In a recent high-profile attack, foreign nationals are suspected of having hijacked the update publishing system of SolarWinds, a widely used network monitoring tool. This meant the attackers were able to plant malware, including code that allowed remote access, within the infrastructure of any of SolarWinds’ customers. This attack was, of course, aimed at large American organizations and the government, but smaller businesses should not brush it aside: a less ambitious bad actor could just as easily target other vulnerable software that is commonly used in small businesses. This raises the question:
What can be done to prevent an attack if an often-used and trusted piece of software gets hijacked and becomes a trojan? In this blog post, we intend to lay out three main best practices that will mitigate the impact of such an attack.
The first best practice involves implementing a good firewall at the edge of a business network (where it connects to the Internet). This can be either virtual, if your business has virtual server infrastructure, or a physical device. Even if your business is not big enough to afford a high-end firewall that does deep traffic inspection, a typical firewall can still filter out traffic from foreign IP addresses and known bad actors. If your company is on the larger side, firewalls that are able to do deep traffic inspection can identify troubling traffic based on more than just an IP address and a TCP/UDP port. This can go a long way in mitigating new threats and types of attacks. Implementing a firewall is a clear first step to preventing attackers from taking advantage of vulnerabilities, even ones they themselves have put in place.
Beyond having a firewall at the edge of your network, a business should use VLANs (virtual local area networks) to separate traffic and use a firewall to allow traffic between them only as needed. VLANs talk to one another by way of a router, and some network equipment aimed at small and mid-sized businesses combines the functions of a router and a firewall. If one of these is installed, SolarWinds and other network management software can be placed on its own VLAN, and firewall rules can be used to make sure that SolarWinds, or the bad actors who have remote access to your network via SolarWinds, can only reach a small subset of systems on the small subset of TCP/UDP ports that the software actually needs for its functions. For example, SolarWinds has no need to use the RDP protocol, commonly known as Remote Desktop, which has its own specific TCP port, in order to collect the data it needs to monitor network equipment. That port could be blocked at the firewall whenever it sees traffic on that port coming from the specialized software server.
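To make the inter-VLAN policy concrete, here is an added example (not from the original post) that models a small "allow only what the monitoring server needs" rule set, evaluates sample traffic against it, and renders it as Linux iptables FORWARD rules. The VLAN numbers and addresses are hypothetical and constructed for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this example (not real infrastructure):
#   VLAN 10 (management): monitoring server at 10.0.10.5
#   VLAN 20 (network gear): switches and routers in 10.0.20.0/24
#   VLAN 30 (servers): file and application servers in 10.0.30.0/24

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # None matches any destination port

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)

# Ordered rules: first match wins; anything unmatched is dropped.
POLICY = [
    Rule("allow", net("10.0.10.5/32"), net("10.0.20.0/24"), "udp", 161),   # SNMP polling of gear
    Rule("allow", net("10.0.10.5/32"), net("10.0.20.0/24"), "icmp", None), # reachability checks
    Rule("allow", net("10.0.10.5/32"), net("10.0.30.0/24"), "icmp", None), # ping servers only
    Rule("deny",  net("10.0.10.0/24"), net("0.0.0.0/0"),    "tcp", 3389),  # RDP never needed from mgmt
]

def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Return 'allow' or 'deny' for a flow leaving the management VLAN (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if s in r.src and d in r.dst and r.proto in (proto, "any") and r.dport in (dport, None):
            return r.action
    return "deny"

def render_iptables(policy) -> list:
    """Render the policy as iptables FORWARD rules with a DROP default.
    The first line lets replies to allowed flows return (stateful firewalling)."""
    lines = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in policy:
        cmd = f"iptables -A FORWARD -s {r.src} -d {r.dst}"
        if r.proto != "any":
            cmd += f" -p {r.proto}"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        lines.append(cmd + " -j " + ("ACCEPT" if r.action == "allow" else "DROP"))
    lines.append("iptables -P FORWARD DROP")
    return lines
```

A remote-access implant on the monitoring server that tries RDP toward the server VLAN hits the explicit DROP rule, which is also the line worth logging and alerting on, since that traffic should never occur.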
Third and finally, investigating the companies behind software solutions and asking some questions about their security practices before buying can go a long way toward selecting software that is less likely to become a security liability. Hindsight is 20/20, but recent reports have stated that SolarWinds’ products, and even their internal security, had been lax for several years, with the company not even having a senior leader or executive in charge of security. Of course, this and other information relevant to secure software selection may not be public, but forging a working relationship and seeing how a sales rep responds to questions about security can go a long way toward getting a feel for where a company’s head is.
It is a reality in the digital, connected world that vulnerabilities on corporate networks cannot be eliminated entirely. This point certainly hits home when a trusted piece of software becomes a potent attack vector. There are, however, some relatively easy steps to take and technologies to implement to avoid a particular attack or make an attack vector less effective. We intend to publish our thoughts on more best practices in blog posts to come.
If you are looking for a professional opinion on your business’s IT security implementation or wish to have some of the solutions mentioned here implemented on your network, be sure to contact us at the information below.