SolarWinds CISO Sued for Fraud by US SEC
2023-11-01 01:18:32 Author: securityboulevard.com

[Image: a LASCO C2 coronagraph image of a coronal mass ejection (CME) blasting more than a billion tons of matter into space at millions of kilometers per hour.]

SUNBURST still reverberates as SolarWinds CISO Timothy Brown co-defends SEC lawsuit.

One of the worst security incidents ever is the subject of legal action by the U.S. Securities and Exchange Commission. The agency alleges SolarWinds and its chief information security officer ignored repeated warnings about its insecure software, misleading investors by concealing the facts.

Brown and company deny wrongdoing. In today’s SB Blogwatch, we criticize both sides (but not the intern).

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Take the Soul Power back.

The Password was solarwinds123

What’s the craic? Chris Prentice, Jonathan Stempel and Raphael Satter report—“SEC sues SolarWinds for concealing cyber risks”:

I want to throw up
The [SEC] sued software company SolarWinds Corp. … and its top information security executive, saying they defrauded investors by hiding cybersecurity weaknesses during a massive hack. [It] accused SolarWinds and Timothy Brown, [the] CISO, of repeatedly violating U.S. securities laws by concealing vulnerabilities and cyber events in regulatory filings and other company statements.

SolarWinds, based in Austin, Texas, slammed the regulator’s “overreach” and pledged to fight the charges in court. It said the charges were “unfounded.” … Alec Koch, a lawyer for Brown, said his client performed his job with “diligence, integrity and distinction.”

Authorities said Brown internally discussed known risks and vulnerabilities but painted a starkly different portrayal to the public, even as customers including a federal agency alerted SolarWinds to malicious activity. … According to the SEC, the problems prompted one SolarWinds employee to say in October 2020: “We’re so far from being a security minded company. Every time I hear about our head geeks talking about security I want to throw up.”


More detail, please? Jonathan Greig obliges—“SEC charges SolarWinds CISO with fraud”:

A very vulnerable state
The complaint … centers on violations of the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934. … The SEC said between its October 2018 initial public offering through at least its December 2020 announcement of the hack, SolarWinds “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company. … Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment,” … said Gurbir Grewal, director of the SEC’s Division of Enforcement.

According to the SEC, internal reports shared with Brown said SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the issues “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. The SEC said it has evidence that presentations by Brown in both 2018 and 2019 said the “current state of security leaves us in a very vulnerable state.”

What does the company have to say for itself? Replacement CEO Sudhakar Ramakrishna firmly defends the firm—“We Must Not Risk Our Progress”:

Evolving industry standards
When I joined SolarWinds just days after the company learned of SUNBURST, my immediate focus was supporting our customers as we quickly contained, remediated, and eradicated the issue. … How we responded to SUNBURST is exactly what the U.S. government seeks to encourage. So, it is alarming that the … SEC has now filed what we believe is a misguided and improper enforcement action.

SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards. … The actions we have taken over the last two and a half years motivate us to stay the course and to push back against any efforts that will make our customers and our industry less secure.

The SEC is suing for vulns now? That’s not the point, says blakesterz, who has this neat summary of the allegations against Mister Brown:

If I’m reading that right, he knew things were “not very secure.” And part of his role was to disclose that. And he didn’t.

But did he know? Just because a single employee told him? Frank Bitterlich thinks that’s irrelevant:

There clearly was a security problem, which they didn’t recognize, understand, or detect. So the warnings of that individual were accurate. If the C-suite declares the company and products “secure” and they are not, they will take the heat for it.

Is that fair, though? Here’s a slightly sweary u/rake-alert:

If you go around in any organization and find some random subordinate … you’ll always have one or two who will without fail tell you “we’re ****ed up” from a cybersecurity perspective. … If you want to go looking for skeletons in closets, then boy do I have some news for you.

Nobody can fully communicate or put into words how much risk there is. Everyone got caught skinny dipping when the tide went out.

All this is going to do is make a chilling effect in industry. … Everything off the record because apparently doing your job is going to straight up **** you.

So it boils down to transparency? sheph calls it as they see it:

After Sunburst happened, I went to download … Orion and it had the same version number but the hash was different from the week before. They were quietly fixing things in the background and not letting anyone know. I understand the desire to protect the company, and shareholder value [but] trying to cover things up just makes it worse. It came out later on that they were compromised for at least a year. … So it’s not really a surprise to me that the SEC is taking this stance.
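The observation above (same version number, different file hash a week later) is exactly the signal a pin-on-first-use manifest is built to catch. The following is an added example, not SolarWinds code and not anything from the original post: it records the SHA-256 of each (product, version) the first time an installer is fetched and reports "drift" when a later download of the same version hashes differently. The product name "Orion" comes from the page; the version string, the installer bytes and the manifest path are constructed for the demo.

```python
"""Detect a silently re-released artifact: same version string, different hash.

Added example (not SolarWinds code). The artifact bytes and version below are
constructed for the demo; in practice you would feed it real downloads.
"""
import hashlib
import json
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ArtifactPins:
    """Pin-on-first-use manifest mapping 'product@version' -> sha256 hex."""

    def __init__(self, pins=None):
        self.pins = dict(pins or {})

    @classmethod
    def load(cls, path):
        # Missing manifest means nothing is pinned yet (first run).
        p = Path(path)
        return cls(json.loads(p.read_text()) if p.exists() else {})

    def save(self, path):
        Path(path).write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, product: str, version: str, data: bytes) -> str:
        """Return 'new' (pinned now), 'match' (same bytes) or 'drift' (same
        version, different bytes). Drift is not proof of tampering, but it
        demands an explanation from the vendor before the artifact is deployed.
        """
        key = f"{product}@{version}"
        digest = sha256_hex(data)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = digest
            return "new"
        return "match" if pinned == digest else "drift"


# Constructed sample: four fetches of an installer, the third being a quiet
# re-release under an unchanged version number (hypothetical version "1.2.3").
SAMPLE_DOWNLOADS = [
    ("Orion", "1.2.3", b"installer bytes, week 1"),
    ("Orion", "1.2.3", b"installer bytes, week 1"),
    ("Orion", "1.2.3", b"installer bytes, week 2, quietly patched"),
    ("Orion", "1.2.4", b"installer bytes, new version"),
]


def run_sample():
    """Run the constructed downloads through a fresh manifest; returns verdicts."""
    pins = ArtifactPins()
    return [pins.check(p, v, d) for p, v, d in SAMPLE_DOWNLOADS]


if __name__ == "__main__":
    for (product, version, _), verdict in zip(SAMPLE_DOWNLOADS, run_sample()):
        print(f"{product}@{version}: {verdict}")
```

A drift verdict should block rollout until it is reconciled against a vendor advisory or a signed release manifest; a vendor that ships different bytes under the same version with no announcement has, at minimum, broken the reproducibility that makes the version number meaningful.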

Wait. Pause. Is Brown really a “CISO”? PumpkinSpice elaborates thuswise:

In most public companies, CISOs are not “real” C-level positions. They’re not considered “directors and officers” of the company in the sense of the securities law. … “Directors and officers” are a special legal category, basically the highest-ranking people making material decisions about the business.

They are subject to special reporting requirements, such as having to file paperwork whenever selling or buying stock. … We’re talking about the CEO, CFO, CTO, and so on. This is … completely separate from the “director” job level at a typical tech company, which is basically just a senior manager of a large team or maybe the lead of a mid-size department. Your average CISO is probably in this ballpark, commonly at least 2-3 reporting levels below real C-leadership.

The SEC wants to change this culture and have a designated person meaningfully responsible for infosec risk. … I’m betting that just like in the case of Uber, the CISO will end up in trouble, while all the execs will get to claim ignorance and walk free.

Lest we forget, there were some really fundamental problems with Orion. As coofercat recalls:

SolarWinds software was a security nightmare from top to bottom. To install the client agent, the “recommended” method was to give the Orion server the root password to the client — it would then log on and do who-knows-what to install the agent. You could then go change the root password, but it wouldn’t have any real effect because the agent ran as root. The server had command-and-control and an “open a shell” feature where you could get a root shell on any client device. It also had the means to deploy arbitrary code and execute [it].

You couldn’t even have a proper compliance audit of what the agent had done to your system, much less lock it down with configuration management. [But] that would have made almost no difference, given it had root access and arbitrary code execution abilities.

The SEC case is … about things [SolarWinds] officially told the markets about their internal processes and capabilities — nothing more. [It] is nothing to do with this braindead implementation. … It’s only to do with the things they told the market about it.

Meanwhile, u/glitterallytheworst heard something drop:

Oh hey, there’s the other shoe.

And Finally:

Rage van Brown



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: NASA


Source: https://securityboulevard.com/2023/10/solarwinds-ciso-sued-sec-richixbw/