
Compromise of Major U.S. Cybersecurity Firm is Cause for Reevaluation


Adam A. Such II, President and Chief Operating Officer, Communication Security Group/Cellcrypt
The United States continues to be rocked by the SolarWinds hack, which is thought to be the worst-ever cyber-attack on U.S. Government and corporations. At least six departments, including State, Treasury, Commerce and Energy, have been reported to have been breached. However, the attack was first identified not by a government agency but by cybersecurity firm FireEye, which was itself recently compromised by hackers with "world-class capabilities" who had "primarily sought information related to certain government customers."
This approach of attacking IT infrastructure and security providers, such as trusted government vendors FireEye and SolarWinds, in order to compromise their products and tools, makes this an extremely worrying development for organizations across government and enterprise. As the Democratic vice-chairman of the Senate select committee on intelligence, Mark Warner, commented: "The hack of a premier cybersecurity firm demonstrates that even the most sophisticated companies are vulnerable to cyber-attacks."
The supply chain attack, in which malware was inserted into an update of the SolarWinds network and security monitoring platform, Orion, came to light almost by accident due to an automated security alert that warned a FireEye employee that his credentials had been used to log into the company’s virtual private network (VPN) from an unrecognized device.
In August the NSA issued an advisory that warned, "VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack." Security controls are at risk of being subverted and must continuously be assessed.
In essence, an attack on a VPN can provide direct access to internal networks and IT infrastructure. If this occurs, the organization is exposed to data theft, manipulation of internal systems, or denial of service.
The fact that millions of employees are newly working from home due to the global health crisis, together with increasingly sophisticated, nation-state-led cyberattacks, has created a perfect storm for both public and private sector organizations.
To allow unprecedented numbers to work from home and communicate/collaborate effectively, VPN solutions designed for limited use are now required to scale up far beyond peak capacity. Additionally, organizations are utilizing non-certified collaboration and communication tools, effectively creating shadow IT infrastructures outside the oversight and management of security professionals. Some of the most considerable burdens on VPNs are the use of data-intensive VoIP, video conferencing, and large file transfers. While VPNs can facilitate these connections, the user experience is lacking as public and enterprise networks strain to cope with increased traffic.
In practice, organizations must understand their security gaps, evaluate the capabilities of their security tools, routinely assess security policies and strive to reduce their attack surfaces, including reducing the load on their VPN. For example, a video/voice communications platform that provides its own end-to-end encryption, can be integrated directly into IT infrastructure, and does not rely on centralized key management or VPNs for security will help the organization continue to communicate securely when it needs to most.
Communication Security Group is the market leader in mutually authenticated, end-to-end encryption for any kind of data in motion. They are best known for their secure communications suite, Cellcrypt, which provides military-grade encryption for voice/conference calls, instant messaging and file transfers. These enterprise-ready solutions are ideally suited for distributed workforces and expanding an organization’s secure network to a remote or mobile team. For more information, visit www.cellcrypt.com
