By now, you have heard about the SolarWinds Orion hack. But what do you need to know about it?
First, if you want or need the technical details, the Cybersecurity and Infrastructure Security Agency (CISA) has them. In particular, on December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to immediately disconnect or power down affected SolarWinds Orion products. Make sure your own affected Orion instances are identified and disconnected too, and treat every system they could reach as potentially compromised until you have checked it.
Second, this hack has highlighted something that the GAO reported earlier this month: federal agencies are doing a poor job of managing the risks in their technology supply chains. What did GAO find? “Few of the 23 civilian Chief Financial Officers Act agencies had implemented seven selected foundational practices for managing information and communications technology (ICT) supply chain risks.”
Third, you need to understand what “supply chain risk management” is and why it is important. Supply chain risk management (SCRM) is the process of identifying, assessing, and mitigating the risks that come with the global and distributed nature of ICT product and service supply chains, including the software your organization installs and trusts, such as SolarWinds Orion.
Fourth, now more than ever, your company needs to know where your data is, where and when it is moving, where and when it is stored, how it is used, and who has access to it. You have to assume you will be hacked and have a plan that enables your company to survive that hack.
* * *
Finally, unrelated to this hack but not to be lost, is a reminder that this time of year is when phishing attempts are at their peak. Be on alert personally, and remind personnel that they should treat all unexpected or unfamiliar emails with suspicion.