By now everyone has seen the news of the major supply chain attack against SolarWinds. If so, feel free to skip this and jump to the next paragraph; if not, a very high-level summary is as follows: originally attributed to the Russian hacking group APT29 (though questions have recently been raised about the accuracy of that attribution), SolarWinds was breached in early March and its source code was edited without its knowledge. SolarWinds approved the changes, signed the code with its certificate validating it, and pushed it to production, making it available to all customers. All code released between March and June 2020 had been maliciously altered.
The breach came to light on Sunday, Dec 13, after the same sophisticated malicious group attacked the security vendor FireEye Mandiant, who was able to trace the entry point into their network to a Trojan backdoor in the SolarWinds Orion product. That is a very brief account, and obviously a lot more is packed into the entire scenario, but the point is what follows.
Like many security vendors, SolarWinds likes to brag about who they provide services to. The page has since been removed, for the obvious reason above, but this was a screenshot of the customer page of SolarWinds.com on December 12.
Cut to the point: if your organization's name is listed on the website of a vendor with a known major vulnerability, you have automatically become a target. Minimizing OSINT is important! OSINT (Open Source Intelligence) is information that anyone can gather with a little time and effort. As employees and as IT professionals we need to be mindful of what is posted online about our place of work, and more specifically about Org IT, infrastructure and controls. While this sharing is not done with malicious intent, it can be damaging to the organization in the hands of the wrong individual.
Example: I post on my LinkedIn that I'm an expert in securing Apache 2.2 running in a Windows Server 2008 environment. The reason for posting is to demonstrate a skill set: securing old software on old, out-of-support servers. While the intent is innocent, any attacker interested in your Org would have a field day knowing there is an old, vulnerable web server sitting on your network, potentially open to the world.
Some questions to ask yourself:
- What do you post on Twitter, Facebook, Instagram, TikTok, etc.?
- What does your LinkedIn profile say about you, and more importantly about the software your Org runs?
General rules of thumb:
- Whenever a new software purchase is made, make it a point to opt out of the vendor adding your company's logo or name to the customer list on their website
- Don't discuss the products you use with competing vendors unless there is an absolute need to know; keep your cards close to your chest
- Never post a picture of an employee badge online
- Never post information specific to a system
- This is a harder one: if you are hiring a Fortinet admin there is no way to post the job listing without Fortinet info. In that instance keep it general: no version numbers, no specifics on the modules that are run
- Never post pictures of your laptop, which will again reveal the software in use
- Never post pictures of infrastructure, data centers, etc.
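The rules above (no version numbers, no system-specific details, keep product mentions general) can be turned into a pre-publication check that a comms or HR team runs over a draft job listing or social post before it goes out. The following is an added example written for this post, not the author's own tooling: the product list, regexes and the two sample listings are constructed here, and the product names are simply the ones mentioned in the post, so extend the list with your own stack.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Vendor/product names to generalize before publishing. Constructed list seeded
# from the names in the post above; extend it with the products your Org runs.
WATCHED_PRODUCTS = ["SolarWinds", "Orion", "Fortinet", "FortiGate", "Apache", "Windows Server"]
PRODUCT_PATTERNS = [re.compile(r"\b" + re.escape(p) + r"\b", re.IGNORECASE) for p in WATCHED_PRODUCTS]

# Version strings such as 2.2, 7.0.12 or v6.4 ("no version numbers").
VERSION_RE = re.compile(r"\b(?:v(?:ersion)?\s*)?\d+\.\d+(?:\.\d+)*\b", re.IGNORECASE)
# Internal-looking hostnames ("never post information specific to a system").
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:local|internal|corp|lan)\b", re.IGNORECASE)
# RFC 1918 private IPv4 addresses, which only make sense to someone already inside.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b"
)


@dataclass
class Finding:
    pos: int      # character offset in the draft, so findings can be listed in order
    kind: str     # "version", "hostname", "private_ip" or "product"
    match: str    # the offending text
    rule: str     # which rule of thumb it violates


def flag_sensitive_details(text: str) -> list[Finding]:
    """Return every detail in a draft that the rules of thumb say should not be published."""
    findings: list[Finding] = []
    # Private IPs first, so their dotted octets are not reported a second time as versions.
    ip_spans = [m.span() for m in PRIVATE_IP_RE.finditer(text)]
    for start, end in ip_spans:
        findings.append(Finding(start, "private_ip", text[start:end], "never post information specific to a system"))
    for m in VERSION_RE.finditer(text):
        if any(s <= m.start() and m.end() <= e for s, e in ip_spans):
            continue
        findings.append(Finding(m.start(), "version", m.group(), "no version numbers"))
    for m in HOSTNAME_RE.finditer(text):
        findings.append(Finding(m.start(), "hostname", m.group(), "never post information specific to a system"))
    for pat in PRODUCT_PATTERNS:
        for m in pat.finditer(text):
            findings.append(Finding(m.start(), "product", m.group(), "keep it general: describe the role, not the product"))
    return sorted(findings, key=lambda f: f.pos)


def is_safe_to_publish(text: str) -> bool:
    """True when the check finds nothing to generalize or remove."""
    return not flag_sensitive_details(text)


# Constructed sample drafts: the first is the kind of listing the post warns against,
# the second says the same thing at the level of detail the post recommends.
DRAFT_LISTING = (
    "Hiring a Fortinet admin to manage our FortiGate 7.0.12 cluster and the Apache 2.2 "
    "web tier on Windows Server 2008; systems live at 10.20.30.40 and fw01.corp.local."
)
GENERAL_LISTING = (
    "Hiring a network security administrator to manage our perimeter firewalls and web tier."
)

if __name__ == "__main__":
    for draft in (DRAFT_LISTING, GENERAL_LISTING):
        print("SAFE" if is_safe_to_publish(draft) else "REVIEW", "-", draft)
        for f in flag_sensitive_details(draft):
            print(f"  [{f.kind}] {f.match!r}: {f.rule}")
```

The check is deliberately noisy rather than clever: a false positive costs a reviewer a few seconds, while a missed version number or hostname in a public listing costs far more. Run it as a step in whatever approval flow the listing or post already goes through, and treat any finding as "rewrite this sentence more generally" rather than as a hard block.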
Keep OSINT top of mind and always remember…