In a move that has raised concern across the CISO community, the U.S. Securities and Exchange Commission (SEC) has filed a lawsuit against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown. The SEC complaint centres on the 2020 SUNBURST supply chain attack on the company’s Orion software and alleges fraud and internal control failures. This article dissects the lawsuit’s implications for vulnerability management, application security, and product security.
Without taking sides on the merits, two things are worth noting: organisations often lack a risk profile for their software, and even where findings exist they are frequently ignored unless presented in terms leadership understands. This filing will raise awareness, but it could also drive defensive behaviour and scapegoating of security leaders.
The Charges: A Brief Overview
The SEC’s complaint accuses SolarWinds and its CISO, Timothy G. Brown, of failing to disclose known vulnerabilities and specific deficiencies in the company’s cybersecurity posture. It further alleges that SolarWinds’ public security statements were misleading, which bears directly on how the company’s vulnerability management and application security practices were represented to investors.
The NIST 800-53 Framework: A Mirage?
SolarWinds claimed to follow the NIST 800-53 security framework, widely regarded as a gold standard in cybersecurity. However, a 2019 assessment cited in the complaint found that the company had implemented only 21 of the 325 controls, roughly 6%. It’s like claiming to have built a fortress but only installing a garden fence.
Why the charges:
The SEC charges SolarWinds and its CISO with fraud and internal control failures. The charges relate to the company’s failure to disclose known cybersecurity risks and specific deficiencies in its cybersecurity practices.
According to the SEC, SolarWinds misled the public by claiming to follow the NIST 800-53 framework despite the 21-of-325 control coverage noted above, and its security statements contained further inaccuracies.
The SUNBURST Attack
The SEC’s legal action comes in the wake of the notorious SUNBURST supply chain attack that compromised SolarWinds’ Orion software. Rather than a conventional vulnerability, this was a trojanized update: the backdoored Orion build was downloaded by over 18,000 customers, affecting giants like Cisco and U.S. government departments.
The Russian state-sponsored APT29 threat group breached SolarWinds’ internal systems and trojanized the SolarWinds Orion IT administration platform, with the malicious SUNBURST code shipping in builds released between March 2020 and June 2020.
SolarWinds has said the SEC charges came as a surprise. The company says it has more than 300,000 customers worldwide, including 96% of Fortune 500 companies, all top ten U.S. telecom companies, Apple, Google, Amazon, and a long list of government agencies (such as the U.S. Military, the Pentagon, the State Department, NASA, the NSA, the Postal Service, NOAA, the U.S. Department of Justice, and the Office of the President of the United States).
Multiple U.S. government agencies later confirmed that they were breached, including the Department of State, the Department of Homeland Security (DHS), the Department of the Treasury, the Department of Energy (DOE), the National Telecommunications and Information Administration (NTIA), the National Institutes of Health (NIH) (part of the U.S. Department of Health and Human Services), and the National Nuclear Security Administration (NNSA).
How can you prepare? What can you do to avoid being next?
Transparency is key. Companies must accurately disclose their cybersecurity practices and known risks. Vague statements won’t cut it anymore; specificity is the order of the day.
Open channels of communication within the organization are crucial. This ensures that concerns about potential cybersecurity threats are shared and acted upon, bridging the gap between public statements and actual security measures.
When vulnerabilities are identified, immediate action is non-negotiable. Leaders must prioritize these issues and ensure they are escalated to the right personnel. Procrastination here can be costly, both financially and reputationally.
A robust cybersecurity framework tailored to the company’s unique risk environment is essential. Regular audits, penetration tests, and employee training can help keep the security posture robust and up-to-date.
In case of an incident, full and timely disclosure to investors and stakeholders is imperative. Half-truths or omissions can erode trust and may even lead to legal repercussions.
By adhering to these strategies and the new SEC cyber rules, companies can significantly enhance their cybersecurity practices. This not only safeguards valuable assets but also instils investor confidence, making it a win-win situation for all involved.
SEC Cybersecurity rules
It is useful to recap the cybersecurity disclosure rules the SEC now applies. The SEC sought to thread a needle between having organisations provide enough information to inform investors while not “increasing a company’s vulnerability to cyberattack … to avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors.” The final rules were adopted on July 26, 2023 and, per the Federal Register, took effect September 5, 2023.
New Form 8-K Item 1.05
Disclosure of a material cybersecurity incident, covering its nature, scope, timing and its material (or reasonably likely material) impact on the registrant, within four business days of the registrant determining that the incident is material. Note that the clock starts at the materiality determination, not at discovery, and the only permitted delay is where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
New Regulation S-K Item 106(b)
Provide a description of the “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats…”
To be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
New Regulation S-K Item 106(c)
Provide a description of the board of directors’ oversight of risks from cybersecurity threats, together with management’s role and expertise in assessing and managing material risks from cybersecurity threats.
The SEC’s Stance: No Excuses
The SEC has been unequivocal: the sophistication of the SUNBURST attack does not mitigate SolarWinds’ poor controls and misleading statements. In other words, “a hack is a hack, but a lie is a lawsuit.”
A SolarWinds spokesperson provided the following statement to BleepingComputer after its article was published:
We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.
The SolarWinds charges: a timeline (page references are to the SEC complaint)
- October 2018: SolarWinds goes public with an Initial Public Offering (IPO) registered via a Form S-1 filed with the SEC. The filing contains boilerplate cybersecurity risk disclosures. (Page 38)
- November 2018 – November 2020: SolarWinds makes multiple SEC filings, including quarterly and annual reports, that allegedly repeat the same misleading risk disclosures. (Page 41)
- Throughout 2020: Accumulating red flags and cybersecurity incidents are allegedly not disclosed. (Page 41)
- December 14, 2020: SolarWinds files a Form 8-K regarding the SUNBURST cybersecurity incident. (Page 3)
- October 30, 2023: The SEC files the complaint. (Page 1)
Main Charging Points:
- Misleading Statements: SolarWinds and Brown allegedly made materially false and misleading statements about the company’s cybersecurity practices. (Page 1)
- Non-Disclosure of Risks: The company failed to disclose accumulating red flags and cybersecurity incidents. (Page 41)
- Violations of Exchange Act: SolarWinds is charged with violating Section 13(a) of the Exchange Act and related rules. Brown is charged with aiding and abetting these violations. (Page 64)
Internal Discord: A Red Flag
Internal documents and messages within SolarWinds have revealed a disconnect between public statements and internal assessments. One message from a senior information security manager even stated, “We’re so far from being a security-minded company.”
The SEC seeks various penalties against SolarWinds and its CISO, underscoring the high stakes involved in cybersecurity compliance and data breach prevention.
Implications for the Cybersecurity Landscape
The lawsuit serves as a wake-up call for companies to align their public statements with their actual cybersecurity metrics and best practices. It also highlights the importance of adhering to recognized security frameworks like NIST 800-53.
The SEC’s lawsuit against SolarWinds is a landmark case in vulnerability management and application security. It serves as a stern reminder that in the realm of cybersecurity, the stakes are high, and the penalties for non-compliance are even higher. Therefore, focusing on cybersecurity best practices, risk-based decision-making, and asset visualization is crucial for any organization.
This could set a dangerous precedent, but it is also a case study that CISOs can use to bring a more quantitative, risk-based approach to vulnerabilities across products and environments.
Application posture and risk management can help accelerate the identification of weaknesses that attackers can exploit, as happened in the SolarWinds case, and such incidents are becoming alarmingly frequent. Phoenix Security offers a comprehensive, risk-aligned approach to safeguarding your assets. So, if you’re looking to bolster your cybersecurity posture while aligning with business objectives, Phoenix Security is your ace in the hole.
In cybersecurity, the best offence is a good defence. Phoenix can help build risk-based profiles for your products and provide real-time environment assessment. Let Phoenix Security be the risk reporting and action engine that helps you and your CISO paint a real-time risk profile of your products.
How Phoenix Security Can Elevate Your Cybersecurity Posture
In the wake of the SolarWinds incident, organisations are reevaluating their cybersecurity strategies and seeking robust solutions. Phoenix Security, a leader in vulnerability management and application security, helps organisations visualise the posture of their software and assets, making it the go-to partner for risk-based discussions and decision-making. The SEC lawsuit and compliance ruleset focus on the
Visualising Software and Asset Posture
Phoenix Security’s cutting-edge tools provide a comprehensive view of your organization’s software and asset landscape. This visualization enables you to identify vulnerabilities, assess risks, and prioritize actions. It’s like having a GPS for your cybersecurity journey, ensuring you’re on the right path.
Risk-Based Discussions and Decision-Making
Phoenix Security excels in facilitating risk-based discussions. By providing actionable insights and data-driven metrics, we empower organizations to make informed decisions. Think of it as having a cybersecurity roundtable where everyone speaks the same language— the language of risk.
Driving Down Risk with Targeted Goals
One of the standout features of Phoenix Security’s approach is the ability to set risk-based targets that are in sync with business objectives. This ensures that your cybersecurity efforts are not just a technical endeavor but a strategic initiative aligned with your business goals. It’s like aiming for a bullseye and having the darts, the skills, and the strategy to hit it every time.
Phoenix Security promise
The real value lies in Phoenix Security’s ability to integrate cybersecurity into your business strategy. By setting risk-based targets, you can allocate resources more efficiently, prioritize actions that yield the highest impact, and ultimately drive down risk. It’s not just about preventing a breach; it’s about enabling your business to thrive in a digital landscape fraught with risks.
What are the SEC charges against SolarWinds and its top security executive?
The SEC has charged SolarWinds and its Chief Information Security Officer (CISO) with fraud and internal control failures. The charges relate to the company’s failure to disclose known cybersecurity risks and specific deficiencies in its cybersecurity practices.
What is the nature of the 2020 hack attributed to SolarWinds?
The 2020 hack involved a supply chain attack on SolarWinds’ Orion software. Malicious “SUNBURST” code was inserted into the software, which over 18,000 customers then downloaded. The attack had a significant global impact, affecting companies like Cisco, FireEye, Intel, and various U.S. government departments.
What is the SEC lawsuit’s focus after the 2020 hack?
The SEC lawsuit focuses on SolarWinds’ failure to disclose known cybersecurity risks and “specific deficiencies” in its cybersecurity practices. It also alleges that the company made “materially false and misleading” statements about its security measures.
How did SolarWinds mislead the public on risks before the hack, according to the SEC?
According to the SEC, SolarWinds misled the public by claiming to follow the NIST 800-53 security framework despite having implemented only 21 of the 325 controls, roughly 6%. The company’s security statements were also found to be riddled with inaccuracies.
What is the SEC accusing SolarWinds of concealing before the cyber risks became public?
The SEC accuses SolarWinds of concealing known cybersecurity risks and specific deficiencies in its cybersecurity practices. Internal documents revealed a disconnect between the company’s public statements and its actual security posture.