Large Number of Vendors Reported Using SolarWinds: Have you asked the right questions?
In December 2020, when SolarWinds, a company that makes network monitoring software, reported that SolarWinds Orion products had been corrupted with malware, United States federal agencies and organizations scrambled to measure any potential exposure. Privva’s clients, however, were able to quickly distribute a breach impact survey to their third-party vendors to determine their potential exposure. The survey was sent out to 1,000+ vendors, and responses came back immediately, allowing our clients to focus their attention right away on where they were impacted. 25% of these vendors have reported that they have SolarWinds-related products. By helping clients assess their third-party vendors, Privva has given them a tangible understanding of how the breach has impacted their organizations.
If you have not yet assessed your third-party vendors, it is time to take advantage of a vendor risk management program. The SolarWinds Orion breach is only getting worse, and it has affected far more networks than originally believed. Hackers have gained access to the networks of 250 federal agencies and organizations. The impact continues to expand: the US Cybersecurity and Infrastructure Security Agency required all United States federal agencies to update their software to the 2020.2.1HF2 version because new vulnerabilities were found. The initial vulnerability, codenamed Sunburst, was code hidden in a software update. Now the newest malware vulnerabilities, Supernova and CosmicGale, could allow a remote attacker to execute API commands.
With more attacks being discovered and more organizations being impacted by the breach, it is apparent how important it is to have a vendor risk management program in place. While no organization is immune to risks and vulnerabilities, a vendor risk management program can help organizations assess their vendors yearly and react quickly to emerging vulnerabilities. Assessing vendors yearly gives organizations a defined outline of the risks their third-party vendors could impose on them and allows them to select third parties that don’t impose certain risks. To find out more about how you can optimize your vendor risk management program and survey your vendors to determine the impact of the SolarWinds Orion breach, please contact us at email@example.com.
For continued updates on the SolarWinds Orion breach, please visit https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software.
Disclaimer: Data is estimated based on communication with enterprise partners and not validated by Privva.