As the impact of the recent SolarWinds cyberattack continues to emerge, the method of attack is becoming clearer: According to several reports, the attackers used malicious Trojan software updates for SolarWinds’ Orion IT monitoring solution, signed with valid digital signatures, to gain network access. This access enabled them to escalate their privileges. The access point could have been the result of human error, with password credentials granting access to a SolarWinds FTP site posted on GitHub. This would have given the hackers everything needed to upload a malicious .exe file into the SolarWinds ecosystem.
Likely the single biggest preventive measure in this specific attack would have been to secure the cryptographic key used to sign the code to deliver security throughout the signing process. This would have protected the integrity of the software – ensuring only code that was expected to be signed was signed – and kept the bad actors out. If the signing process was subverted, the priority would then become identifying the breach as quickly as possible to limit the damage.
Let’s look at some other security best practices to mitigate your risk of SolarWinds type of attack.
Adopt a “zero trust” approach – never trust, always verify that someone – or something – is who they say they are with high assurance, multi-factor authentication that uses intelligent authenticators like behavioral biometrics, mobile smart credentials, and soft tokens. In addition, apply Least Privilege Access principles so that any user, program or process only has the absolute minimum privileges to perform their specific function.
Take your workforce passwordless – while strong passwords with regular expiry dates are good, credential-based passwordless access is much better, effectively eliminating password hacks. A digital certificate provisioned on to a worker’s mobile phone transforms it into their trusted workplace identity delivering secure access to corporate resources when the device is unlocked with the person’s biometrics.
Employ adaptive risk-based authentication with policy engine – this is your early threat detection and prevention system. Contextual data like device reputation, user behavior, and velocity alerts suspicious activity that you can then address with step-up authentication challenges or the decision to block specific actions entirely.
Establish an enterprise certificate strategy – secure network connections, manage software/firmware, authenticate devices, secure email, encrypt and sign data, and protect user identities. With an enterprise PKI to issue and rotate credentials, and a credential identity management system, should an individual credential be compromised, the downtime and exposure is reduced.
Use hardware security modules (HSMs) for a strong root of trust – protect and manage cryptographic keys throughout their lifecycle. Cryptographic keys are needed to sign and validate device certificates for identification and authorization, encrypt/decrypt and hash data to ensure its confidentiality and integrity, and to sign code to protect its integrity. HSMs provide a secure environment to protect the keys both when in use and while at rest and offer strong authorization mechanisms to ensure no single individual or entity can subvert the policies established for the use of the keys. HSMs are hardened tamper-resistant devices certified to the highest assurance standards including FIPS 140-2 Level 3 and Common Criteria EAL 4+. Most security conscious organizations today deploy HSMs to protect their business-critical information and applications.
Apply strong policy controls with regular auditing – Organizations need to manage their cryptographic keys and credentials across their lifecycle, limiting their usage and rotating them on a regular basis. Auditing management practices, adhering to policies and enforcing dual control where possible will help to facilitate best practices. Furthermore, a regular audit or health check of your security environment – from the cryptography in use, to policies and procedures – can identify gaps or risks and help the early identification of breaches.
The above list is a just a subset of security best practices. Learn more about how you can mitigate the risk of a similar cyberattack with:
- Secure workforce identities
- The importance of code signing
- Establish a cryptographic center of excellence within your enterprise
For a comprehensive view of the Entrust digital security portfolio, visit https://www.entrust.com/digital-security.