July 2, 2021 Password Lessons: SolarWinds Supply Chain Attack

The COVID-19 pandemic upended every aspect of day-to-day life in the past year – and the supply chain is no exception.

By Dan DeMichele, VP of Product, LastPass by LogMeIn

When states and nations around the world adopted stay-at-home orders, it quickly caused large-scale disruptions as limitations were enforced around in-person operations and increased demand for specific products. In fact, 94 percent of the world’s largest companies reported disruption to their supply chain due to the pandemic. Now the world understands just how important physical supply chains are to our way of life.

Capitalizing on the chaos, cybercriminals looked for ways to exploit the COVID-19 crisis and its vulnerabilities to access personal and data-sensitive information. Thus, causing an organizations’ entire network to be a rising target for cyberattacks.  

Recent catastrophic attacks on the Colonial Pipeline, SolarWinds and the Microsoft Exchange demonstrate the growing threat and frequency of related cybersecurity supply chain attacks on critical infrastructure. These attacks serve as a great reminder of why managing cyber supply chain risks is essential to securing organizations and their networks effectively. It is also a reminder that the risk is not singular and other organizations within your ecosystem are also vulnerable.

Security is only as strong as the weakest link

Forgoing basic security practices can leave organizations in your ecosystem defenseless to bad actors. During the SolarWinds supply chain attack hearings, the former CEO blamed an intern for the weak password, “Solarwinds123,” that allowed Russian hackers to spy on multiple federal government agencies. This event serves as a massive wake-up call that you may have the most robust security in the world, but it only takes one careless event to decode all of the security protocol. 

To mitigate these threats to the supply chain, organizations must understand why enforcing good security hygiene is essential to secure customers, partnering vendors or suppliers effectively. Having poor security in place can create a domino effect – impacting multiple suppliers down the chain. 

We saw this happen firsthand with the SolarWinds attack, as hackers gained entrance through a backdoor vulnerability, opening access to data from a multitude of government agencies. Cybercriminals intentionally target these suppliers as a stealthy way to compromise information, impacting maximum casualties with minimal effort. These types of attacks can happen to everyone, and eliminating the weakest link is nearly impossible. Instead, organizations must practice good security hygiene to minimize the security risks at play. 

Overlooking security is no longer an option

Implementing better security within third-party organizations does not have to be complicated. Improving something as simple as password behavior can begin to increase an organization’s overall security, especially when 80% of breaches are related to weak passwords. With passwords playing a pivotal role in protecting business information and enhancing overall security efforts, many individuals and organizations continue to neglect best practices, like not re-using passwords across websites, leaving their organization vulnerable to an attack. 

To avoid becoming a victim of a supply chain attack, the following best password practices help encourage stronger security within third-party organizations:

• Adopting a business password management solution – Selecting the right password manager offers organizations a safe home for employees to store passwords. Additionally, it provides a seamless login experience using unique and randomly generated passwords.
• Installing multifactor authentication to improve security – Implementing additional login requirements like multifactor authentication (MFA) helps decrease the chances of hackers accessing important information. 
• Educating employees on best password techniques – Understanding the importance of security begins with education. All organizations must make security awareness and training a top priority. Helping employees understand the “why” will go a long way in helping prevent information from falling into the wrong hands.

Looking ahead to a post-pandemic world

While it’s been a volatile year, we can anticipate that even with the chaos easing, cybercriminals will continue to target supply chain and third-party organizations. Although supply chain security may seem like a daunting task, enforcing simple best practices such as better password management can help third-party organizations avoid SolarWinds-like attacks.

About the Author:
Dan DeMichele is the vice president of product management for the market-leading password manager, LastPass at LogMeIn. Dan has more than 20 years of experience leading both development and product management software teams for small startups and large corporations, bringing disruptive technologies to market and achieving commercial success. Prior to joining LogMeIn, Dan led product management at IBM, building out all consumable data and analytics services for Watson Cloud. He also held previous product leadership roles at Cloudant, IBM (Coremetrics), Unica, BEA, and Plumtree Software.

Subscribe to Industry Today