• Stefan Bauer

Vendor Selection In Today's Security Environment


If you are responsible for protecting your company’s data, your clients’ PII, or your own intellectual property – there is always more to be done, and plenty to lose sleep over. However, your first step in security should be to make sure you have the basics covered!


There has been a large amount written about exactly what happened with the FireEye breach, and the role that a “Trojan-ized” version of a SolarWinds plugin played. It is easy to sit on the sidelines (if there even is such a thing as a sideline when it comes to internet security) and play the “how could that happen” game. Really – FireEye? Double-Down with OMG SolarWinds? There will be plenty written by people much smarter than I about “how” this actually happened, so that is really not my intent here. This is simply to highlight a few things that you should not overlook in your overall security strategy.


· Patching

· Vendor Selection

· Did I mention Patching?


Patching – Give yourself a fighting chance! So many of today’s breaches are because of broken code – RDP exploits, privilege escalation on domain controllers – you name it. The point is, if you are responsible for infrastructure – get the patches! Patching is clearly not foolproof; there are always new zero-day flaws being found. But if you are not limiting your exposure with a regular patching schedule, those zero-day flaws will soon become legacy issues that were never patched.


Vendor Selection – Let me start by asking: would SolarWinds have passed my vendor selection? – Yes. SOC2 Type II Compliance, regional data storage, Gartner reports, reviews – you name it, SolarWinds hits all the check-boxes. Does that mean any of those things are diminished and should not be viewed as key verifications when selecting a vendor? – Absolutely not. It does mean that despite the best controls and the smartest people, a nation-state attack is difficult to withstand. How transparently this situation has been handled by both FireEye and SolarWinds can only be applauded. My point: have a solid, security-first vendor selection process. It may not prevent all bad things from happening, but it will ensure that if something does happen, your vendor will be prepared, know how to communicate, and have processes/procedures in place.


Lastly – Patching. Seriously, you would be amazed at the amount of outdated software that is still running, everything from old operating systems to end-user software that puts you at risk for ransomware (please tell me you are not using Flash on your website). The breach of FireEye is likely to make ransomware even better, and to stay ahead in this cat/mouse game patching is key!