We all asked the same question. How could Russian hackers have breached U.S. government agencies’ information systems? The answer is, they simply jiggled the door handles and checked for open windows, the way a burglar might do to get into your home.
In this case, the bathroom window they came through was a software update from a vendor called SolarWinds. Many federal agencies and thousands of law firms and companies worldwide use SolarWinds’ Orion software to monitor their computer networks.
Almost 18,000 government agencies and businesses including law firms and IT providers, received the tainted software update from Orion between March and June of 2020.
Hackers hunting for credit card numbers, social security numbers, intellectual property, and wire transfers of money to intercept are jiggling your doors and checking your windows as well.
WHO LEFT THE WINDOW OPEN?
The bathroom window was left open by SolarWinds, the vendor. The Russians entered through the vendor’s automatic updates.
When you check the box allowing a software vendor to apply updates through patches automatically, you’re trusting that those updates were vetted and tested.
The takeaway is that you need to be assessing the vendors and the companies with whom your law firm does business. Even with Microsoft, for example, if you check the box for Microsoft to apply all the security updates automatically, you’re trusting that the vendor being accessed through Microsoft was vetted and tested, and that those patches are legitimate, authorized, and clean.
When you buy antivirus software, you’re trusting that the vendor will supply you with updates and continuous protection that is safe. That may not be the case, so you still need to have proper security layers in place before you check the box and allow them to apply updates automatically.
HOW DO YOU CLOSE THE BATHROOM WINDOW?
In my last column, I discussed how your firm or your clients would be required to have Cybersecurity Maturity Model Certification (CMMC) to do business with the U.S. Department of Defense.
To gain CMMC, you must have an accredited CMMC third-party assessor organization (C3PAO) do an assessment on your premises.
There are five CMMC levels. I recommend that law firms get accredited for level 3 or higher. At this level, you would have policies and procedures in place to protect the organization, 110 mapped security controls along with 2 forms of supporting evidence for each. If you don’t currently have a system security plan (SSP), you are at high risk and would immediately fail a NIST 800-171/CMMC Audit.
If you are not a techie, you most likely have someone on your staff who handles your IT or you outsource your IT services. I strongly recommend that you visit the cmmcab.org to enlist a CMMC certified registered practitioner (RP) like PTG to start the process of getting CMMC level 3 compliant. Don’t wait. You need to show proof and an ongoing evidence trail.
Level 3 would add many layers of cybersecurity protection. It may seem like overkill for a small or medium-size law firm, but it really isn’t. If your law firm or client is dealing with anything sensitive, it should be level 3 or higher. It is not foolproof, so it has to be tested regularly because hackers are always developing new methods to steal valuable information.
How much will it cost to get to level 3? The answer is…wait for it…it depends. It will depend on what cybersecurity and procedures you already have in place. If you don’t currently have much in place, it’s more expensive. PTG can help you identify what you have in place and what you’ll need to get certified at level 3.
If government agencies, law firms, and businesses had that layer of cybersecurity, the bathroom window and all the other windows and doors would have been locked and likely would not have been breached.