected from any organization. Security researchers like Kumar will continue to have a presence catching bugs and vulnerabilities. Advanced Persistent Threat groups and less organized hacking collectives with malicious intent are where the threat lies. What is unfortunate for SolarWinds is that they may not have improved their security posture after being given ample opportunity. As a vendor of critical software, they had a responsibility to uphold the integrity of their product.  

Now, this chaos caused by one vendor supplying malware-laced update software is not unique. There are plenty of organizations that are dependent upon the same vendor. Hopefully, this is a wake-up call for companies in a similar position to SolarWinds that may have skimped on their security spending. It could even be that their security investment is adequate but is not directed or used in a useful manner. A weak password or vulnerable server is all it takes to compromise a company and all subsequent companies that rely upon its product.

There is no end-all, be-all solution to improving an organization’s security posture. It comes down to individuals, teams, and company culture. Each will have their ethos and directive, and it is important to align an individual’s minute decisions, such as password complexity, to a company’s culture and processes.


Filed Under: Editorial Articles Tagged With: SolarWinds
