The SolarWinds debacle has reminded us all of one crucial aspect of vital infrastructure: human error. Standards, procedures, and processes are in place to ensure that a secure baseline is implemented. These plans and mechanisms are developed so that organizations have clear instructions to follow for best security practices. The challenge with technology is that it is developed by humans, and we are imperfect. Our mistakes are not only accidental but can also be the product of shortcuts taken where there is a lack of oversight or no threat of consequence.
A prime example of this was presented by Vinoth Kumar (@vinodsparrow), a security researcher, who in November 2019 discovered clear-text FTP credentials in a public-facing SolarWinds GitHub repository. When asked for comment by The Register, Kumar stated, “their update server was accessible with the password ‘solarwinds123’ which is leaking in the public GitHub repo. They fixed the issue and replied to me on [November 22].” Kumar is referring to that November 2019 occurrence.
Configuration and access errors are to be expected from any organization. Security researchers like Kumar will continue to catch bugs and vulnerabilities. The real threat lies with Advanced Persistent Threat groups and less organized hacking collectives with malicious intent. What is unfortunate for SolarWinds is that they may not have improved their security posture after being given ample opportunity. As a vendor of critical software, they had a responsibility to uphold the integrity of their product.
Now, this chaos caused by one vendor supplying malware-laced update software is not unique. There are plenty of organizations that depend upon the same vendor. Hopefully, this is a wake-up call for companies in a similar position to SolarWinds who may have skimped on their security spending. It could even be that their security investment is adequate but is not directed or used in a useful manner. A weak password or vulnerable server is all it takes to compromise a company and every downstream company that relies upon its product.
There is no end-all-be-all solution to improving an organization’s security posture. It comes down to individuals, teams, and company culture. Each will have its own ethos and directive, and it is important to align an individual’s minute decisions, such as password complexity, with a company’s culture and processes.