In 2020, a number of significant advances in hacking were made by cyber criminals. Right here in Austin, Texas, we observed the compromise of the SolarWinds application.
The Russian hackers were able to get inside the SolarWinds code library and plant their future access points within the packaged software. SolarWinds did not have effective information technology general controls (ITGCs) to prevent or detect this additional code. The access points were downloaded as SolarWinds customers updated their copies of the application.
The SolarWinds customers “trusted” their software supplier. Trust is not a control. I am with President Reagan: we need to trust our suppliers, but we need to verify that they have effective controls.
SolarWinds now has on their website a list of the ITGCs they have in place:
· Information Security Policy
· Organizational Security
· Asset Management
· Personnel Security
· Physical and Environmental Security
· Operational Security
· Access Controls
· Software Development Lifecycle
· Incident Management
· Business Continuity and Disaster Recovery
· Data Protection
Here is a link to the SolarWinds summary description of these items:
CCS has a number of CPE events covering information security and related internal controls. You can access a listing of the events at: http://compliance-seminars.com/Index-Information-Technology.asp#Training-Seminars-List