In February, the Senate Intelligence Committee hosted a hearing about the supply chain attack that affected SolarWinds and dozens of other companies and federal agencies, raising four key issues:
- How Amazon Web Services may have been used to host malicious infrastructure;
- Why the attackers conducted a “dry run”;
- What the true motives were for the attack, which apparently was waged by Russian hackers;
- How the incident could lead to better cyberthreat and intelligence information sharing.
While these points are all valid for uncovering the scope and motive of this attack, they distract us from the opportunity to learn from this event. The lesson of this breach is not limited to SolarWinds. For credit unions and community banks considering how to respond to the SolarWinds breach, simply dropping SolarWinds as a vendor will not eliminate the vulnerability of the systems and vendors that have access to your network. Financial institutions need to assess all of their vendors to understand the remote monitoring and management tools installed on their networks, and how those vendors manage security and mitigate risk when using those tools.
Vendors, community banks and credit unions are most certainly using tools like SolarWinds, and hosting software applications through Amazon Web Services (AWS) or Microsoft. They should be. That’s the world we live in. But vendors still need to work aggressively on behalf of their clients and banks to mitigate the risks associated with these environments. Credit unions and community banks need to understand what people and tools have access to member data. They need to understand the security practices of these vendors, by asking the right questions and demanding transparency from those vendors. Cybersecurity requires complex planning, monitoring and agility. It is never appropriate to have a one-time solution. Cybersecurity has to continuously evolve and adapt to stay one step ahead of threats.
To blame AWS for not breaking its own security standards by peering into customers' confidential IT environments misunderstands the integrity of what a cloud provider does. Surely none of us want AWS looking inside our private environments. This breach could have occurred no matter where SolarWinds was hosted or where the hackers bounced their data. To blame AWS is a distraction from the bigger issue. By that rationale, if the bad guys were sitting in a Starbucks in Ukraine while they were orchestrating the hack, then no one should ever go to a Starbucks again. Would we get angry at Walmart for not tracking who bought liquid bleach to pour into someone’s gasoline tank?
This event is an opportunity for us to learn and improve before it affects our members. The number of cyber attacks that occur daily is staggering. The sheer number is enough to make anyone concerned about the state of technology and about ensuring that businesses are leveraging the right vendors, products, and practices. This situation requires urgency and needs to get solved quickly, because for every new advancement made on the defensive or proactive side, another is made on the offensive side.
Just like our own immune systems, the ability to share knowledge of how to thwart an attack, or of when and where attacks are happening, can make the difference in whether an organization must close its doors due to threats such as ransomware. Shared databases of IP addresses, attack types and threat analysis data, and most importantly shared frameworks that automatically feed that information into our cybersecurity tools, are something the world needs to take very seriously. This is not an ‘every organization for itself’ situation, because if any single organization continues to be successfully crippled by these attacks, the attackers will continue to have motive. Instead, an ‘all for one and one for all’ mentality really needs to be leveraged to protect business and public infrastructure. And what better industry to collaborate and share threats than credit unions and community banks? By working together, we can protect all of our members.
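The mechanism described above, shared indicators pulled automatically into an institution's own tooling, can be illustrated with a small matcher. The following is an added example written for this page; it is not code from the article's authors or from Think|Stack. The feed format (a JSON list of `indicators` with `type`, `value`, `attack_type` and `source` fields), the peer names, the indicator values and the firewall/proxy log lines are all constructed for illustration and are not real indicators. It shows the two things a shared-feed consumer has to get right: normalising indicators (IP addresses, CIDR ranges, case-insensitive domains) so matching is exact, and reporting which peer contributed the indicator so the hit can be triaged and, in turn, shared back.

```python
"""Match a shared threat-intelligence feed against local log lines.

Constructed example: the feed and log lines below are made up to show
how shared indicators can be fed automatically into a security tool.
They are not real indicators and not related to any actual incident.
"""
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed shared feed. The JSON shape is an assumption of this example,
# not any particular exchange standard.
SHARED_FEED = json.dumps({
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.45", "attack_type": "c2", "source": "peer-cu-1"},
        {"type": "ipv4-cidr", "value": "198.51.100.0/24", "attack_type": "scanning", "source": "peer-bank-2"},
        {"type": "domain", "value": "update.example-bad.test", "attack_type": "c2", "source": "peer-cu-1"},
        {"type": "domain", "value": "Login.EXAMPLE-PHISH.test", "attack_type": "phishing", "source": "isac"},
    ]
})

# Constructed syslog-like firewall and proxy lines (made up for this example).
LOG_LINES = [
    "2021-03-01T10:00:01Z fw1 ALLOW src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2021-03-01T10:00:05Z proxy1 GET host=login.example-phish.test src=10.0.0.31",
    "2021-03-01T10:00:09Z fw1 ALLOW src=10.0.0.12 dst=93.184.216.34 dport=443",
    "2021-03-01T10:00:12Z fw1 DENY src=198.51.100.77 dst=10.0.0.5 dport=22",
    "2021-03-01T10:00:20Z proxy1 GET host=www.example.com src=10.0.0.40",
]


@dataclass
class IndicatorSet:
    ips: dict = field(default_factory=dict)       # exact IP text -> indicator record
    networks: list = field(default_factory=list)  # (ip_network, indicator record)
    domains: dict = field(default_factory=dict)   # lower-case domain -> indicator record


def load_feed(feed_json: str) -> IndicatorSet:
    """Parse the shared feed, normalising each indicator so matching is exact."""
    ind = IndicatorSet()
    for item in json.loads(feed_json)["indicators"]:
        kind, value = item["type"], item["value"].strip()
        if kind == "ipv4":
            ind.ips[str(ipaddress.ip_address(value))] = item
        elif kind == "ipv4-cidr":
            ind.networks.append((ipaddress.ip_network(value, strict=False), item))
        elif kind == "domain":
            ind.domains[value.lower().rstrip(".")] = item
        # Unknown indicator types are skipped rather than guessed at.
    return ind


IP_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def match_line(line: str, ind: IndicatorSet) -> list:
    """Return (matched value, attack_type, source) tuples for one log line."""
    hits = []
    for ip_text in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed address in the log; not a feed problem
        if ip_text in ind.ips:
            item = ind.ips[ip_text]
            hits.append((ip_text, item["attack_type"], item["source"]))
        for net, item in ind.networks:
            if ip in net:
                hits.append((ip_text, item["attack_type"], item["source"]))
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        if host in ind.domains:
            item = ind.domains[host]
            hits.append((host, item["attack_type"], item["source"]))
    return hits


def scan_logs(lines, feed_json: str = SHARED_FEED) -> list:
    """Return (line, hits) pairs for every log line that matched the feed."""
    ind = load_feed(feed_json)
    results = []
    for line in lines:
        hits = match_line(line, ind)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan_logs(LOG_LINES):
        for value, attack_type, source in hits:
            print(f"{attack_type:<9} {value:<26} shared by {source} <- {line}")
```

Running the block reports the three constructed lines that touch a shared indicator (a known command-and-control address, a phishing domain, and a source address inside a scanning range) and names the peer that contributed each indicator. In practice the feed would be refreshed on a schedule and the matches would be raised as alerts in the institution's monitoring tool rather than printed.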
Financial institutions are responsible for customer data, period. Customer data is everywhere. They have vendors using clouds, and they have vendors providing management with SolarWinds and other similar tools. We all have risks – SolarWinds wasn’t the first, and won’t be the last.
There is a plethora of technical best practices and tools that can be leveraged to mitigate risk and attack scenarios, but ultimately mitigating risk requires enacting frameworks and policies, which have been around for some time and take nothing but a little planning, dedication, and time. Implementing those tools in layers with well-designed policy is often the best course of action. Least-privileged access, zero-trust networks, patch policies, network segmentation and data segmentation are all concepts that an organization of any size can leverage to mitigate the majority of risks. But each credit union and community bank must build the strategy that works for them. Hopefully we can all help each other to protect the industry.
Chris Sachse and Zachary Hill are CEO and CTO, respectively, for Think|Stack, a cybersecurity firm specializing in support for credit unions, community banks and non-profits. They can be reached at firstname.lastname@example.org and email@example.com.