Important Cybersecurity News: FireEye and SolarWinds Breaches, December 2020

Envision IT Pressroom | December 17, 2020


There have been two major security events in the past week that we wanted to share information on to help answer questions you may have. As always, please do not hesitate to reach out for further discussions around these events and how you can take measures to protect your users and systems.

First, FireEye, a leading cybersecurity firm that provides cyberthreat intelligence, penetration testing, and consulting for many organizations, suffered a breach that led to the theft of its penetration testing tools. We expect these stolen tools will be used to identify weak points in companies' networks and compromise them, leading to data theft and disruption.

The second significant event is related to FireEye's incident. FireEye's incident response team identified the entry point of the breach as a popular third-party product called Orion from SolarWinds, which is used for monitoring network devices. It appears the attack on SolarWinds was carried out by threat actors injecting malicious code into the Orion software, which was then distributed to SolarWinds customers through its normal update channels. According to a SolarWinds statement, updates to the Orion product released between March and June of 2020 are affected. In addition to FireEye, the infected Orion software was used to attack multiple companies and organizations, among them the U.S. Department of Commerce, the Department of Homeland Security, and the U.S. Treasury.

So, what can we learn, and what can you do to protect yourself from these incidents? First, Envision IT does not use these products internally or for clients. However, the attackers involved in these events are very sophisticated, so this is an excellent reminder to take a continuous-improvement approach to your cybersecurity. While not a complete list, here are some important security tasks to review. If you use Envision as a Service (EaaS), some of these items may already be taken care of, or you may want to discuss them further:

  • Determine whether you or your business partners/vendors use the SolarWinds Orion product. If you have the software installed, immediately take action to disable it until it is remediated.
  • Ensure you have an effective patch management process for your servers, endpoints, network devices, and third-party software. The penetration testing tools stolen from FireEye do not take advantage of any "zero-day exploits," which means the exploits they use were already known to the software vendors and patches were available.
  • As a backup to patch management, a continuous vulnerability scanning process is recommended to audit for and catch devices that were missed by, or failed, the patching process. Patching is a challenging process, and devices do get missed.
  • Ensure your data backup and protection systems are working as expected and have recently been tested. Today's data protection systems need to keep multiple copies of data, both onsite and offsite, and should not allow access without strong multi-factor authentication (MFA).
  • Enable MFA for as many systems as possible. All remote access to company resources should require MFA.
  • Confirm logging is enabled on every device and feed it into a Security Information and Event Management (SIEM) system, which allows for proactive event correlation and the ability to determine which systems are affected in case of a security incident.
  • Review your Active Directory and network policies and ensure good segmentation.
  • Monitor your email for phishing and confirm users have recently completed end-user security awareness training.
  • Reset passwords on U.S. government sites ASAP (Social Security, IRS, etc.).
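As an added example for the first checklist item (this is not code from the original post or from SolarWinds), the PowerShell script below reports whether SolarWinds Orion is installed on a Windows host and, when run with the -Disable switch, stops and disables its services until the host is remediated. The registry paths and cmdlets are standard Windows ones; the -Disable switch and the name matching are this example's own assumptions.

```powershell
# Added example: inventory a Windows host for SolarWinds Orion and, optionally,
# disable its services. Assumes an elevated (administrator) PowerShell session.
[CmdletBinding()]
param(
    [switch]$Disable   # when set, stop and disable matching services (report-only by default)
)

# Standard Uninstall hives for 64-bit and 32-bit installers
$uninstallHives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Installed-program entries whose display name mentions both SolarWinds and Orion
$products = Get-ItemProperty -Path $uninstallHives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*' -and $_.DisplayName -like '*Orion*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

# Orion registers its components as Windows services; match on the vendor name
$services = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*' }

if (-not $products -and -not $services) {
    Write-Output "$($env:COMPUTERNAME): no SolarWinds Orion installation found"
    return
}

Write-Output "$($env:COMPUTERNAME): SolarWinds Orion present"
$products | Format-Table -AutoSize
$services | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

if ($Disable) {
    foreach ($svc in $services) {
        # Stop the service and keep it from starting on reboot until remediation is complete
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "Disabled service $($svc.Name)"
    }
}
```

Compare the reported DisplayVersion and InstallDate against SolarWinds' published list of affected Orion updates (March to June 2020) when deciding what to remediate.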

If you have any questions, please reach out to Envision's Endearment Team at 608.824.2060 or submit a request here.

Tags: Malware, Security, Technology