By now, most of the general population has heard the words “hack” and “SolarWinds” at least once as they’ve turned on the evening news. There is a great deal of information circulating about this recent cyber attack, but even after expert analysis and forensics, there’s much we don’t know.
SolarWinds: An Overview
As a quick debrief, what we do know is that a foreign entity was able to infiltrate the software monitoring provider, SolarWinds. SolarWinds has been a leading player in the cyber security space for some time and provides one of the most prevalent security packages that exist for large companies and government agencies. Roughly 90 percent of Fortune 500 companies run SolarWinds software, as well as several U.S. federal agencies, giving it access to some of the most sensitive and important information in the country – requiring top-notch security and controls to keep this information safe.
In this instance, hackers used unique new tools that went largely undetected. By embedding malicious code into the patch of the latest SolarWinds Orion software update, as well as utilizing additional domains and other “backdoors,” hackers were able to gain administrative access to various systems within SolarWinds’ client base. Though SolarWinds and the companies it services have security measures in place, the way this attack was executed negated the typical protocols. To assess most threats, security professionals will use Indicators of Compromise (IOCs); but in this case, IOCs would have been unable to detect the bad domains used by these hackers. And worst of all, the latest reports indicate hackers were infiltrating the systems of major corporations and government agencies as early as August 2019.
The Third Party Factor
While many of the organizations attacked are not directly in the commercial real estate space, that’s not to say we in this industry should become complacent. An attack of this nature could happen to anyone at any time – and as we have learned, it did. Much of the media coverage and reporting on this attack refers to it as a supply chain attack – meaning the foreign entity was targeting agencies and organizations linked to the federal supply chain. Supply chain sounds very industrial (and in some cases with the federal government, it is), but it’s really a third-party attack. These federal agencies, corporations and those of us in the commercial real estate sector rely on third parties to provide a variety of services – from IT and cyber security to marketing and more. As the number of digital solutions we deploy increases, so does the threat landscape. And if the third parties a business depends on are compromised, the business itself is compromised, which is likely what has happened in our industry from this attack.
Thinking about this presents a very frightening scenario – as it should for anyone concerned about their cyber security. More often than not, IT and cyber security at organizations are understaffed and underfunded – particularly when budget season rolls around. However, there is a bright side to this situation (which may be hard to believe, but is true). There are valuable lessons to be learned and new tactics to implement across the commercial real estate practice to become more proactive and ensure systems and information are as safe as possible, regardless of the number of employees or budget dollars available.