SolarWinds: "IT's Pearl Harbor"

The experts agree. SolarWinds was the worst security disaster of all time, and it's not done with us yet.

Page 2 of 2

Khazanchi concluded, "Applying security hygiene and east-west segmentation along with endpoint and server hardening can be effective techniques to rein in spiraling complex segments that promote unseen lateral movement. Such attacks depend on network complexity and lack of east-west controls to move laterally from system to system. Micro-segmentation that automatically prevents communication between systems that do not otherwise communicate significantly reduces the propagation possible via lateral movement."
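To make the micro-segmentation idea in that quote concrete, here is an added example (not code from the article, from Khazanchi, or from any vendor product). It learns a default-deny east-west allowlist from a constructed baseline of observed flows, then judges new flows against it; the host names, ports and flows are all made up for the illustration.

```python
"""Toy east-west micro-segmentation policy built from observed traffic.

Added example: default-deny between systems that do not normally talk.
An allowlist is learned from a constructed baseline of flows, then new
flows are judged against it. All hosts, ports and flows are invented.
"""
from collections import defaultdict

# Constructed baseline: (src, dst, dst_port) tuples seen during a
# "learning" window on a healthy network. In practice these come from
# flow logs (NetFlow, cloud VPC flow logs, host firewall logs).
BASELINE_FLOWS = [
    ("web-01", "app-01", 8080),
    ("web-02", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("monitor-01", "web-01", 22),
    ("monitor-01", "app-01", 22),
    ("monitor-01", "db-01", 22),
]

# Constructed post-compromise traffic: web-01 has been taken over and the
# attacker tries to reach the database directly and to SSH to a peer.
CANDIDATE_FLOWS = [
    ("web-01", "app-01", 8080),   # normal
    ("web-01", "db-01", 5432),    # lateral movement: never seen in baseline
    ("web-01", "web-02", 22),     # lateral movement: never seen in baseline
    ("monitor-01", "db-01", 22),  # normal
]


def build_allowlist(flows):
    """Return {(src, dst): {ports}} from observed flows. Direction matters."""
    allow = defaultdict(set)
    for src, dst, port in flows:
        allow[(src, dst)].add(port)
    return dict(allow)


def is_allowed(allowlist, src, dst, port):
    """Default deny: a flow passes only if this exact (src, dst, port) was seen."""
    return port in allowlist.get((src, dst), set())


def evaluate(allowlist, candidate_flows):
    """Classify candidate flows; returns a list of (flow, verdict)."""
    return [((s, d, p), "allow" if is_allowed(allowlist, s, d, p) else "deny")
            for s, d, p in candidate_flows]


def denied_flows(allowlist, candidate_flows):
    """Just the flows the policy would block, in input order."""
    return [f for f, v in evaluate(allowlist, candidate_flows) if v == "deny"]


if __name__ == "__main__":
    policy = build_allowlist(BASELINE_FLOWS)
    for flow, verdict in evaluate(policy, CANDIDATE_FLOWS):
        print(f"{verdict:5} {flow[0]} -> {flow[1]}:{flow[2]}")
```

The caveat a practitioner should keep in mind: a policy learned from a baseline faithfully allows whatever was already happening during the learning window, including an intruder's traffic if they were present, so the baseline needs to be reviewed, not just recorded.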

Finally, using open-source software can help. As Eric S. Raymond, a founder of the open-source movement, famously put it in "Linus's Law": "Given enough eyeballs, all bugs are shallow." Open source is no cure-all. But at least you can inspect the code yourself if you suspect it is causing you trouble.

Programs such as Red Hat's Release Monitoring, nvchecker, or Repology can help you spot when new versions of the open-source software you use are released. Third-party code-analysis tools such as Synopsys's Black Duck or Sonatype Nexus Lifecycle, which inventory the open-source components in your builds, can help as well.
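What those release monitors do at bottom is compare the version you ship against the newest version upstream. The following is an added example, not code from the article or from nvchecker, Repology, Release Monitoring, Black Duck or Nexus Lifecycle: it parses a constructed requirements-style pin list and checks it against a constructed, inline upstream "feed" (no network calls), reporting the dependencies that have fallen behind. Package names and versions are made up for the illustration.

```python
"""Spot newer upstream releases for pinned open-source dependencies.

Added example. Real tools fetch the latest version from PyPI, GitHub
tags or release-monitoring.org; here the upstream feed is a constructed
dict so the example runs offline.
"""
import re

# Constructed pins in requirements.txt style (name==version).
PINNED = """\
requests==2.25.0
urllib3==1.26.2
cryptography==3.3.1
# comments and blank lines are ignored

pyyaml==5.3.1
"""

# Constructed upstream release feed; values are invented for the example.
UPSTREAM_LATEST = {
    "requests": "2.25.1",
    "urllib3": "1.26.2",
    "cryptography": "3.4",
    "pyyaml": "5.4",
}


def parse_version(ver):
    """Turn '1.26.2' or '3.4rc1' into a comparable (numbers, prerelease) tuple.

    Numeric parts compare as integers, trailing zeros are ignored so that
    2.25 == 2.25.0, and a pre-release tag sorts before the final release
    (3.4rc1 < 3.4). This is a deliberate simplification, not a full
    PEP 440 parser.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([a-zA-Z]+)(\d*))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version: {ver!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))  # pre-release
    else:
        pre = (1,)  # final release sorts after any pre-release
    return tuple(nums), pre


def parse_pins(text):
    """Parse 'name==version' lines into {name: version}; names lower-cased."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        if not ver:
            raise ValueError(f"not an exact pin: {line!r}")
        pins[name.strip().lower()] = ver.strip()
    return pins


def outdated(pins, upstream):
    """Return {name: (pinned, latest)} for pins older than upstream."""
    result = {}
    for name, pinned in pins.items():
        latest = upstream.get(name)
        if latest is None:
            continue  # unknown upstream; a real tool would report this too
        if parse_version(pinned) < parse_version(latest):
            result[name] = (pinned, latest)
    return result


if __name__ == "__main__":
    for name, (have, latest) in outdated(parse_pins(PINNED), UPSTREAM_LATEST).items():
        print(f"{name}: pinned {have}, upstream {latest}")
```

A newer upstream version is a prompt to look, not proof of a problem; the point of the check is that you find out about the release from your own tooling rather than from an incident.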

Another Linux Foundation project, the Open Source Security Foundation (OpenSSF), combines forces with the Core Infrastructure Initiative (CII), GitHub's Open Source Security Coalition, and security-conscious open-source companies. Its goal, said Mark Russinovich, Microsoft Azure's CTO, is to help developers better understand the security threats that exist in the open-source software ecosystem.

The Foundation's four goals are: 1) help developers spot security problems; 2) provide the best security tools for open-source developers; 3) give them best-practice recommendations; and 4) create an open-source software ecosystem in which the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.

These are all works in progress. In the meantime, all we can do is keep watch over our software supply chains. Few of us are used to doing that, but after SolarWinds, it's clear that we must. As so many experts said, as bad as it's been, it could have been much worse. Indeed, it may yet prove to be much worse.

Let's take care and be safe out there.

Copyright © 2021 IDG Communications, Inc.
