In mid-December, news broke about a massive cyber breach that occurred through SolarWinds software. There is a chance (I hope not) that many in the AV community briefly looked at this, decided it was an IT issue and moved on. If you did, I think that was a mistake — and want to tell you why.
First, let’s start with a brief description of what happened. Bad actors (many believe foreign agents) inserted code into software updates that SolarWinds distributes to its many thousands of customers. This malicious code was then distributed to the thousands of customers as they downloaded said updates. Downloading these updates is not only standard practice, it is expected to be done for — ahem — security purposes. Once the customers installed these updates, the hackers could very quietly obtain and use credentials to perform a variety of actions. Yes, that is a very brief description of a very complicated attack. You can check out Paul Konikowski’s article for a more in-depth analysis of the attack itself:
Now, why should AV people pay attention to such an incursion? Isn’t this just an IT problem? The answer is both simple and complex. The simple answer is, if any of your equipment is connected to the network, congratulations, you are IT. The complex answer is a little more interesting.
First, this attack came from what everyone in IT considered a trusted source. Thousands of companies use this software, and as mentioned previously don’t give a second thought to applying updates that the company puts out. What no one considered is that the threat actor would have attacked the source of those updates, and that this trusted company would actually be the source of the attack. So, take a moment and think about the equipment that you have installed in customer locations and placed on their network. How often have you (and the customer) assumed that it was fine? My guess is 100% of the time. After all, the equipment came from a trusted source. Up until this day, that has been fine and appropriate behavior. Yes, there have been some vulnerabilities in AV equipment, which may have left you open to outside interference, but there has never been (that we know of) an attack on the source.
You still may be thinking, “sure, but still, this is all IT. This does not affect me.” You would be wrong. While you and your equipment may not have direct access to data, hackers are developing new ways of thinking. Ransomware, for example, is not your classic “attack”. Rather, it is designed to raise money for the hackers. So you need to imagine that these threat actors are already thinking about ways to raise money. They are aware that all of our environmental controls in buildings are run online, so you have to believe they know that our AV systems are online. Despite the size of your company, you are a target. In order to make money, ransomware attacks cast a very wide net, hoping a few make a mistake.
With this discovery comes new knowledge. That is, we can’t ever claim again that an attack like this was new or surprising. Everyone in the AV industry now has a responsibility to be on the lookout for such an attack. Manufacturers now have a responsibility to secure their source code internally to be sure that the developers of these attacks are not getting in at the manufacturer level. This may mean adding to the roles and expectations of their security teams. They have to start thinking that their IP may not be the only target of an attack, but also that their customers would be targeted through them. Security and privacy are often part of a CISO’s role, but are different things. Many companies (SolarWinds did until mid December) post on their website who their customers are. We have all seen this before, “we serve College XYZ, and the U.S. Department of Defense”, etc. While that may be good for marketing, it has always been a privacy issue. Now, it is actually a security issue. By posting that on your website, you are making the threat actors job that much easier.
Integrators now have new responsibilities as well. I sure hope that integrators/programmers and installers have always followed rules about passwords, like changing the default, not using the same one across different customers, safely storing them in a password safe, etc. Now they have the additional responsibilities considering the equipment they are selling, and what those companies have put in place for security, what updates should go on the devices and how to educate the customer. Integrators need to get even more into the IT world to make sure they understand these threats and protect their customers. In my opinion that means companies should either hire or outsource security specialists. For larger firms, perhaps an entire segment of your company should be security, and offer “AV” security consulting for the firms that can not afford to have it in house.
The end user has new responsibilities. Some of these you may outsource and others you may be able to do in house depending on your budgets and staffing. You have a responsibility to check up on your integrators. Do they have people who are very comfortable speaking to you about security? Do they have written policies on how they handle security and security breaches? You need to work with your internal security team to watch for odd behavior, and to secure your devices. For example, are your AV devices on their own VLAN? Are they only allowed to communicate on that VLAN? Do you have systems in place to watch to be sure there is not suspicious activity for those devices to be attempting communication across VLANs? Or to the outside of your network?
This is not the first time I have written about security, and other rAVe bloggers have covered it as well. However, I think that this particular breach is different enough that it requires an evaluation of your security stance. The threat actors have shown they are nimble and creative; we must be as well.