Blog entry by Les Bell

by Les Bell - Wednesday, November 1, 2023, 7:50 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


SEC Charges SolarWinds and its CISO

The US Securities and Exchange Commission has announced charges against Texas network management software firm SolarWinds and its Chief Information Security Officer, Timothy G. Brown, following the legendary Sunburst attack on the firm and the customers using its Orion software. The SEC alleges that SolarWinds misled investors by disclosing only generic, hypothetical risks when in fact Brown, and the company management, knew of specific shortcomings in the company's controls, as well as the elevated level of risk the company faced at the time.

The complaint alleges that, for example, 'a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.'

Similarly, the SEC alleges that in 2018 and 2019 presentations, Brown stated that 'the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”'

The SEC claims that Brown was aware of the vulnerabilities and risks but failed to adequately address them or, in some cases, to escalate them further within the company.

There's a lot more in the SEC's press release and doubtless in the court filings.

There's a lesson in this for CISOs everywhere. We have long recommended the involvement of both security personnel - who can assess the strength of controls and the likelihood of vulnerability exploitation - and the relevant information asset owners - who can assess loss magnitude or impact - in both the evaluation of risk and, very importantly, the selection of controls which will mitigate risk to a level acceptable to the information asset owner. What constitutes an acceptable level of risk is a business decision, not a security one, and it needs to be balanced against opportunities which lie firmly on the business side of the risk taxonomy - so it is a decision that the information asset owner has to make.

What this suit makes clear is that fines and judgements are an increasingly significant component of breach impact. The result should be a new clarity of thought about cyber risk management and an increased willingness of management to engage in the process. With this increased impact should come an increased willingness to fund controls.

All this gives a bit more leverage for security professionals to get the job done properly. But as an added incentive for honesty and clarity all round, I'd suggest capturing all risk acceptance decisions formally - if not on paper, then at least with an email trail. You never know when this could prove useful.

SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures, press release, 30 October 2023. Available online at https://www.sec.gov/news/press-release/2023-227.



These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.