
In recent days, JMARK has received a large number of inquiries from our clients and colleagues, asking for clarification on how to know if their networks are still secure and seeking advice on what steps need to be taken to address vulnerabilities and tighten cybersecurity measures.
In December, an eye-opening cybersecurity breach came to light when news broke that the Orion Platform software published by SolarWinds had been hacked. Attention-grabbing headlines highlighted a jaw-dropping list of organizations whose networks had been compromised, including the U.S. Departments of the Treasury, State, and Homeland Security, high tech security firm FireEye, and tech providers Nvidia and Belkin. Yet those organizations are just the tip of the iceberg. With 18,000 SolarWinds clients affected, there is a long list of victims in both the public and private sectors. You may be wondering if your business is one of those at risk.
Am I Safe if I Am a JMARK Client?
Yes, the good news is that if you are a JMARK client, your network is unaffected. JMARK does not use the Orion Platform for monitoring. We know our clients are safe, yet we still take this incident very seriously. We are observing industry news sources and technical updates in order to learn every possible lesson that we can incorporate into our security measures.
What if I Am Not a JMARK Client?
If you are not a JMARK client, there are a number of steps you can—and should—take to check the health of your system. Your I.T. team should know whether or not the Orion Platform is used in your network. Yet even if the answer is a definitive no, there are still a few steps in the checklist below that you should take to be sure you are not affected through third-party connections.
Before we dive into the checklist, it is important to note that the understanding of this breach continues to evolve. The extent and nature of the damage done are still being discovered. New revelations may continue to emerge as cybersecurity experts throughout the country track this malware and examine affected networks for information and insights.
At the moment, however, your best starting point for reviewing the security of your network is to take the following steps. (Note that the list below is somewhat technical, but your I.T. team should have no trouble checking these items.) Of course, if you have further need of technical security help, please do not hesitate to contact us. JMARK’s award-winning security and network assessment teams are eager to help any business evaluate and strengthen their security profile.
Follow This Checklist if You Are Concerned About the SolarWinds Hack
- Check if you use a product listed by SolarWinds as having been affected.
  - Find this list at https://www.solarwinds.com/securityadvisory
- If you were using an affected product, take the following actions:
  - Disconnect the product from the network.
  - Conduct a review of logs and systems for the latest IoCs (indicators of compromise):
    - DNS requests for avsvmcloud[.]com from March 2020 until today.
    - [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]
    - [C:\WINDOWS\SysWOW64\netsetupsvc.dll]
  - Review Active Directory for unexpected accounts with administrative or similar elevated privileges.
  - Review SIEM/SOAR and Azure/Office 365 security logs and alerts for impossible travel, impossible logins, and impossible tokens.
  - Results from the above checks may warrant bringing in a third-party company familiar with computer forensics, and especially with this Orion Platform attack.
- If no indicators of compromise were detected, take the following actions:
  - Consider redeploying the entire system hosting Orion Platform from scratch.
  - Upgrade SolarWinds products to the recommended version.
  - Reset all passwords on accounts used by SolarWinds.
- Contact critical vendors and confirm they do not use affected SolarWinds products.
  - If they do, confirm that they are taking appropriate action to mitigate the impact.
- Verify that all security systems with definitions/signatures/rule sets are up to date (including anti-malware, intrusion prevention systems [IPS], and SIEM/SOAR) so they will detect the latest IoCs and attack methods.
- Follow general monitoring best practices such as the following:
  - Deploy monitoring systems on a dedicated system (do not install Orion Platform or other tools on domain controllers, file servers, etc.).
  - Consider restricting internet access to monitoring systems.
  - Ensure you have a consistent vulnerability management program to scan for, detect, and remediate vulnerabilities. (Note that this tip relates directly to the FireEye breach of security tools.)
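As an added illustration of the log and file review step in the checklist (example code written for this article, not a JMARK or SolarWinds tool), the script below scans DNS log lines for the avsvmcloud[.]com indicator from March 2020 onward and compares a file's MD5 against the listed BusinessLayer DLL hash. The DNS log line layout ("date client-ip query-name") and the sample lines are assumptions constructed for the example; adapt the regular expression to your resolver's actual log format.

```python
import hashlib
import re
from datetime import date

# Indicators quoted in the checklist above (taken from the page, not constructed).
IOC_DOMAIN = "avsvmcloud.com"
IOC_DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"
IOC_DLL_MD5 = "b91ce2fa41029f6955bff20079468448"
IOC_START = date(2020, 3, 1)  # "from March 2020 until today"

# Assumed (hypothetical) log line layout: "<YYYY-MM-DD> <client-ip> <query-name>"
LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\s+(\S+)\s+(\S+)\s*$")


def dns_hits(lines):
    """Return (date, client, name) for queries of the IoC domain or any of its
    subdomains dated March 2020 or later. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        y, mo, d, client, name = m.groups()
        when = date(int(y), int(mo), int(d))
        host = name.rstrip(".").lower()  # normalise trailing dot and case
        # Match the domain itself or a true subdomain, not a look-alike suffix.
        in_scope = host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)
        if in_scope and when >= IOC_START:
            hits.append((when.isoformat(), client, host))
    return hits


def md5_matches_ioc(data):
    """True if the given file bytes hash to the listed BusinessLayer DLL MD5."""
    return hashlib.md5(data).hexdigest() == IOC_DLL_MD5


# Constructed sample lines for demonstration (not real traffic).
SAMPLE_DNS_LOG = [
    "2020-02-10 10.0.0.5 api.avsvmcloud.com",   # before March 2020: out of scope
    "2020-04-02 10.0.0.5 api.avsvmcloud.com",   # subdomain: hit
    "2020-06-15 10.0.0.9 avsvmcloud.com.",      # bare domain, trailing dot: hit
    "2020-06-15 10.0.0.9 notavsvmcloud.com",    # look-alike suffix: not a hit
    "garbage line",                             # unparseable: skipped
]

if __name__ == "__main__":
    for hit in dns_hits(SAMPLE_DNS_LOG):
        print("DNS IoC hit:", *hit)
    with open(IOC_DLL_NAME, "rb") as f:  # run from the Orion install directory
        print("DLL hash matches IoC:", md5_matches_ioc(f.read()))
```

A hit from either check is a reason to preserve the evidence and escalate to forensics, as the checklist advises, rather than to clean up in place.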
Once you have followed all the steps above, you should be well on your way to closing the gaps opened up by the malware from this breach. Now what comes next?
The unfortunate truth is that the SolarWinds hack is just one of a great number of breaches that occurred in 2020. In fact, there were a record-setting number of cybersecurity incidents over the past year. The SolarWinds issue was simply the most high-profile. What’s more, every indication points toward 2021 continuing this upward trend.
The bottom line? Cybercrime is getting worse. Attacks are happening more frequently and succeeding more often. Hackers are getting smarter, more persistent, more organized, and more adept at tricking end-users. And every business is a target, regardless of size.
So, what can you do about this? How can you keep your business safe?
Securing Your Business Means Creating a Security-First Culture
Enhanced security needs to be a driving force in your I.T. strategy moving forward, not merely another line item. The most important thing you can do is partner with an I.T. provider with a strong background and solid reputation in cybersecurity. Not every security offering is equal, and the last thing you want to have happen is to find out the hard way that your MSP’s ability to protect your data was merely adequate.
JMARK has been named as one of the Top 100 Managed Security Service Providers in the world twice in the past three years. We have gained this distinction by creating a multi-layered approach to security. Just as the name implies, this means that if any one layer in the security plan is breached, there is another layer of safety waiting behind that. There is also protection in place at every possible entry point, including your employees and all other end users in your organization.
While there are many components of multi-layered I.T. security, some of the most important pieces include the following:
- Infrastructure monitoring and management
- Patch management
- Firewalls
- Scripts and automation
- Regular testing
- Ongoing employee security training
- Device management
- Two-factor authentication
- Policies and processes that are aligned with security
- Vendor management
- Insurance
- Backup and recovery
- Redundancy for every system
If your security system does not include those features, your company may be at greater risk for loss if you have a breach. In fact, those components should be considered as “minimum right to play” when it comes to business technology security. A mature I.T. security strategy should be based around working with your MSP to configure those pieces into the most robust protection possible, and then continue moving forward by consistently updating each feature into a newer, stronger iteration as technology changes.
Hopefully, you read that list while nodding your head in agreement, feeling relief that your business is already set up with just such a multi-layered security strategy. But if that’s not the case, don’t despair! Help is not far away, and not hard to find.
JMARK helps businesses across every industry to improve their security and protect their data. We have industry-focused teams to ensure that you are protected from attacks specific to your vertical and that you remain compliant with any regulations that have security-related requirements.
After the staggering number of attacks in 2020, we know that having strong cybersecurity has become more critical than ever. Like so many things that changed over the past year, I.T. security is not going back to the way it was. Hackers and criminals will continue seeking fresh targets and probing for any vulnerability they can find, with increasing frequency and tenacity. Your systems, processes, and culture need to be working just as hard every day to keep you safe. If you’re ready for cybersecurity that protects your data at every point throughout the network, visit JMARK.com or give us a call at 844-44-JMARK to talk to our network security advisors and learn what we can do to take care of you.