Wed | Jun 23, 2021 | 11:59 AM PDT

As investigations into the SolarWinds cyber incident continue, more information is becoming publicly available. 

We are slowly getting a better understanding of what happened and learning how to better protect ourselves from a breach like this in the future.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently wrote a letter to Senator Ron Wyden, responding to some questions he previously asked the Agency regarding the SolarWinds breach.

CISA mentions that firewalls could have been used to neutralize the malware, limiting the impact of the breach.

Senator Wyden questions CISA on SolarWinds

Here is one of the questions from the senator on how firewalls could have been used:

"SolarWinds' CEO informed my office in a recent briefing that there was no need to permit servers running SolarWinds' Orion software to connect to any unknown server on the internet and that the functionality provided by allowing the SolarWinds Orion software to contact solarwinds.com was limited. Does CISA agree that the SolarWinds malware could have been neutralized had victim agencies placed firewalls in front of the servers running SolarWinds Orion and configured them to block outgoing connections to the internet?"

And the subsequent response from CISA:

"CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the malware. While CISA did observe victim networks with this configuration that successfully blocked connection attempts and had no follow-on exploitation, the effectiveness of this preventative measure is not applicable to all types of intrusions and may not be feasible given operational requirements for some agencies."

While this would have neutralized the attack, CISA cannot require agencies to do so.

"It would be impractical for CISA to direct individual agencies to adopt specific network and device configurations on a broad scale, particularly given the unique operational requirements of each agency. However, CISA is continuously evaluating opportunities to use binding operational directives or other authorities to drive
appropriate security measures, including to adopt risk-based configuration practices."

Network segmentation in cyber defense

At SecureWorld's virtual conferences, security leaders often talk about network segmentation as a key part of cyber defense, limiting the movement of hackers within a network.

Wyden asked CISA about this, and their statement seems to align with that thinking.

"CISA has long recommended that agencies segment and segregate their internal networks, which makes it more difficult for intruders to move around and gain access to an organization's most sensitive information. What percentage of federal agencies subject to CISA's cybersecurity authority have implemented this advice?

CISA does not presently have data regarding the percentage of agencies that have segmented and segregated their internal networks. CISA continues to develop and promulgate guidance to encourage network segmentation, including to drive adoption of
zero trust architectures."

To learn more about the SolarWinds breach, the response, and the questions from Senator Wyden, read CISA's response letter.

Comments