Earlier this month we predicted that in 2021:
“A major U.S. facility – government, DoD, Nuclear plant, etc. will have to deal with a hacking attack which is successful, causing some degree of panic.”
That was on December 7th, and now our worst fears have been realized. Sadly, the breach was reported even before the period covered by our prediction officially started.
We envisioned that a sophisticated nation-state attack would consist of a massive room full of the smartest hackers in the world. People that could crack any operating system or encryption code. We thought China, Russia, Iran or North Korea would find a hidden exploit in an operating system or piece of software. Or they would infiltrate a system by befriending a worker and gaining access to critical systems.
Sure enough, we were right about the hack. 100% dead on. It was reported today that hackers breached the networks of the National Nuclear Security Administration (NNSA) and the US Department of Energy (DOE).
NNSA is a semi-autonomous government agency responsible for maintaining and securing the U.S. nuclear weapons stockpile.
The manner in which the hack took place is not shocking – it is very very very very common.
Is that enough “verys” for you?
We must admit we thought this prediction would have been caused by a far more sophisticated hack.
Here is what happened:
IT service management firm SolarWinds was hacked because their update server used the password solarwinds123.
These simple passwords are in use in many organizations.
What is a bit shocking, of course, is that many of us can’t get a free email account online unless our password consists of a mix of letters, numbers, special characters, etc. How could a server even allow such a basic password? Sadly, we ask the question rhetorically because we have seen many organizations with lax password policies.
Hackers breached SolarWinds and then had access to 18,000 customers and millions of users as a result.
We try to learn something from every hack, but this one is challenging to learn from. The reason is that every company relies on software from third parties to keep its organization operating.
A single mistake or lapse in judgment at one company can have massive repercussions.
If we had to come up with a takeaway, it is this: consider using outside help for IT, as solid MSPs have password policies that would prevent a slip-up like using an obvious password. Another alternative is to ensure your internal team has a great password policy. The issue, of course, is enforcement. MSPs have complex passwords in their DNA – they are not perfect, but they realize that a bad password choice can take down all their customers and their business.
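As an added illustration (not code from SolarWinds or from this article), the Python sketch below shows why a character-class rule alone accepts a password like the one named above, and how an enforcement check that knows the organization's own terms rejects it. The function names, the context-term list and the tiny denylist are assumptions constructed for the example.

```python
import re

# Constructed sample denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "admin"}
# Simplified leetspeak map (assumption: "1" and "!" are both read as "i").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def naive_complexity_ok(password):
    """Character-class rule: at least 8 characters, with letters and digits."""
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"\d", password) is not None)


def base_word(password):
    """Lowercase, strip trailing digits/symbols, undo common leetspeak."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core.translate(LEET)


def policy_violations(password, context_terms, min_length=14):
    """Return the reasons a password is rejected (empty list means accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    core = base_word(password)
    letters_only = re.sub(r"[^a-z]", "", core)
    for term in context_terms:
        t = term.lower()
        if t and (t in core or t in letters_only):
            reasons.append(f"contains context term '{t}'")
    if letters_only in COMMON_PASSWORDS:
        reasons.append("base word is a common password")
    if re.search(r"(012|123|234|345|456|567|678|789|890)$", password):
        reasons.append("ends in a digit sequence")
    return reasons


if __name__ == "__main__":
    terms = ["SolarWinds", "update"]  # constructed: company name plus a server role
    for pw in ["solarwinds123", "S0l@rW1nds!2020", "violet-kettle-marsh-oxide-41"]:
        print(pw, naive_complexity_ok(pw), policy_violations(pw, terms))
```

Running the check at the point where a credential is set, rather than only writing the rule into a policy document, is what turns the policy into enforcement.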
It's worth pointing out that it would seem the development team at SolarWinds was at issue, not IT.
We have seen instances where these are separate departments and subsequently a hack comes through because of sloppy code. In this case it was a poor password choice.
We have also seen many organizations with complex policies that they print out and give to regulators and auditors when required, but it is obvious they have neither read the documents nor followed them.
Mistakes happen, but this breach, like many others, shows the damage that can be done when a single point of failure exists. In this case, the single point of failure was the internal IT/development team. SolarWinds has more than 3,200 employees, which all but guarantees many people in the company knew this password and allowed its use.
This points to a cultural issue: becoming comfortable and lacking a cybersecurity culture. Again, this can happen in any organization, and a second set of eyes, with separate management, is the best way to catch such issues.
In conclusion – cybersecurity is a broad term that involves defending the privacy of data against unknown hackers. We often talk about how difficult it is to do right. But it is worth pointing out that if the basics aren’t followed, meaning having the right culture and controls in place, you are virtually guaranteed to be breached in an embarrassing way which may cost you your company.
Here is our complete list of cybersecurity predictions – let’s hope we are wrong about all of the others.
Protecting yourself is getting tougher but must be done to keep your business or government agency, school, state, city, etc. running.
Ask the experts at Apex Technology Services about how we can help your organization stay secure.
Rich Tehrani is CEO of RT Advisors and a Registered Representative with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). RT Advisors is not owned by Four Points.
The above information was strictly a technical/business news article/review regarding the company(ies) mentioned. The information contained should not be considered and is not a recommendation to invest in or sell short the securities of the underlying company(ies).