Organizations and officials worldwide are still sifting through the damage caused by the December 2020 SolarWinds breach, which impacted more than 250 companies and government agencies. Hackers inserted malicious code into the U.S. company's Orion IT infrastructure monitoring and administration platform.
The code spread through updates and patches SolarWinds sent to all its clients, the company's CEO Sudhakar Ramakrishna told the U.S. Senate Oversight and Reform Committee and Homeland Security Committee in February (see "Congress Raises Questions" below). The SUNBURST malware created backdoors through which hackers could access customers' systems.
Organizations that use the SolarWinds platform may already have been attacked. Internal auditors should help determine their risk and devise safeguards against this and future attacks.
In the aftermath of the SolarWinds incident, IT and cybersecurity teams should review and test more details and cover more transactions. In time, audit committees, external auditors, and regulators may expect internal audit to perform more continuous assessments and technical reviews of the infrastructure and network cybersecurity hygiene.
The level of investment and time to improve cybersecurity in the network and infrastructure will need to increase significantly, as well. In a March presentation, the National Association of Corporate Directors (NACD) advised boards to "evaluate their programs' effectiveness compared to their spend." The NACD suggests directors discuss:
- How can boards ensure companies are implementing best practices?
- What are the most effective security metrics boards should consume?
- How can boards oversee effective third-party risk management?
Congress Raises Questions
According to several sources, the SolarWinds breach went undetected for at least nine months. That means the hackers could embed and hide malicious code over an extended time. Several points arose during U.S. congressional hearings:
Members of Congress and witnesses — which included executives from cybersecurity firms and Microsoft — mostly agreed that the U.S. needs a more extensive and better-trained cybersecurity workforce.
Many attendees said more resources are needed to strengthen the nation's cybersecurity. This includes more federal government investment to upgrade critical infrastructure, especially outdated software and security systems.
Members called for improving best practices and cybersecurity hygiene. This may include more threat hunting or proactive searches for cyber threats to organizational networks and infrastructure. For example, the Department of Homeland Security Cyber Hunt and Incident Response Team Act of 2019 funds these activities for several federal government departments and agencies.
Many members and witnesses called for a better public–private partnership to deal with cybersecurity threats, including more robust reporting and sharing of cybersecurity-related information. However, disclosure brings up issues about liability and reputational risks to companies that disclose significant breaches.
Internal audit should begin by assessing the risk levels represented by the SolarWinds breach. Organizations assume that infrastructure and network monitoring tools can be a trusted part of cybersecurity hygiene practices. When the tool itself is compromised and open to attackers, it increases all other risks and weakens controls.
Internal audit's IT auditors should discuss with the technology and information security teams ways to assess infrastructure and network governance, risks, and controls. Auditors may need more training on infrastructure and network processes.
Even with such expertise, IT auditors will rarely review the actual code or patch update. First, scans of patch update code require deep technical knowledge. Second, auditors typically focus on timely and complete patching — not scanning for malicious code in a vendor update.
For example, SolarWinds used external resources to identify the malware SUNSPOT, a highly sophisticated code designed to insert the SUNBURST backdoor malware during the Orion platform build process. IT auditors would not be expected to deal with the governance, risks, and controls over such a detailed and technical process. However, there are several ways internal audit can provide value.
Vendors and Partners
Internal audit should review all infrastructure vendors and supply chain partners, especially vendors that play a crucial security role. Auditors should perform an inventory of vendors and analyze each provider's risk profile.
Segmentation
Auditors should review the current network and infrastructure segmentation to see whether isolating vendor software into a higher risk zone will improve security. Segmentation divides a network into separate parts and blocks certain traffic between them to improve performance and control access. It can block all or some traffic from reaching another segment, which may prevent infected software from accessing high-risk data stored in a different network segment.
Auditors should determine whether the IT team deploys policies and controls to manage who can access high-risk data network segments. Internal audit also should find out what policies govern who can access higher risk networks.
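One way an auditor can test the segmentation described above is to evaluate the firewall policy mechanically: probe whether a host in the isolated vendor-monitoring zone can reach a host in each protected segment. This is an added example, not code from the original article; the zones, addresses, ports and rules are constructed, and real policies would be exported from the organization's firewalls.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones: the vendor monitoring tool sits in its own higher-risk
# segment, separate from the segment holding high-risk data.
ZONES = {
    "vendor-monitoring": ipaddress.ip_network("10.50.0.0/24"),
    "high-risk-data": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
}

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"

# Constructed rule set, evaluated first-match like most firewalls.
# The first rule is the kind of finding an auditor is looking for.
RULES = [
    Rule(ZONES["vendor-monitoring"], ZONES["high-risk-data"], 1433, "allow"),
    Rule(ZONES["vendor-monitoring"], ZONES["corporate"], 161, "allow"),  # SNMP polling
    Rule(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"), None, "deny"),
]

def evaluate(rules, src_ip, dst_ip, port):
    """Return the action of the first rule matching the flow; default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"

def find_exposures(rules, zones, src_zone, protected_zones):
    """Probe one host in src_zone against one host in each protected zone on
    every port named by an allow rule; return the flows the policy permits."""
    src_host = str(next(zones[src_zone].hosts()))
    ports = {r.port for r in rules if r.action == "allow" and r.port is not None}
    findings = []
    for name in protected_zones:
        dst_host = str(next(zones[name].hosts()))
        for port in sorted(ports):
            if evaluate(rules, src_host, dst_host, port) == "allow":
                findings.append((src_zone, name, port))
    return findings

if __name__ == "__main__":
    for src, dst, port in find_exposures(RULES, ZONES, "vendor-monitoring", ["high-risk-data"]):
        print(f"FINDING: {src} can reach {dst} on port {port}")
```

Each finding is a flow the policy allows from the vendor segment into a protected segment and should be traced back to a documented business need and an approving owner.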
Security Testing
Internal audit should review whether technology and security teams plan to perform or set up Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). DAST implements automated scans that simulate malicious external attacks. SAST analyzes source code while the application is at rest or static. Auditors should review the DAST and SAST strategy and approach to see what threats or vulnerabilities are tested.
Threat Hunting
Internal auditors should determine whether technology and security teams should use threat-hunting procedures. Security teams can deploy several types of threat-hunting tools: structured, unstructured, intelligence-based, hypothesis, and custom hunting. Additionally, auditors should determine whether the IT and information security teams follow a threat-hunting model or framework.
Return on Investment
Internal audit should assess the maturity and level of return on the organization's cybersecurity investment. For example, what percentage of the technology budget goes to cybersecurity? How does this investment compare to the organization's peers or industry standards? Does that investment make the infrastructure safer and stronger?
The SolarWinds breach tarnished past assumptions and trust in third-party software and patch update processes. To address such catastrophic risks in the future, internal audit needs to assess the governance, risks, and controls over providers that are essential to monitoring infrastructure and networks.