SolarWinds is a software company that primarily deals in systems management tools used by IT professionals. The most widely deployed SolarWinds product is Orion, which is a Network Management System (NMS). SolarWinds stated that its customers included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide.
During the SolarWinds attack, hackers planted a backdoor in software updates for the SolarWinds Orion platform, which could be activated when customers installed the update. A customer was the first to disclose the backdoor, which was soon called ‘Sunburst.’
The SolarWinds supply chain breach should be considered critical given that it could lead to full organization compromise. It has undoubtedly raised questions about whether your company will be impacted. To help the community understand its exposure, we have assembled a list of seven crucial questions to ask third parties in order to determine their response to this incident. See below for the questions and some possible response options to evaluate risk levels and understand potential third-party disruptions.
- Has the organization been impacted by the recent SolarWinds “Sunburst” malware cyberattack? The answer to this question should either be a ‘Yes’ or a ‘No’.
- What is the type of impact to the organization as an outcome of this cyberattack? There are four possible answers to this question:
  - Significant impact to the network, IT operations or security products: the cyberattack has caused systems or infrastructure to stop working or become unavailable, and there has been a loss of confidentiality or integrity of data.
  - High impact to the network, IT operations or security products: service availability has been periodically lost, there is the potential for some systems to periodically stop, and there has been some loss of confidentiality or integrity of data.
  - Low impact to the network, IT operations or security products: no loss of confidentiality or integrity of data, and minimal or no disruption of service availability.
  - Little to no impact on the network, IT operations or security products.
- Does it affect critical services delivered to clients? The answer to this question could either be a ‘Yes’ or a ‘No’.
- Does the organization have an incident investigation and response plan in place? This too can have four possible answers. First, the organization has a documented incident management policy. Second, the incident management policy includes rules for reporting information security events and weaknesses. Third, an incident response plan is established as part of incident investigation and recovery. Finally, incident response planning includes escalation procedures to internal parties and communication procedures to clients.
- You should also ask for a point of contact who can answer any additional queries.
- Has the organization amended existing controls or implemented new controls to rectify and mitigate the impact the cyberattack has had on the business? This question can have four answers:
  - Controls have been identified and implemented to mitigate the impact from the cyberattack.
  - Controls have been identified and are currently being implemented to mitigate the impact from the cyberattack.
  - The organization has identified which controls need to be updated or implemented, but this has not been executed yet.
  - Controls have not been, or cannot be, implemented.
- If controls are unable to be implemented, is the organization able to execute compensating controls or methods to avoid future cyberattacks? This can have two answers. First, compensating controls or workaround methods have been implemented which have mitigated the impact caused by the cyberattack. Second, the organization has not identified, or is not able to implement, compensating controls to mitigate the impact caused by the cyberattack.
SureShield is an IT risk and compliance management partner that simplifies achieving the CMMC level accreditation that companies require. It offers compliance assessment for applicable controls, provides audit support and allows maintenance of a state of continuous readiness. Check out our website for more information. Also read our blog on everything you need to know about CMMC and how to choose a CMMC partner to keep you safe.