SolarWinds and its CISO have been accused by the U.S. Securities and Exchange Commission (SEC) with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities relating to the compromise of its Orion software update mechanism in 2020.<\/p>\n
\u201cWe allege that, for years, SolarWinds and [chief information and security officer Timothy] Brown ignored repeated red flags about SolarWinds\u2019 cyber risks, which were well known throughout the company and led one of Brown\u2019s subordinates to conclude: \u2018We\u2019re so far from being a security minded company,\u2019\u201d Gurbir Grewal, director of the SEC\u2019s division of enforcement, said in a statement.<\/p>\n
\u201cRather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company\u2019s cyber controls environment, thereby depriving investors of accurate material information. Today\u2019s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company\u2019s \u2018crown jewel\u2019 assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.\u201d<\/p>\n
Exploiting an opportunity, a Russian-based group some researchers call Nobelium was able to infect an Orion update that could have been downloaded by 18,000 customers. SolarWinds maintains<\/a> that fewer than 100 organizations installed the infected update and then were themselves hacked. Those organizations included U.S. government departments.<\/p>\n In its statement Monday, the SEC alleged that from at least its October 2018 initial public share offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed \u201cSUNBURST,\u201d SolarWinds and Brown defrauded investors by overstating SolarWinds\u2019 cybersecurity practices and understating or failing to disclose known risks.<\/p>\n In its filings with the SEC during this period, the regulator said, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds\u2019 cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.<\/p>\n SolarWinds\u2019 public statements about its cybersecurity practices and risks were allegedly at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds\u2019 remote access set-up was \u201cnot very secure\u201d and that someone exploiting the vulnerability \u201ccan basically do whatever without us detecting it until it\u2019s too late,\u201d which could lead to \u201cmajor reputation and financial loss\u201d for SolarWinds.<\/p>\n Similarly, the SEC alleges, 2018 and 2019 presentations by Brown stated, respectively, that the \u201ccurrent state of security leaves us in a very vulnerable state for our critical assets\u201d and that \u201c[a]ccess and privilege to critical systems\/data is inappropriate.\u201d<\/p>\n Multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company\u2019s ability to protect its critical assets from cyberattacks, the SEC complaint alleges. For example, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was \u201cvery concerning\u201d that the attacker may have been looking to use SolarWinds\u2019 Orion software in larger attacks because \u201cour backends are not that resilient,\u201d and a September 2020 internal document shared with Brown and others stated, \u201cthe volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.\u201d<\/p>\n The SEC\u2019s complaint alleges that Brown was aware of SolarWinds\u2019 cybersecurity risks and vulnerabilities, but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.<\/p>\n The SEC alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; that SolarWinds violated reporting and internal controls provisions of the Exchange Act; and that Brown aided and abetted the company\u2019s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.<\/p>\n The charges are allegations that have not been proven in court.<\/p>\n In a statement<\/a>, SolarWinds CEO Sudhakar Ramakrishna said it \u201cis alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.<\/p>\n \u201cThe truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.\u201d<\/p>\n The post SolarWinds allegedly misled public on its security before Sunburst cyberattack: SEC<\/a> first appeared on IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Regulator alleges company painted a false picture of its cyber controls; SolarWinds CEO calls charges<\/p>\n","protected":false},"author":17,"featured_media":20696,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[355,16],"tags":[391,120,275],"class_list":["post-42519","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-legal","category-security","tag-di","tag-solarwinds","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/42519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=42519"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/42519\/revisions"}],"predecessor-version":[{"id":42686,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/42519\/revisions\/42686"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20696"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=42519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=42519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=42519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}RELATED CONTENT: SolarWinds to pay US$26 million over Orion compromise<\/a><\/h4>\n
RELATED CONTENT: How the attackers concealed their movements<\/a><\/h4>\n
RELATED CONTENT: More malware involved, new backdoor found<\/a><\/h4>\n