As an organization that specializes in cybersecurity, SolarWinds did a particularly poor job of protecting its file server. This is evident from the fact that not only did the company give an intern login credentials that allowed access to its servers, but the password chosen to protect the server was something a child could guess: ‘solarwinds123.’ More details on the SolarWinds hack, and how it could have been avoided, are discussed below.

What Caused the SolarWinds Hack?

SolarWinds has chosen to use an intern as its scapegoat, claiming that the intern accidentally made the password publicly available by posting it to their private GitHub account, thereby violating SolarWinds’ password policies. In November 2019, an independent security researcher made SolarWinds aware of the exposed login credentials, informing the company that the exposed password allowed unauthorized individuals to upload code to the company’s server.


Upon investigating the leak, it became evident that the password had been publicly available since June 2018, giving hackers plenty of time to compromise SolarWinds’ systems, which they did. The investigation also uncovered that hackers hid malicious code in a SolarWinds software update, which was pushed out to 18,000 customers, including several healthcare organizations and federal agencies. The SolarWinds hack was so widespread that the House Oversight and Homeland Security committees are investigating the company in a joint hearing.

How the SolarWinds Hack Could Have Been Avoided

Although SolarWinds claimed that an intern violated their password policies, there are several ways in which the SolarWinds hack could have been avoided.


Strong Passwords.

First of all, SolarWinds should have never been using such a simplistic password to protect their servers. In fact, the National Institute of Standards and Technology (NIST) specifically advises against using a password that includes the name of a company.

NIST password guidelines include:

  • Passwords must be a minimum of eight (8) characters in length, and systems must accept passwords of at least 64 characters
  • Passwords may contain special characters (e.g., “!”, “@”), but use of special characters is not required
  • Passwords may contain spaces, but use of passwords with spaces is not required
  • Passwords should not contain the following:
    • Sequential and repetitive characters (e.g., 12345 or aaaaa)
    • Context-specific information (e.g., the name or address of the worksite)
    • Commonly used words (e.g., p@ssw0rd)
    • Dictionary words (e.g., doctor)
  • Passwords obtained from previous security breaches should not be used
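The guidelines above can be enforced mechanically at password-set time. The checker below is an added example written for this article; it is not code from SolarWinds, NIST, or Compliancy Group. The context terms, common-password list, dictionary and breach list are small constructed samples; a real deployment would load a full breach corpus and wordlist from disk.

```python
import re

# Constructed sample lists (assumptions for this example, not real corpora).
CONTEXT_TERMS = {"solarwinds", "orion"}          # company / product names
COMMON_PASSWORDS = {"password", "qwerty", "letmein"}
DICTIONARY_WORDS = {"doctor", "summer", "welcome"}
BREACHED_PASSWORDS = {"solarwinds123", "123456", "password1"}


def _has_sequential_run(s: str, n: int = 4) -> bool:
    """True if s holds n+ consecutive ascending/descending chars (1234, dcba)."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n].lower()
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def _has_repeated_run(s: str, n: int = 4) -> bool:
    """True if one character repeats n or more times in a row (aaaa)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), s) is not None


def _normalise(s: str) -> str:
    """Undo common leetspeak substitutions so 'p@ssw0rd' matches 'password'."""
    return s.lower().translate(str.maketrans("@013$5!", "aoiessi"))


def check_password(pw: str) -> list[str]:
    """Return the NIST-style rules the password violates (empty = acceptable).

    The 64-character rule is a minimum the *system* must accept, so no upper
    bound is enforced here.
    """
    problems = []
    if len(pw) < 8:
        problems.append("too short (minimum 8 characters)")
    if _has_sequential_run(pw) or _has_repeated_run(pw):
        problems.append("sequential or repetitive characters")
    norm = _normalise(pw)
    if any(term in norm for term in CONTEXT_TERMS):
        problems.append("context-specific information (company or product name)")
    if any(word in norm for word in COMMON_PASSWORDS):
        problems.append("commonly used word")
    if norm in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if pw in BREACHED_PASSWORDS:
        problems.append("appears in a known breach list")
    return problems
```

Run against the password from this story, `check_password("solarwinds123")` reports both the company-name rule and the breach-list rule, while a long unrelated passphrase passes cleanly.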

Access Controls.

Secondly, the intern should not have had access to the login credentials that gave them access to the servers. Access controls provide each employee with unique login credentials to access data. They also establish designations for what type of data access each employee requires to perform their job function. Had SolarWinds implemented access controls, the intern would have never had access to the login credentials that caused the leak.

Employee Training.

Lastly, although SolarWinds may have trained the intern, the training was not sufficient. Any employee who has the potential to access protected health information (PHI) must receive HIPAA training and cybersecurity best practices training. Adequate employee training would have taught the intern that they should not post company passwords to their private accounts, including GitHub.