The last few months have been crazy when it comes to cybersecurity. It started with the SolarWinds Orion security breach. The software used by a vast majority of enterprise customers in the world was altered to include a malicious payload. This altered version was then disseminated to the world through SolarWinds update servers.
The initial guidance of many in the information security community, including the US-CERT, was to immediately shut down all SolarWinds Orion servers and leave them off. This was the right thing to do at the time.
This week the town of Oldsmar, Florida was targeted by a bad actor who gained access to their water treatment plant’s SCADA system. The actor used TeamViewer to remotely control the SCADA control PC. While doing so they increased the amount of sodium hydroxide (lye) put into the treated water. The amount would have poisoned the town’s water supply. Thankfully the operator on duty noticed the change and corrected it quickly.
The details of this attack aren’t yet fully known, but it is reported that the TeamViewer installed on the machine was using a simple username and password combination without MFA. This is a common, albeit insecure, configuration of the TeamViewer software. My speculation is that there will be more details coming out that will indicate a chain of events, probably including a compromise of a third party that used TeamViewer to support the SCADA system.
In both of these attacks, the response has been quick to vilify the software used. In TeamViewer’s case, it’s always been targeted by cybersecurity teams as a problem, but it’s one of those applications that seems to be ubiquitous in most environments. Mostly this is because it is easy to use, and many organizations rely on it to support their customers.
I hold the potentially unpopular opinion that we can’t always just say “throw it out.” Cybersecurity is a spectrum between secure systems and allowing business processes to function. We can make a completely secure system by powering it off, encasing it in concrete, and dumping it into the Mariana Trench, but that system isn’t able to support the business. Likewise, we could remove all barriers to the business being able to do their work, but this would quickly lead to a massive breach.
Even if every instance of SolarWinds and TeamViewer is eliminated from a corporate network, the needs that they filled will still exist. Instead of SolarWinds maybe they will use PRTG or another competitor. TeamViewer might be replaced with a competitor like LogMeIn. In either case the replacement could be just as vulnerable as the original. It’s not possible to say to the business that they have to just not fill these roles. Monitoring systems and remote access for support are both needed to maintain business processes.
A worse prospect is that by blocking tools, the business will circumvent security and IT altogether. Shadow IT is worse than any application. It’s better to know what is being run. At least then you can put controls around the application.
Breaches make great headlines. IT professionals, though, should take the time to make reasonable decisions about long-term responses. Proper procedures, controls, and audits are the way to go. No network is completely secure. In fact, we need to assume that EVERY network will be compromised. Our job is to minimize the damage. My company has an internal motto of “Negative One Trust” in all that we do. Zero Trust is possible and should be the goal. Yes, it’s painful at times to implement, but the benefits outpace that pain.
Look at your traffic, north-south and east-west. Should your SolarWinds server be talking directly to an external DNS server? Should those DNS packets contain data that’s not DNS? We have to look for the anomalies and block them. The days of trusting all traffic from our internal hosts are past. We must trust but verify!
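As an added example (not code from the original post), here is a small Python check that applies the two questions above to DNS query logs: is an internal host talking to a resolver other than the sanctioned one, and does a query name look like it is carrying encoded data rather than a hostname? The log format, the approved resolver address (10.0.0.53), the hostnames and IPs, and the length and entropy thresholds are all constructed assumptions for illustration; tune them against your own baseline before trusting the results.

```python
# Added example: flag DNS queries that go to an unapproved resolver or whose
# labels look like encoded data. Log lines, addresses and thresholds are
# constructed for illustration, not taken from any real environment.
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

APPROVED_RESOLVERS = {"10.0.0.53"}  # assumption: the only sanctioned internal resolver
MAX_LABEL_LEN = 40                   # assumption: labels longer than this are unusual here
ENTROPY_THRESHOLD = 3.5              # assumption: bits/char above which a label looks encoded
MIN_ENTROPY_LABEL_LEN = 16           # skip entropy scoring on short labels (too noisy)

# Constructed log format: "<timestamp> <src> -> <dst> Q <qname>"
SAMPLE_LOG = [
    "2021-02-10T09:00:01 10.0.5.20 -> 10.0.0.53 Q updates.example-vendor.com.",
    "2021-02-10T09:00:02 10.0.5.20 -> 203.0.113.5 Q time.example-vendor.com.",
    "2021-02-10T09:00:03 10.0.5.20 -> 203.0.113.5 Q "
    "3f9c1b7e0d2a5864a4e7f2b1c9d0385609cdf13b7a2e6485.c2.example-attacker.net.",
    # Same encoded label, but sent through the approved resolver: the resolver
    # check alone would miss this, the label checks still catch it.
    "2021-02-10T09:00:04 10.0.5.21 -> 10.0.0.53 Q "
    "3f9c1b7e0d2a5864a4e7f2b1c9d0385609cdf13b7a2e6485.c2.example-attacker.net.",
]


@dataclass
class DnsQuery:
    src: str
    dst: str
    qname: str


def parse_line(line: str) -> DnsQuery:
    """Parse one line of the constructed log format into a DnsQuery."""
    parts = line.split()
    return DnsQuery(src=parts[1], dst=parts[3], qname=parts[5].rstrip("."))


def shannon_entropy(s: str) -> float:
    """Bits per character of s; hostnames score low, hex/base32 blobs score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def check_query(q: DnsQuery) -> List[str]:
    """Return the list of rule names this query trips (empty if it looks normal)."""
    findings = []
    if q.dst not in APPROVED_RESOLVERS:
        findings.append("unapproved-resolver")
    labels = q.qname.split(".")
    # Ignore the registrable domain and TLD; look only at the host-controlled labels.
    if any(len(label) > MAX_LABEL_LEN for label in labels[:-2]):
        findings.append("long-label")
    leftmost = labels[0]
    if len(leftmost) >= MIN_ENTROPY_LABEL_LEN and shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
        findings.append("high-entropy-label")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Run every log line through the rules; keep only the ones with findings."""
    flagged = []
    for q in map(parse_line, lines):
        findings = check_query(q)
        if findings:
            flagged.append((q.src, q.dst, q.qname, findings))
    return flagged


if __name__ == "__main__":
    for src, dst, qname, findings in scan(SAMPLE_LOG):
        print(f"{src} -> {dst} {qname}: {', '.join(findings)}")
```

The fourth sample line is the one worth noticing: encoded data in query names usually rides through the normal internal resolver, which then forwards it out, so a rule that only asks "is this host talking to an outside DNS server?" would never see it. Both kinds of check are needed, and both should feed the same place your east-west and north-south flow data already go.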