Perspectives on the SolarWinds Incident

“…Members of the IEEE Security & Privacy editorial board described the attack as the result of inadequate cyber defenses, an exploit of insiders, and an exploit of privileges in the software supply chains (Peisert et al, 2021). These professionals pointed out several revelations about the attack including that: network management software is not secure, adding more tools does not add enhanced security, security procedures are designed for first-party software, and that software supply-chain attacks are as important as,if not more importanthan hardware supply-chain attacks (Peisert et al, 2021). They also stated that although combining software code and libraries from various sources may be a good approach for developing tools quickly and inexpensively; it may not be quite as effective with regard to developing tools securely.…”

“…They also stated that although combining software code and libraries from various sources may be a good approach for developing tools quickly and inexpensively; it may not be quite as effective with regard to developing tools securely. (Peisert et al, 2021).…”

“…Bruce Schneier, a cybersecurity professional, stated that the software that is managing our critical networks is not secure because the market does not reward security . Hamed Okhravi, another cybersecurity professional, indicated that with every new tool, while it might reduce parts of the attack surface, it also adds a new attack surface: vulnerabilities within the tool itself become a new possible vector of compromise for the system (Peisert et al, 2021). A system can likely become more secure by removing its unnecessary services, libraries, and features, to shrink its attack surface.…”

“…A system can likely become more secure by removing its unnecessary services, libraries, and features, to shrink its attack surface. (Peisert et al, 2021) Carl Landwehr, another professional, offered that a possibility for preventing such attacks might be to develop tools that would help consumers of updates assess their security more deeply than merely checking that a digital signature is valid (Peisert et al,2021). From cybersecurity professional Mohammad Mannan's perspective, security products should not harm and should be designed with failure in mind identical to the scrutiny placed on the development of medicines.…”

“…From cybersecurity professional Mohammad Mannan's perspective, security products should not harm and should be designed with failure in mind identical to the scrutiny placed on the development of medicines. (Peisert et al,2021) In another observation, James Bret Michael indicated that although precautionary measures must be applied in response to the SolarWinds attack, overreaction by governments could have a profoundly negative effect on global innovation (Peisert et al, 2021). Therefore, new approaches to security should be explored "in the near-(e.g., cloud hypervisors pushing security rather than individual customers patching or not), mid-(e.g., zero-trust, or something like it), and long-term (e.g., quantumbased approaches)" (Peisert et al, 2021).…”

Enterprise Risk Management Post Solar Winds Hack

“…Members of the IEEE Security & Privacy editorial board described the attack as the result of inadequate cyber defenses, an exploit of insiders, and an exploit of privileges in the software supply chains (Peisert et al, 2021). These professionals pointed out several revelations about the attack including that: network management software is not secure, adding more tools does not add enhanced security, security procedures are designed for first-party software, and that software supply-chain attacks are as important as,if not more importanthan hardware supply-chain attacks (Peisert et al, 2021). They also stated that although combining software code and libraries from various sources may be a good approach for developing tools quickly and inexpensively; it may not be quite as effective with regard to developing tools securely.…”

“…They also stated that although combining software code and libraries from various sources may be a good approach for developing tools quickly and inexpensively; it may not be quite as effective with regard to developing tools securely. (Peisert et al, 2021).…”

“…Bruce Schneier, a cybersecurity professional, stated that the software that is managing our critical networks is not secure because the market does not reward security . Hamed Okhravi, another cybersecurity professional, indicated that with every new tool, while it might reduce parts of the attack surface, it also adds a new attack surface: vulnerabilities within the tool itself become a new possible vector of compromise for the system (Peisert et al, 2021). A system can likely become more secure by removing its unnecessary services, libraries, and features, to shrink its attack surface.…”

“…A system can likely become more secure by removing its unnecessary services, libraries, and features, to shrink its attack surface. (Peisert et al, 2021) Carl Landwehr, another professional, offered that a possibility for preventing such attacks might be to develop tools that would help consumers of updates assess their security more deeply than merely checking that a digital signature is valid (Peisert et al,2021). From cybersecurity professional Mohammad Mannan's perspective, security products should not harm and should be designed with failure in mind identical to the scrutiny placed on the development of medicines.…”

“…From cybersecurity professional Mohammad Mannan's perspective, security products should not harm and should be designed with failure in mind identical to the scrutiny placed on the development of medicines. (Peisert et al,2021) In another observation, James Bret Michael indicated that although precautionary measures must be applied in response to the SolarWinds attack, overreaction by governments could have a profoundly negative effect on global innovation (Peisert et al, 2021). Therefore, new approaches to security should be explored "in the near-(e.g., cloud hypervisors pushing security rather than individual customers patching or not), mid-(e.g., zero-trust, or something like it), and long-term (e.g., quantumbased approaches)" (Peisert et al, 2021).…”

Enterprise Risk Management Post Solar Winds Hack

Aspects of resilience for smart manufacturing systems

SolarWinds Software Supply Chain Security: Better Protection with Enforced Policies and Technologies