SolarWinds Fallout: Practices to strengthen data protection

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Unlocking digital potential: Strategies for modernizing government services
Presented By Adobe
Download Now
Unlocking public sector potential
Presented By NTT DATA
Download Now
By Saimon Michelson
 

Connecting state and local government leaders

By Saimon Michelson

|

New technologies and processes, such as continuous security, zero trust and machine learning, can help agencies protect sensitive data.

The SolarWinds attack is already being described as one of the worst cyber-espionage cases in history. This massive hack has compromised local, state and federal agencies in the U.S., as well as the European Parliament and NATO. 

The sweeping impact of this data breach, which keeps broadening as new information emerges, is a shrill wake-up call for government organizations to rethink their data protection strategies.

Anatomy of the SolarWinds attack

In March 2020, attackers injected a malicious Trojan into an update of the SolarWinds Orion IT infrastructure management software, which was then inadvertently distributed by SolarWinds and installed as an update to all Orion users -- 18,000 government and private users downloaded the compromised versions.

Supply-chain attacks of this nature are particularly difficult to defend because they package malware inside a trusted piece of software. Once inside the target's network, the malware often spreads laterally to other machines or steals sensitive data by exploiting additional vulnerabilities.

The breach was revealed in December 2020 by cybersecurity firm FireEye, which had installed the Orion update. FireEye discovered that the attackers had stolen its “red team” hacking tools and compromised internal networks. Microsoft also detected malicious SolarWinds applications in its environment. Although Microsoft has tried to downplay the attack's impact, the mere fact that it was targeted is cause for concern.

What can government agencies learn from this attack?

Findings show that malicious code was installed in 18,000 sensitive networks, operating without disruption from March to December 2020. How did this malware evade detection for so long? 

The answer is that government and enterprise organizations lack visibility into the security processes of their IT vendors.  As cloud services have become integral elements of IT agendas, it’s jarring to see companies like Microsoft, VMware and others being impacted by this supply-chain attack, which could also affect the users of their products and services. To ensure supply-chain security, organizations should require their IT suppliers to implement stringent standards and certifications, such as Open Trusted Technology Provider Standard (O-TTPS). 

New approaches to strengthen data protection

The SolarWinds attack highlights the need for new technologies and practices to protect sensitive data, beyond traditional network security, such as firewalls. Governments should consider the following:

Continuous security. The larger the organization, the more complex the process for rolling out software updates and patches. DevOps methodology aims to accelerate these processes, but speed should not come at the expense of security. 

The continuous security approach is designed to create the right balance between agility and security. Continuous security implements "pipelines," which are automated security controls, integrated into the continuous integration/continuous delivery process to verify the security of a particular software update or release. This approach can be implemented by vendors or end customers as part of the build and distribution processes, respectively.

Zero trust. As data breaches continue to proliferate, agencies should always assume their internal networks have been penetrated. Since user identities can be easily compromised, every access attempt should be considered “suspicious” until proven otherwise. Based on a "never trust, always verify" approach, zero-trust architectures authenticate each access attempt from every endpoint. By employing a zero-trust approach for data access, storage and management, agencies can build higher walls around their sensitive data. 

Machine learning. When combined with a good dataset, machine learning is a powerful tool for predicting user behavior related to application usage, file access, shared folders, etc. It can be used to build user profiles and identify anomalies, which can help detect potential data breaches. The more information agencies feed into a learning model about a user's identity and context, the more effective the results. 

Machine learning is particularly potent for "shared everything" architectures, where it can capture signals and share data among globally distributed systems to continually improve security.

Node security. Agencies should incorporate the zero-trust principles into every node in the network and in the traffic in between based on an entity's identity and real-time context. Enriched identity and context for such as devices, location or branch office can be used to enforce data protection policies and help prevent unauthorized access.

Encryption keys. Encrypting data is not enough. Agencies should generate and own the data encryption keys, and no third party -- not even the cloud provider -- should be able to access or control them.  On-premises hardware security modules or key management solutions can help centrally manage and secure access to protected information. This added level of control will ensure agency data is not exposed even in the event of a hack.

NEXT STORY: NIST posts enhanced requirements for protecting CUI

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.