SEC Charges SolarWinds CISO With Fraud and Cybersecurity Failures (securityweek.com)

wiredmikey shares a report from SecurityWeek: In a surprising development on Monday that is spooking the cybersecurity community, the SEC filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and known risks. The charges stem from alleged fraud and internal control failures related to known cybersecurity weaknesses that took place between the company's October 2018 initial public offering (IPO) and its December 2020 revelation of the infamous supply chain cyberattack dubbed "SUNBURST." [...] The SEC's complaint also points to internal communications among SolarWinds employees, including Brown, in 2019 and 2020, which raised questions about the company's ability to protect its critical assets from cyberattacks.
  • by sheph ( 955019 ) on Tuesday October 31, 2023 @08:51AM (#63968646)
    Even after Sunburst happened I went to download an ISO for Orion and it had the same version number but the hash was different from the week before. They were quietly fixing things in the background and not letting anyone know. I understand the desire to protect the company, and shareholder value. But after something like that happens transparency goes a long way. Trying to cover things up just makes it worse. It came out later on that they were compromised for at least a year and knew about it before the FBI got involved and forced them to disclose it. So it's not really a surprise to me that the SEC is taking this stance.
    • It was malice disguised as incompetence. They weren't just running an insecure system, they were actively selling prior knowledge of the exploits out the back door to the Russian mafia, and I presume also anyone else willing to listen. This may in fact be the canonical, text-book case of [should have hired me instead, fuckers], but these guys in all honesty should be on trial for treason and not just negligence.

      • (They read this site and mod me down whenever I call them out with the truth, but this is how you can tell I'm right; their guilt is on display here and now.)

        • (FBI: Incidentally, these are the types of activities I was talking about when I said you should be paying more attention here.)

    • In any sane world, SolarWinds would be bankrupt and shut down now, having failed spectacularly at its primary mission.
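The hash observation in the top comment (same version number, different hash a week later) is the case a download-pinning check exists to catch: record the digest of every artifact you vetted, and treat any later download that reuses a version string with a different digest as an event to investigate rather than a refresh to absorb. The following is an added example written for this page; it is not code from the thread, from SolarWinds or from any poster, and the "installer" byte strings, version numbers and manifest layout are constructed placeholders.

```python
"""Pin the digest of every vetted download so a re-issued build under an
unchanged version string cannot slip through unnoticed.

Added example; not code from the thread, from SolarWinds or from any
poster. The "installer" byte strings, version numbers and manifest path
are constructed placeholders.
"""
import hashlib
import hmac
import json
from pathlib import Path

# Constructed stand-ins for downloaded installer files (ISO/MSI bytes).
VETTED_BUILD = b"orion-installer 2020.2.1 build A (constructed sample)"
REISSUED_BUILD = b"orion-installer 2020.2.1 build B (constructed sample)"
NEWER_BUILD = b"orion-installer 2020.2.2 (constructed sample)"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Manifest a team commits after vetting a download: version -> digest.
PINNED = {"2020.2.1": sha256_hex(VETTED_BUILD)}


def classify(version: str, data: bytes, pinned: dict) -> tuple:
    """Compare a downloaded artifact against the pinned manifest.

    Returns (verdict, digest) where verdict is one of:
      "match"                        digest equals the pin for this version
      "unpinned-version"             version never vetted; needs review
      "same-version-different-hash"  version reused with new contents, the
                                     pattern the top comment describes
    """
    digest = sha256_hex(data)
    known = pinned.get(version)
    if known is None:
        return "unpinned-version", digest
    if hmac.compare_digest(known, digest):
        return "match", digest
    return "same-version-different-hash", digest


def pin(version: str, data: bytes, pinned: dict) -> str:
    """Record a vetted artifact. Refuses to overwrite an existing pin so a
    re-issue has to be acknowledged explicitly (remove the old pin first)."""
    digest = sha256_hex(data)
    existing = pinned.get(version)
    if existing is not None and not hmac.compare_digest(existing, digest):
        raise ValueError(f"{version} already pinned to {existing[:12]}...; "
                         f"refusing to overwrite with {digest[:12]}...")
    pinned[version] = digest
    return digest


def audit(downloads, pinned: dict) -> list:
    """Classify each (version, bytes) pair. Suitable for a scheduled job that
    re-fetches vendor downloads and alerts on any verdict other than "match"."""
    report = []
    for version, data in downloads:
        verdict, digest = classify(version, data, pinned)
        report.append({"version": version, "verdict": verdict, "sha256": digest})
    return report


def save_manifest(pinned: dict, path: Path) -> None:
    """Persist the manifest as JSON so it can live in version control."""
    path.write_text(json.dumps(pinned, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    """Load a manifest written by save_manifest; empty dict if absent."""
    return json.loads(path.read_text()) if path.exists() else {}


if __name__ == "__main__":
    rows = audit([("2020.2.1", VETTED_BUILD),
                  ("2020.2.1", REISSUED_BUILD),
                  ("2020.2.2", NEWER_BUILD)], PINNED)
    for row in rows:
        print(f"{row['version']:>10}  {row['verdict']:<28} {row['sha256'][:16]}")
```

The manifest deliberately keys on the vendor's version string rather than on the download URL, because the URL is exactly what stays constant when a build is quietly replaced; `pin` refusing to overwrite forces the re-issue to be recorded as a decision instead of disappearing into routine maintenance.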

  • Details (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 31, 2023 @08:55AM (#63968656)

    Just a reminder, this isn't about having security vulnerabilities being a crime, this is about their explicit claims about their security practices being different from their actual practices.

    Doing something stupid like leaving a default password is not a crime.
    Telling everyone you change all default passwords, when in reality you do not, is the crime.

    People always seem to focus on "zomg how can they criminalize being hit with multiple zero days, we are all teh criminals now"
    No.
    Don't lie to people that you are invulnerable to zero-days and you won't be charged for lying to people.

    • Re:Details (Score:5, Informative)

      by coofercat ( 719737 ) on Tuesday October 31, 2023 @09:13AM (#63968714) Homepage Journal

      To elaborate on this, the SEC case is indeed about things they officially told the markets about their internal processes and capabilities - nothing more.

      SolarWinds software was a security nightmare from top to bottom. To install the client agent, the "recommended" method was to give the Orion server the root password to the client - it would then log on and do who-knows-what to install the agent. You could then go change the root password, but it wouldn't have any real effect because the agent ran as root. The server had command-and-control and an "open a shell" feature where you could get a root shell on any client device (it also had the means to deploy arbitrary code and execute ad-hoc or previously deployed code).

      I once asked if there was a method to install the agent onto Linux clients "manually" - I was told that it's not recommended and not documented, not supported etc. You couldn't even have a proper compliance audit of what the agent had done to your system, much less lock it down with configuration management. As I say though, in hindsight, that would have made almost no difference given it had root access and arbitrary code execution abilities.

      The SEC case is nothing to do with this braindead implementation (in the name of convenience). It's only to do with the things they told the market about it.

  • I would love to say "good. Throw the book at the asshat", but first I'd like to know just how much decision power and ability to influence the security policy in the company he actually had. Because more often than we'd like to know, the CISO is basically some poor SOB sitting on an ejector seat with the CEO or, worse, the CIO, having the button in his hands to send him off.

    • I'm pretty sure he got hired to be the CISO because they knew he would bullshit and stretch the truth in order to make the platform seem more secure than it is. Many security engineer types are "high-integrity," meaning they won't outright lie and even avoid embellishment. The leadership, on the other hand, is usually selected for its ability to drive business outcomes. This typically comes in the form of spending less on the "cost center" of security, and then using free bullshit to still win consumer
      • Then he's no security person, he's marketing. Yes, you can abuse the CISO position for marketing, but then you absolutely deserve what's coming your way when (not if) the shit hits the fan.

        • The CISO has been a sales and marketing/technical evangelist role at many companies for a long time. Take a look at Meta's CISO Guy Rosen... doesn't even have an infosec background or a single certification!
          • by micheas ( 231635 )

            The CISO has been a sales and marketing/technical evangelist role at many companies for a long time. Take a look at Meta's CISO Guy Rosen... doesn't even have an infosec background or a single certification!

            I can't say that a lack of certification is a bad thing. Considering the amount of mindless checkbox security I've seen that makes things worse, I might even take it as a positive.

            • That might be true sometimes, but in this case if you know the history it's clear Meta's previous CISO, Alex Stamos, wasn't low integrity enough. So they made a product management VP who formerly was a startup CEO into the CISO. Maybe having at least ONE full time security dedicated position should have been required?
            • I might be biased as someone who does have security certificates hanging all over my toilet, but with all due respect, you're talking out of your rear end. You might want to differentiate between a compliance audit and a security examination. The former, yes, that's a checkbox test. Did you cross all the Ts and dot all the Is and all that stuff.

              This, though, gives you a baseline. Something to work away from. This is by no means the be-all-end-all in security. That's not the goal. That's the start.

              • Huh? I'm not even sure if your comment is responding to mine. What I said is that Meta's CISO lacks any full time security experience and came from product. Their previous CISO, Alex Stamos, was and still is an industry recognized leader in security. He left because he wanted more security around Russian disinformation. The new CISO seems to be there to remove red tape, not actually secure things.
      • by micheas ( 231635 )

        As a former CISO, the key is to not stretch the truth but provide reasons why the reality is okay.

        Question: Are you HITRUST compliant?

        Answer: No. HITRUST requires rotating passwords, contrary to NIST Special Publication 800-63B 5.1.1.1, which we do follow. We feel our security standards are appropriate for the threats to our business we expect.

        I know many of my colleagues who would stretch things to say that they are compliant for some certification or another and vendors and security teams are habituated

        • That's a fine answer but I raise you: We are fully compliant with HIPAA. However, HITRUST is a private organization not associated with CMS, nor HIPAA Omnibus nor the HITECH act. While our HIPAA program does have similar controls, we have not paid this organization to audit us according to their standards.
  • They will have to pay a meager fine, admit no fault, and business will continue as normal.
  • I can give you over a dozen degenerate 'CISO'-titled individuals currently running some of the most target-rich companies.

    How did they get there? A combination of grift, personal connections, resume padding, college network, and headhunter zeal.

    More importantly, who interviewed them? Very rarely does a senior/staff security engineer get to interview a CISO, and even when they do the feedback is ignored or tamped down so as not to be read by the CISO later.

    Most of the time its assumed they don't know how to c

    • by haruchai ( 17472 ) on Tuesday October 31, 2023 @10:39AM (#63969066)

      In this case, his LinkedIn says he has a 1987 BS in Comp Sci from Mass. College of Liberal Arts - not exactly resounding education credentials but he's not supposed to be clueless.
      He claims about 9 years total as a software engineer at Wang, among several other technical positions
      https://www.linkedin.com/in/ti... [linkedin.com]

      • by boulat ( 216724 ) on Tuesday October 31, 2023 @11:27AM (#63969214)

        Speaking of this Tim guy, here is a fun recommendation that is on top of his list:

        ---
        Joseph Kim
        CEO, Sumo Logic | Board Member
        November 13, 2020, Joseph managed Tim directly

        I had the fortune of hiring and managing Tim while at SolarWinds to start the security practice under his leadership. He is the rare, practical security executive that approaches security operations from a truly pragmatic fashion - understanding that not only company maturity matters, but also working with the rest of the security community and the company's customers. He started the practices as a single person and eventually lifted the organization to create one of the best implemented SOC and compliance offices. He also was the face of the company's security practice externally, creating the Brown Report Podcast and helping SolarWinds MSP become a leader in security for the MSP space. I highly recommend Tim for any security role - both internal or customer facing.
        ---

        Let's unpack this gem of a historic context. Joseph was an EVP of Engineering & Global CTO at that time in SolarWinds. So in 2017 when he hired Tim there was no one doing security since "he started the practices as a single person". Fast-forward 2 years, and in September 2019 the hackers gained access to SolarWinds networks and injected malicious code. Now you can argue that this could've happened to anyone, mistakes were made, etc., but what you can't argue is that this recommendation is still up there, publicly visible, 2 years after the largest security breach, and Joseph Kim still highly recommends Tim "for any security role - both internal or customer facing".

        With people like that in charge, who needs enemies.

  • Value added posting (Score:4, Interesting)

    by Oryan Quest ( 10291375 ) on Tuesday October 31, 2023 @10:34AM (#63969048)

    https://investors.solarwinds.c... [solarwinds.com]
    Lol award winning!

    and to the surprise of nobody he was of course in charge of everything his entire career. Bringing strong policy and leadership since the day he popped out of the womb. Some of us have to start entry level because of experience and some of us run the show.
    https://www.cybersecuritydive.... [cybersecuritydive.com]

    How did you get started in cybersecurity?

    ran development teams, I ran engineering teams, I built cybersecurity programs. I was one of six Dell fellows. So I really built up a lot of focus, both internally and externally for people.

    I am so tired of lifelong business, leadership, former auditors, and other pencilneck assholes somehow getting to run the show while actual career security folks get relegated to doing grunt work for less money. I don’t understand how anyone can think writing policy is a rarer or harder to acquire skill than being capable of successfully exploiting a buffer overflow in the days of ASLR and DEP.

  • Particularly in the MS SQL monitoring space, there is no other system I'm aware of, that breaks down performance issues like Solar Winds DPA. Other tools can show you system-wide issues, such as memory, disk I/O, and other such aggregate issues. But DPA uniquely (as far as I know) can tell you which specific query is causing problems, and which specific user executed it, and what specific problems that query is encountering. You can drill down into a spike last week, and research it after the fact, not just
