The theme of this week’s stories: Passwords may have started it all. In testimony last Friday, former SolarWinds CEO Kevin Thompson said the password issue was “a mistake that an intern made.” “They violated our password policies, and they posted that password on an internal, on their own private GitHub account,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”
Infosec professionals focus on how blaming an intern ignores the true problem – things like insufficient credential policies and access management practices. They say this suggests an organization with systemic security issues, an ineffective security management system, and a lack of technical controls. Of course, blaming the intern – who worked there three months in 2017 – ignores the two and a half years the password was in place.
And, the SEC is now investigating SolarWinds over the insider stock trades. The largest investors in the company sold $315 million in shares days before the hack was revealed. Now, the SEC is looking into private equity firms Silver Lake and Thoma Bravo on those sales.
This week, FBI Director Christopher Wray hinted at a long, extended federal response, and indicated it would best be discussed in a classified setting. CISA’s acting director says the cleanup of the US government will take from a year to 18 months. Finally, the Government Accountability Office has released its biennial report on government programs at risk. It highlights that none of the 23 agencies reviewed have implemented best practices for identifying and mitigating IT risks.
FireEye’s CEO, in an interview with Axios over the weekend, offered this notable quote: “The next conflict where the gloves come off in cyber, the American citizen will be dragged into it, whether they want to be or not. Period. Apps won’t work. Appliances may not work. People don’t even know all the things they depend on. All of a sudden, the supply chain starts getting disrupted because computers don’t work.”
Why do we care?
There’s an idea in comedy: always punch up, never punch down. Don’t attack those who have less power than you do. Poor leadership is blaming your least powerful. An intern? The most powerful person at the company just blamed what could easily be said to be the weakest.
You should take a leadership lesson here – this is very, very poor leadership. The former CEO blaming an intern looks bad. If your system is so weak that an intern can open this exposure, you have a problem. But take away that leadership lesson: when you punch down and blame what could easily be said to be the least powerful person in your organization, it’s not a good look. It’s a lot more telling about the situation than anything else I could highlight here.