It seems like every day we are hearing more news come out about the SolarWinds hack. Even though the breach was first reported back in December, the fact that it was one of the largest attacks in the world means it is still able to maintain its relevance even today. While there was an influx of information in the three months that followed the attack, I wanted to home in on one specific detail that came out last week. As an intern myself in the NextCISO program, I was discouraged to see that the SolarWinds CEO testified before Congress and blamed an intern for leaking the password “solarwinds123.” There are many things wrong with this on multiple levels.
In the program, one of the main topics we cover is the ISO 27001 standard and, specifically, how to use this framework to audit companies. By shifting the blame to their intern, SolarWinds is ignoring the many security policies that should have been in place. One main policy in particular is password management. The policy outlines that passwords must contain at least one special character, must not contain a dictionary word, and must contain at least one uppercase and one lowercase letter. SolarWinds fails this policy in all of the above ways. The only saving grace is that the password meets the policy minimum of 12 characters, but just barely. The policy also notes that passwords must be changed if there are indications that they might be compromised, and must otherwise be changed every three months. In this instance, the intern created the password in 2017 and it took SolarWinds until the end of 2019 to correct the issue, meaning the same weak password had been in place for almost three years and no one bothered to check. This does not even address why an intern had admin access to begin with, which is a serious failure of access control. Regardless, despite these shortcomings, SolarWinds upper management chooses to blame an intern instead of looking at themselves in the mirror.
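The policy rules described above are simple enough to encode as an automated check, which is how an auditor or a help desk would actually enforce them rather than relying on someone remembering to look. The following is an added example written for this post, not code from SolarWinds, Tiro Security or the NextCISO program. The word list is a small constructed stand-in for a real dictionary, the creation and audit dates are constructed to mirror the 2017 to 2019 window the post describes, and the 90-day limit is my reading of "every three months."

```python
import re
from datetime import date
from typing import List

# Constructed, illustrative word list. A real deployment would load a full
# dictionary (and a breached-password list) instead of a handful of words.
DICTIONARY_WORDS = {"solarwinds", "solar", "winds", "password", "welcome", "admin"}

MIN_LENGTH = 12    # policy minimum quoted in the post
MAX_AGE_DAYS = 90  # "changed every three months", read as 90 days (assumption)


def check_password(password: str) -> List[str]:
    """Return the list of complexity rules the password violates.

    An empty list means the password satisfies every rule in the policy
    as the post describes it: length, special character, upper and lower
    case, and no embedded dictionary word.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    # Case-insensitive substring match so "SolarWinds123" is caught too.
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    return failures


def check_age(set_on: date, audit_day: date, compromise_suspected: bool = False) -> List[str]:
    """Return the rotation rules a credential violates on the audit day.

    Rotation is a separate check from complexity: a strong password that is
    never rotated, or one that is suspected compromised, still fails.
    """
    failures = []
    if compromise_suspected:
        failures.append("possible compromise: must be changed immediately")
    if (audit_day - set_on).days > MAX_AGE_DAYS:
        failures.append(f"older than {MAX_AGE_DAYS} days")
    return failures


def example_audit() -> dict:
    """Run both checks over the post's password and a constructed compliant one."""
    created = date(2017, 6, 1)      # constructed date inside the year the post names
    audit_day = date(2019, 11, 15)  # constructed date near the end of 2019
    return {
        "weak_complexity": check_password("solarwinds123"),
        "weak_age": check_age(created, audit_day),
        # Constructed sample meeting every rule; not a real credential.
        "strong_complexity": check_password("Tq7!gvWp2#xLm"),
        "strong_age": check_age(date(2019, 10, 1), audit_day),
    }


if __name__ == "__main__":
    for name, result in example_audit().items():
        print(f"{name}: {result or 'compliant'}")
```

Running the block prints three complexity failures and one rotation failure for "solarwinds123", with length the only rule it passes, which is exactly the picture the post paints. In practice the length and character-class rules are the easy part; the age check is the one that catches a credential nobody has looked at for years, so it belongs in a scheduled job, not only at password-creation time.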
Interns are not perfect; I am guilty of that myself. We are there to learn and get ourselves in the door. While we may try our best, we will inevitably make mistakes. However, instead of throwing us under the bus, as in the case of SolarWinds, it may be better to teach and educate. If you are a small or medium-sized company looking to train your employees to prevent a SolarWinds-like incident, then consider Tiro Security. We’ve partnered with a class leader in online security awareness training to provide these resources to SMBs in a cost-effective manner. We also perform risk assessments to make sure companies are following the proper policies to avoid an incident.