The SolarWinds breach — What do CIOs need to do now?

Mitch Parker, Chief Information Security Officer of Indiana University Health

SolarWinds, a major supplier of network security and management software to governments, private industry, and industry titans like FireEye and Microsoft, was found to have been compromised.

Network management software that controls, manages, and monitors the cores of multiple critical networks has been breached. The effects of this cannot be overstated. This strikes at the core of networks and has enabled sophisticated attacks, including the FireEye attack from last week. It bypassed some of the best security we had, and it did so through compromised software updates. While there are any number of pundits and explanations available in the media, we want to give CIOs information they can use to immediately protect the patients that visit our facilities, and the networks that facilitate their care. This attack puts us all at increased risk.

Contracting

When we contract for software, hardware, and services with third parties, we need to ensure that they have a commitment to securing their own environments. One of the factors Reuters identified was that access to SolarWinds' computers was for sale on underground forums. Contracts with third-party vendors need to include language on securing the environment, using third-party static code analysis, and regular security scanning of local and cloud-based environments. They also need to require the use of the latest encryption and authentication technologies. Many application vendors in healthcare require less secure authentication methods to be enabled. This means that when a malicious third party gets access to the network, they can very easily acquire all the credentials, not just a small subnet, due to these weaknesses. According to Microsoft, encryption using weak ciphers lessens security. Having these items in contracts gives organizations leverage to better enforce security terms and conditions, and do a better job of protecting patients.

Dark Web Monitoring/Threat Intelligence

The Reuters article above mentioned that access to SolarWinds computers was for sale on underground hacking forums. Many people share the same passwords across multiple work and home accounts. This makes password spraying, the technique by which people try numerous breached passwords plus other commonly used passwords, highly effective. The Dark Web monitoring that companies offer is targeted toward individual users. There are multiple great companies out there that can provide excellent dark web monitoring for you and notify you if assets or team member accounts are for sale or available on underground forums. This will help address issues before they become persistent problems.

Two-factor Authentication/Login Location Checking

Two steps you can take to protect your networks are to require app-based two-factor authentication and to check where people log in from. App-based two-factor authentication, such as Cisco Duo, Imprivata, or Microsoft Authenticator, requires a second factor besides a password to access resources from outside the network. Checking where users are logging in from, and immediately flagging resources trying to log in from outside your home country or area, can also help address the use of breached credentials. According to Microsoft's presentation at the 2020 RSA Conference, more than 99.9 percent of Microsoft enterprise accounts that get invaded by attackers didn't use multi-factor authentication. Only 11 percent of the accounts overall had it enabled. This move will further reduce risk.
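The location check, the second-factor check and the password-spraying pattern described above can be run as one review over sign-in records. This is an added example, not code from the article or from any vendor named in it; the record fields, the threshold, the home-country set and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed for illustration: field names, thresholds and events are
# assumptions, not any product's log schema.
HOME_COUNTRIES = {"US"}
SPRAY_MIN_USERS = 3   # distinct accounts failing from one source address

@dataclass(frozen=True)
class SignIn:
    user: str
    src_ip: str
    country: str    # GeoIP country, or the home country for internal sources
    external: bool  # source is outside the corporate network
    mfa: bool       # app-based second factor satisfied
    success: bool

def review(events, home=HOME_COUNTRIES, spray_min=SPRAY_MIN_USERS):
    """Return a sorted list of (subject, reason) findings for follow-up."""
    findings, failed_by_ip = set(), defaultdict(set)
    for e in events:
        if e.country not in home:
            # Failed attempts count too: they show credentials being tried.
            findings.add((e.user, f"sign-in attempt from {e.country}"))
        if e.success and e.external and not e.mfa:
            findings.add((e.user, "external sign-in without second factor"))
        if not e.success:
            failed_by_ip[e.src_ip].add(e.user)
    for ip, users in failed_by_ip.items():
        # One source failing against many accounts is the spraying pattern.
        if len(users) >= spray_min:
            findings.add((ip, f"failed logins against {len(users)} accounts"))
    return sorted(findings)

SAMPLE = [  # constructed events; external addresses are documentation ranges
    SignIn("jdoe", "10.1.4.20", "US", False, False, True),
    SignIn("jdoe", "198.51.100.7", "US", True, True, True),
    SignIn("asmith", "198.51.100.9", "US", True, False, True),
    SignIn("svc_lab", "203.0.113.5", "RO", True, False, True),
    SignIn("bnguyen", "192.0.2.44", "US", True, False, False),
    SignIn("cpatel", "192.0.2.44", "US", True, False, False),
    SignIn("dlee", "192.0.2.44", "US", True, False, False),
]

if __name__ == "__main__":
    for subject, reason in review(SAMPLE):
        print(f"{subject}: {reason}")
```
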

Locking Down Internal Networks

As we discussed before, there are many application vendors that rely upon less secure methods to authenticate. This also extends to permissions. The SolarWinds attack is so dangerous because of the high level of network access its Orion software had. Inventory your software and the critical applications you use. Work with your vendors to determine the minimum access needed and configure applications to only use that. Don't give accounts administrative permissions because it's easy. It's harder to clean up from a data breach. Filter and disallow Internet access from devices that don't need it, especially Internet of Things or medical devices running older operating systems.

If you have a vulnerable version of Orion, according to CISA, you need to disable legacy encryption methods in your Active Directory environment, reset any credentials used by the Orion software, rebuild any hosts or devices monitored by it using trusted software, reset the passwords used by service accounts to use at least 25 characters, and start using Group Managed Service Accounts instead of user accounts. You also need to reset the Ticket Granting Ticket password, better known as the keys to the kingdom. If that password is compromised, then you are no longer in control of your own network.

If you don't have a vulnerable version, you need to disable legacy encryption methods and start using Group Managed Service Accounts whenever possible. If you have service accounts using simple passwords, reset those too. There are some vendors in the healthcare space who have asked for passwords to not be changed. They need to be changed. If we can Google it, and we have before, then it's not a secure password and you're putting patient data at risk.
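The service-account steps in the two paragraphs above can be tracked with an audit over an export of directory accounts. This is an added example, not code from the article, CISA or SolarWinds; the record fields, account names and cutoff date are constructed, and "legacy encryption" is assumed here to mean the DES and RC4 bits of `msDS-SupportedEncryptionTypes`.

```python
from datetime import date

# msDS-SupportedEncryptionTypes bit flags for Kerberos encryption types.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
LEGACY = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC  # assumption: "legacy" = DES, RC4
GMSA_CLASS = "msDS-GroupManagedServiceAccount"

def audit(accounts, reset_after):
    """Map account name -> findings; reset_after is the incident cutoff date."""
    report = {}
    for a in accounts:
        issues = []
        enc = a.get("enc_types") or 0
        if enc == 0:
            issues.append("encryption types unset, domain default applies")
        elif enc & LEGACY:
            issues.append("legacy Kerberos encryption allowed")
        is_gmsa = a["object_class"] == GMSA_CLASS
        if a.get("spns") and not is_gmsa and a["name"] != "krbtgt":
            issues.append("service runs under a user account, not a gMSA")
        # gMSA passwords are rotated by the directory, so skip the date check.
        if not is_gmsa and a["pwd_last_set"] < reset_after:
            issues.append("password not reset since cutoff")
        if issues:
            report[a["name"]] = issues
    return report

CUTOFF = date(2020, 12, 14)  # constructed cutoff date for this example
ACCOUNTS = [  # constructed export; account names and dates are hypothetical
    {"name": "krbtgt", "object_class": "user", "spns": ["kadmin/changepw"],
     "enc_types": AES128 | AES256, "pwd_last_set": date(2016, 3, 1)},
    {"name": "svc_orion", "object_class": "user", "spns": ["HTTP/orion01"],
     "enc_types": RC4_HMAC | AES256, "pwd_last_set": date(2019, 6, 12)},
    {"name": "svc_pacs", "object_class": "user", "spns": ["MSSQLSvc/pacs01"],
     "enc_types": 0, "pwd_last_set": date(2020, 12, 20)},
    {"name": "gmsa_hl7$", "object_class": GMSA_CLASS, "spns": ["HTTP/hl7gw"],
     "enc_types": AES128 | AES256, "pwd_last_set": date(2020, 11, 30)},
]

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, CUTOFF).items():
        print(f"{name}: {'; '.join(issues)}")
```

Password length cannot be read back from the directory, so the 25-character minimum has to be enforced at the time each reset is performed.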

EDR instead of Anti-Virus

One of the items that SolarWinds recommended was to disable anti-virus scanning on their directories. A cached document from their support site gave a list of directories to exclude from scanning. This means that malware placed in these directories wouldn't be detected. Our recommendation is to enable scanning on these directories. If you have legacy anti-virus, replace it with an Endpoint Detection and Response (EDR) product such as Microsoft Defender Advanced Threat Protection, BlackBerry Cylance, VMware Carbon Black, CrowdStrike, or Cybereason. These products will do a better job detecting malware than legacy products will, and do a better job protecting patient data.

Operational Management Procedures

We need to develop runbooks and operational management procedures for applications and network services to check for and report on anomalies. These include invalid logins, connections to outside sites, accounts that look up numerous records, and attempts at probing other resources. Linking systems to a Security Information and Event Management (SIEM) system managed by a Managed Security Services Provider (MSSP) and/or Clinical Engineering Device Management Company can help you automate these processes. Also, make sure that your teams are performing periodic maintenance, including patches, application reliability checks, and database checks.

Mass Password Change Procedures

Organizations need to make sure that they have good procedures in place for when a significant event occurs. Today it was SolarWinds Orion being compromised. Tomorrow will bring other similar events. System administrators have been walked out, credentials have been compromised, and many other issues, like ransomware, have happened in the IT space. It is never too late to prepare to have to change all credentials and have a process to do so.

Conclusion

The SolarWinds event is going to go down in history like the Morris Worm or Stuxnet. It will be relentlessly studied and examined. This doesn't mean we throw up our hands and say that security doesn't work. It means that we study and learn from it, and implement techniques that make ourselves more resilient. There are many people, especially now, that depend on us. We owe it to them to do better. Hopefully this article will help CIOs close the gaps to do so.

 
