23 Apr 2021

Securing Supply Chains – what can be learnt from SolarWinds?

Mark Wixey, Cyber Security Lead at Fujitsu argues that securing the supply chain is an objective moving up the list of CISO priorities.

Securing the supply chain is an objective that is moving higher and higher up the list of CISO priorities. Sadly, there are plenty of bad news stories out there which highlight why this is so. But perhaps it’s the recent SolarWinds incident, and the headlines it has generated, that has escalated the conversation to another level.  

SolarWinds is a well-known, well respected, reputable supplier to many organisations around the world. Of those organisations though, I wonder how many of them had a full list of suppliers, ranked according to the perceived level of risk to their ‘supply chain’? And of those, how many had SolarWinds anywhere near the top?  

I suspect the answer is very, very few. I would also suspect that even those who did have SolarWinds on a supplier register of some sort, were still impacted, such was the scale of the attack.  

So, have - or perhaps should - these recent events drive a change? As these threats are constantly evolving, what can organisations realistically do differently to better protect themselves from a similar supply chain oriented attack? 

According to some reports, an enabling factor in how SolarWinds was breached was the use of a weak password on their internal systems, allegedly ‘solarwinds123’. If this is the case, then it’s nothing to do with technology at all, but rather down to a human being and their behaviour. This calls into question the level to which organisations can actually exert any level of influence or control over their supply chains.  

As a SolarWinds customer, you may have been assured that their internal regulations and user guides contained adequate guidance and rules on the selection and use of passwords. In which case what more could you have reasonably done? 

So, could this incident actually trigger a change in how we consider supply chain security?  

Sure, there are reasonable checks and audits organisations can undertake on their suppliers. But do we actually all need to be looking a bit closer to home? There is no possible way any organisation – regardless of size - can control the particular password a user at one of their supply chain organisations chooses to use.  

So, do we all need to focus more on our own systems, to better protect ourselves and as a consequence, our customers? Let’s consider four specific aspects where improvements can be sought: 

 

  • Weak passwords – if we allow users to choose their own passwords the likes of ‘Password1’ will be everywhere. But if we enforce too much rigour in the password’s complexity, users will simply write them down, rather defeating the object. Solutions exist today that enable organisations to operate without passwords. Combinations of hardware certificates, user biometrics, multi-factor authentication and pin numbers are all becoming widely available. If we must use passwords, management and vault solutions exist to take the burden of password selection and management out of the hands of the human.   

  • User behaviour – it is unrealistic to assume that every employee will always follow the rules and only use appropriate passwords. But is the willingness to ignore one rule perhaps an indication of a wider relaxed attitude to security? Behavioural analytics solutions have the ability to learn, monitor and compare individual’s actions with those of their peers, potentially highlighting poor or unusual practices, while enabling early intervention.  

  • Zero trust – the traditional approach of assuming everything within our own boundary, behind the wall or the moat is trusted, is clearly now flawed. If - or more likely when - malicious attackers infiltrate an organisation’s network, they are relatively free to move around. A zero trust approach questions every connection request, regardless from where it originates. 

  • Enhanced monitoring – you don’t have to search far to find plenty of articles that describe how the malware deployed by the SolarWinds incident worked. The question I ask though is “how many organisations have verified or enhanced the monitoring scripts or templates deployed by their SIEM solutions as a result?” There needs to be a process of continual improvement in what is monitored and reported across our enterprises. Lessons should be learnt after every reported breach or attack.  

The SolarWinds incident has taught us that supply chain risk is very real. The bad guys are constantly developing new ways of working, and many organisations are way behind in updating their defences in response. There are several steps organisations can take and there is published guidance to help, such as NCSC’s 12 principles of supply chain security.   

But I suggest that major organisations also need to look harder at themselves, move beyond the “it will never happen to us” mindset, to one of “how do I detect and protect?” and a continually improving cyber defence posture that evolves as the threats do.

About the Author

With over 30 years’ experience, Mark Wixey is a focussed and committed IT practitioner.  Much of his career has been spent designing, providing, operating and supporting high security IT systems and services across the UK Public Sector as well as both UK and international commercial businesses.  

Since joining Fujitsu’s Defence & National Security business unit, Mark has assumed responsibility for the department’s cyber services strategy and portfolio. He is also responsible for managing strategic technical security relationships with partners and UK government. In this capacity he is utilizing his accumulated technical knowledge across multiple products, services and solutions combined with experience of the numerous available procurement routes.  

In June 2019, Mark was awarded the status of Fujitsu Distinguished Engineer, a global network of role model technologists: https://www.fujitsu.com/uk/innovation/fujitsu-distinguished-engineers/. He currently serves as an elected member of techUK’s Cyber Security Management Committee.