EXECUTIVE SUMMARY:

At the RSA Conference that took place earlier this year, SolarWinds CEO Sudhakar Ramakrishna and a team of other experts discussed lessons learned from the infamous hack.

According to Ramakrishna, the SolarWinds attackers may have compromised systems as long as 10 months before the previously assumed date. Researchers found that the attack may have gotten underway as early as January 2019.

Engineers are still rewriting and patching affected code, and remediation remains underway six months after the attack became public. According to Ramakrishna, some affected customers lack the technical capabilities or the staffing to apply fixes easily, so SolarWinds continues to work with those clients to resolve issues.

“A lot of our software runs on premises as well, so it’s not instantaneous that everybody updates at the same point in time,” he stated.

Avoiding the status quo

Many companies cut corners on security in the belief that doing so saves time and money. Experts liken this to continuing to manufacture cars without safety checks.

“We’d never buy a car that was rushed to market, knowing it could have potentially fatal defects that the manufacturer may or may not choose to issue a recall [for] and fix,” says Anne Neuberger, the National Security Council’s deputy national security adviser for cyber and emerging tech.

Engineering outsourcing

To maximize profits and to make up for staffing shortages, organizations may outsource technical engineering. In some cases, the contracted engineers may not know, or care, about building security into the product's lifecycle.

Understanding where security is or isn’t baked into products is critical. Organizations must recognize the need to oversee outsourced projects.

Higher standards

In the US, President Biden recently signed an executive order designed to hold software vendors to higher security standards. He also spoke of Internet of Things (IoT) product improvements, including labeling that clearly shows security compliance.

Mandates requiring that software supplied to the federal government be built in an entirely secure environment are underway. While this may seem like a no-brainer, Neuberger notes that such practices are still "not universal".

For more on this story, visit GovTech.com.