The recent intrusion of high profile government systems via the SolarWinds Orion vulnerability has gained quite a bit of media attention and is likely to dominate the cyber security news cycle for the foreseeable future. And while nearly all affected SolarWinds clients have been made aware and begun the mitigation process, there are some larger lessons to be learned from these events.

[Note: if you are or believe that you may have been directly affected by the breach, refer to the CISA Emergency Directive 21-01 for guidance or contact external cyber security professionals for assistance as needed.]

The actual damage of this breach has yet to be calculated, partly because the extensive number of organizations impacted and the ripple effects to other organizations. The ripple effect means that not only were the affected SolarWinds clients put at risk, but so were their vendors, clients, B2B partners, and other affiliated individuals and agencies within their overall ‘supply chain.’ The emergency directives and guidance provides information needed for quickly closing the vulnerability. On a broader basis, the event presents the opportunity to ask some important questions, such as:

• Were we or anyone in our supply chain affected? Can we say with certainty that we were not affected? Can we say with certainty that we have remediated all primary and downstream vulnerabilities or persistent issues which were or might have been present as a result of the breach? Can our vendors and suppliers provide us assurance about the impact to their organization?
• Have we considered implementing a supply chain risk management program? In recognition of the needs of commercial customers and business partners of manufacturers, producers, and distribution companies, the AICPA has developed a framework for reporting on the controls over a manufacturing, production, or distribution system. Organizations can use the reporting framework to communicate to stakeholders (SOC for Supply Chain report) or to help develop their program internally and relevant information about their supply chain risk-management efforts and the processes and controls they have in place to detect, prevent, and respond to supply chain risks.
• Are we subject to auditing or regulatory requirements that need to be addressed? Does the fact that the organization or supply chain was affected trigger a mandatory report? Should a disclosure be made even absent an absolute requirement to do so?
• Are we practicing defense-in-depth? The idea that a robust perimeter defense can secure networks in the modern threat landscape can no longer be held to be true. A compromise of a client or vendor can put your data and system at risk even with a strong perimeter. Routine monitoring of network and user activity against what is ‘normal’ is critical to stop in progress attacks and prevent further spread and damage.
• How is our cyber security documentation? For clients that are subject to external audits of data or networks, or cyber security systems, being affected by an incident like this (whether directly or indirectly) will require not only mitigation, but careful documentation of that mitigation to satisfy the standards and criteria of those external auditors.
• Do we need help from the outside? Getting an external examination of the system can go a long way toward proving that you were unaffected by a breach or that remediation has been completed. This can go a long way toward satisfying concerns of current or potential clients and business partners, even if not subject to formal auditing requirements.
• When was the last time we evaluated our overall cyber security plan? A cyber security posture is not something that can be set and then forgotten. An ongoing process of re-evaluation and updates should be occurring, both on the technical side via patching and change management but also on the management side via policy, training, and overall organizational posture.

The SolarWinds hack has highlighted the changing landscape of software providers in the supply chain, cyber security, and the vulnerabilities that can be present even if the breach occurs elsewhere in the organization’s supply chain. But the resulting changes can help us prevent or mitigate similar attacks in the future. With a little introspection and ongoing monitoring of the internal and external threat landscape, the organizational effects of the upheaval can be minimized, and clients and business partners can be properly assured that their data and communications are safe.

As always, if you need information or assistance with cyber security or auditing issues, please feel free to contact our RubinBrown Cyber Security team at any time.

 

^{Readers should not act upon information presented without individual professional consultation.}

^{Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.}