Monthly Archives: December 2020

Christmas Day 2020

I am a Christian, and this is a day given us for remembering Christ, and my comments will be on that wise. No offense taken by me if you want to pass over them; I wish everyone well on this day.

As I ponder my faith in Jesus Christ and my hope of a resurrection, I consider that in spite of conditions on earth – and, be warned, things in general are going to get much worse before things in general start getting better – I always have a covenant with my Heavenly Father that can be of good use to me because of the atonement of Jesus Christ, the only begotten son of our Heavenly Father. Without that atonement, I am lost. With it, I am claimed and can work out my salvation with fear and trembling, but work it out all the same.

Christmas day is not just a day to consider the birth of the Savior, it is a day also for contemplating his atonement, death, and resurrection, which resurrection is promised to all as a precursor to judgment. And it will be Jesus Christ who will be my advocate with the Father: if I am worthy, and repentant, and one who has done good in remembering the poor, the sick, the homeless, the afflicted, all my brothers and sisters… if I have been able to lay aside my sins and return to them no more, I will have done what I can to honor my covenants, and that gives me hope of returning to the presence of my Heavenly Father.

Life is hard and will get harder, especially the older I become. Winter approaches, I can feel it in my muscles and bones. But there is a Spring to follow that Winter. Even if I have been too sinful to see the earliest days of that Spring, I can nevertheless repent, strive to do good, and humble myself so that I have a hope of seeing those Spring days yet to come. That hope arises out of my faith in my Lord and Savior, Jesus Christ.

So today is a day given unto me to think on that matter, and these are my thoughts. I wish everyone well on this day.

What the SolarWinds Breach Teaches Us

First off, the Russian hacking of SolarWinds to get its cyber eyes and ears inside of sensitive US installations is not an act of war. It’s an extremely successful spy operation, not an attack meant to force the USA to do something against its will.

Next, if not SolarWinds, then it would have been some other piece of software. The Russians were determined to compromise a tool that was commonly used, and SolarWinds was the one they found a way into. Had SolarWinds been too difficult to crack, the Russians would have shifted their efforts to an easier target. That's how it goes in security.

So the lessons learned are stark and confronting:

  1. We can no longer take for granted that software publishers are presenting us with clean code. In my line of work, I’ve already seen other apps from software vendors with malware baked into them, but which are also whitelisted as permissible apps. SolarWinds is the biggest such vendor thus far, but there are others out there that contain evil in them. We have to put layers around our systems to ensure that they don’t start talking to endpoints that they have no business talking to, or that they don’t start chains of communication that eventually send sensitive data outside.
  2. The firewall is not enough. Neither is the IPS. Or the proxy server. The malware in SolarWinds included code to randomize the intervals used for sending data, and the data was sent to IP addresses in-country, so all those geolocation filters had no impact in this case. We need to look at internal communications and flag whenever a user account is being used to access a resource it really shouldn't be accessing, like an account from HR trying to reach a payroll server.
  3. Software development needs to reduce its speed and drive forward more safely than it is currently. I know how malware gets into some packages: a developer needs to meet a deadline, so instead of writing the code from scratch, a code snippet posted somewhere finds its way into the software. Well, that code snippet should have been looked at more carefully, because that’s what the malware developers put out there so that time-crunched in-house developers would grab it and use it and make the job of spreading malware that much easier.

    Malware can also get in through bad code that allows external hooks, but there’s nothing to compare with a rushed – or lazy – developer actually putting the malware into the app that’s going to be signed, sealed, and whitelisted at customer sites.
  4. That extended development cycle, meant to give breathing space to in-house developers, needs to be stretched further still to allow better penetration testing of the application, so that we can be sure that not only do we not have malware baked in, we also don't have vulnerable code baked in, either.
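Lesson 2 above argues for flagging internal access that is out of character for the account, rather than relying on where the destination sits. The following is an added illustration of that idea, not code from the original post: it runs a hypothetical account-to-resource policy over a few constructed access-log lines (the account names, hosts and the policy table are all assumptions) and reports every access outside the expected set, so an HR account reaching the payroll server is flagged even though the destination is an internal host.

```python
import re
from typing import NamedTuple

class Access(NamedTuple):
    ts: str
    account: str
    src: str
    dst: str
    service: str

# Expected field layout: timestamp account source-host destination-host service
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines, not real telemetry from any vendor or victim.
LOG_LINES = [
    "2020-12-14T09:01:12Z hr_jsmith ws-hr-07 hr-fileshare smb",
    "2020-12-14T09:03:41Z hr_jsmith ws-hr-07 payroll-db mssql",
    "2020-12-14T09:05:02Z fin_akhan ws-fin-02 payroll-db mssql",
    "2020-12-14T09:07:55Z svc_monitor mon-server-01 switch-core-1 snmp",
    "2020-12-14T09:08:10Z svc_monitor mon-server-01 ws-hr-07 smb",
]

# Hypothetical policy: destinations each role (by account prefix) or specific
# service account is expected to reach. Nothing here depends on geography.
POLICY = {
    "hr_": {"hr-fileshare"},
    "fin_": {"payroll-db", "hr-fileshare"},
    "svc_monitor": {"switch-core-1", "router-edge-1"},
}

def parse(line: str) -> Access:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable access-log line: {line!r}")
    return Access(*m.groups())

def allowed_destinations(account: str) -> set:
    # Exact account entry wins; otherwise fall back to the role prefix.
    # An account matching neither is allowed nothing, so it is always flagged.
    if account in POLICY:
        return POLICY[account]
    for prefix, dsts in POLICY.items():
        if account.startswith(prefix):
            return dsts
    return set()

def find_violations(lines):
    """Return (account, src, dst, service) for every access outside policy."""
    return [(a.account, a.src, a.dst, a.service)
            for a in map(parse, lines)
            if a.dst not in allowed_destinations(a.account)]

if __name__ == "__main__":
    for v in find_violations(LOG_LINES):
        print("ALERT unexpected internal access:", *v)
```

The monitoring service account reaching an HR workstation over SMB is flagged for the same reason as the HR account reaching payroll: neither pairing is in the expected set, and no geolocation filter would have caught either.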

Those last two are what will start to eat into revenue and profits for development teams. But it's something we must do in order to survive: a constant focus on short-term gains is a guarantee of remaining insecure. We may need to take another look at how we do accounting so that we can have a financial system that gives us the room we need to be more secure from the outset. Because, right now, security is a cost, and current accounting practices give incentives to eliminate costs. We can't afford to make profits that way.