It looks like a nation-state attacker found a loophole and hacked its way into US government computers. While the damage is still being assessed, startups can learn lessons right now from the cyber-attack.
Group Think Is Fail Think
“Everyone is using this software, it must be safe.” Famous last words. While sometimes there is safety in numbers, this is not the case when it comes to cybersecurity. Ignore the crowd and research the protocols, software, policies, best practices and response techniques within your startup yourself.
Imagine the US government agency CISOs who said, “50 other government agencies are using SolarWinds, we’ll be fine.”
Once you decide to skip group think and go against the grain, what can you do?
Run Your Own Penetration Tests
Rather than relying on what others do, your startup should run penetration tests on its own systems, especially on third-party software and code. Don’t convince yourself that others already did it and that everything is probably fine. If you don’t have an in-house penetration testing team, hire one.
Penetration tests are similar to live-fire military exercises. For those unfamiliar with the term, “pen testing” teams are “kosher hackers” who look for weaknesses within your system. They are the good guys who hack in order to breach your system before someone else does. Perhaps a good penetration testing team would have found the malware in external software within government agencies.
Beware of Your Supply Chain
As a startup, you always aspire to a sense of control; control over your computers, servers and everything that goes through your network. You probably have hired and trained an excellent team of programmers, DevOps engineers and QA testers. What they build is par excellence.
The Achilles’ heel is in your supply chain. In this case, supply chain means the software and code that you inherit: things you never built yourself.
In some cases, that means Windows 10. Did you know that Windows often grants excessive privileges to newly created users? Your admins may constantly create new users for different purposes. Are they checking those users’ privileges and overriding over-reaching defaults?
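One way to do that check on a Windows 10 host, as an added example that is not part of the original post: list every local user account that sits in a privileged local group, so an admin can see at a glance which newly created accounts ended up with more than standard-user rights. It assumes PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module; the group list is a starting point, not an exhaustive one.

```powershell
# Added example (not from the original post): audit local user accounts that hold
# membership in privileged local groups, so over-reaching defaults can be reviewed.
# Assumes Windows 10 with PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
# Run from an elevated prompt so group membership is fully readable.

# Groups whose membership grants more than standard-user rights (assumed starting list).
$privilegedGroups = @('Administrators', 'Remote Desktop Users', 'Backup Operators')

$findings = foreach ($group in $privilegedGroups) {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        # Group does not exist on this edition of Windows; skip it.
        continue
    }

    foreach ($m in $members) {
        # Only locally created user accounts are of interest here: domain groups
        # and well-known built-ins are managed elsewhere.
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $user = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Group           = $group
                Account         = $m.Name
                Enabled         = $user.Enabled
                LastLogon       = $user.LastLogon
                PasswordLastSet = $user.PasswordLastSet
                # RID 500 is the built-in Administrator; everything else was added by someone.
                BuiltIn         = $m.SID.Value.EndsWith('-500')
            }
        }
    }
}

# Accounts that are not the built-in Administrator but still hold privileged
# membership are the ones to question: did they really need it?
$findings |
    Where-Object { -not $_.BuiltIn } |
    Sort-Object Group, Account |
    Format-Table Group, Account, Enabled, LastLogon, PasswordLastSet -AutoSize
```

Disabled accounts and accounts that have never logged on but still sit in Administrators are worth removing from the group first, since they add exposure without serving any current purpose.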
In other cases, you need to use a software package in order to work with external vendors. In hacking terms, an attacker or attacker group may first compromise a supply chain vendor and then, step by step, move laterally from that foothold into your system. The first attack may not be within your system at all: it likely originates outside your network, in code that you never wrote.
From a hacker’s standpoint, there is a lot more ROI in breaching a widely used supply chain system than in attacking new code that runs on a single system.
Limit Your Startup’s Exposure
Implement what you really need and not everything you want. Do you really need every single type of supply chain or communication software on your network? The less outside code you have, the less your startup is exposed.
Take a hard look at the outside software/SaaS systems in use and cross reference them with your startup’s essential needs. Every piece of external code that you remove is one less highway to your crown jewels.
Have Incident Response Ready-to-Go
Incident response teams are trained to handle hacking emergencies. They are the SWAT teams of cybercrime. A good incident response team can mitigate a cyber attack within hours or days, as opposed to an untrained team which can take weeks.
When it comes to cyber attacks, time isn’t only money, time is security.