SolarWinds’ CISO Under SEC Scrutiny: The Impact On The Infosec Community
Episode 35 • 6th December 2023 • Razorwire Cyber Security • Razorthorn Security
Duration: 01:07:11


Shownotes

Welcome to Razorwire, the podcast where we cut through the noise to bring you incisive discussions on all things cybersecurity. I'm your host, Jim, and in today's episode we delve into the SEC's fraud charges against SolarWinds' CISO, a case that has sent shockwaves through the infosec community.

In this episode, our guests Iain Pye and Chris Dawson discuss the hype surrounding the case, its impact on the infosec community, and the potential consequences for all Chief Information Security Officers (CISOs).

We also explore the uncertainties around the CISO's actual responsibilities and authority within the organisation when it comes to addressing security vulnerabilities, and how the SEC's action may push CISOs towards risk aversion and self-preservation.

Lastly, we talk about the dynamics of security compliance certifications, why a certificate such as ISO 27001 does not by itself mean an organisation is secure, and the potential for manipulation in obtaining one.

If you're a cybersecurity professional, join us as we dissect the complexities of CISO responsibilities, the SEC's pursuit of individuals over organisations, and the implications of legal actions on the infosec landscape.

Tune in for an insightful discussion that will challenge your perspectives and keep you on the cutting edge of cybersecurity issues.

"Companies are now telling victimised organisations not to produce an incident response report or similar or any type of report. Any such report should be delivered verbally or kept off any electronic or paper documents as much as possible as they could be subpoenaed in future lawsuits and may reveal the company to be at fault."

Iain Pye


Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we cover the following topics:


- The aftermath of the SEC charges against SolarWinds' CISO and the debate surrounding the implications for the infosec community

- The challenges and potential issues surrounding auditors' understanding of risk management and cybersecurity processes

- Discussion of internal messaging about cybersecurity vulnerabilities within SolarWinds and potential misrepresentation of cybersecurity practices

- The impact of underfunding on information security departments and the challenges faced in training and securing environments

- The potential for individuals to whistleblow on security vulnerabilities and the SEC's regulatory role to hold organisations accountable

- The debate on the extent of the CISO's authority within the organisation and the support required from the board in addressing security vulnerabilities

- The potential impact of the SEC ruling on CISO decision making and the resulting risk averse behaviour

- The potential impact of pressure from insurance companies and the SEC's focus on shareholder rights and company ethics

- Suspicions of misrepresentation and potential manipulation in obtaining security compliance certifications and ISO audits

- The role of CEOs and senior management priorities in influencing cybersecurity practices and certifications




Resources Mentioned


- SolarWinds

- SEC (U.S. Securities and Exchange Commission)

- ISO 27001

- Cybersecurity certifications

- Ransomware

- CISO (Chief Information Security Officer)

- Compliance certifications

- Incident response reports




Other episodes you'll enjoy


The Use Of AI In Cybersecurity – Consultants Roundtable

https://www.razorthorn.com/the-use-of-ai-in-cybersecurity-consultants-roundtable/


Lessons from an InfoSec Icon: A Fireside Chat with PCI Guru Jeff Hall

https://www.razorthorn.com/lessons-from-an-infosec-icon-a-fireside-chat-with-pci-guru-jeff-hall/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com, We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter:   @RazorThornLTD

Website: www.razorthorn.com


Loved this episode? Leave us a review and rating here


All rights reserved. © Razorthorn Security LTD 2024



This podcast uses the following third-party services for analysis:

Chartable - https://chartable.com/privacy

Transcripts

Jim [:

coming short well into early:

Jim [:

Ian chris. Hello.

Chris Dawson [:

Hello. Hi.

Jim [:

So have you been keeping abreast of the situation, guys? What have you spotted? Obviously, there's the actual filing, there's stuff that's been going on on LinkedIn where there's been quite a bit of discussion and quite a few kind of comments that have been made, many of them valid.

Iain Pye [:

Yeah, it's popcorn moment on LinkedIn, isn't it, really? With thoughts and random comments coming in, it's really interesting that, well, they've targeted for fraud, haven't they?

Jim [:

So do you want to, for those out there that may not be aware and have been living under a rock or just don't utilize things like LinkedIn and the news? Ian, since you actually have done the homework and Chris has not, do you want to kind of summarize what's been going on?

Iain Pye [:

Right, so the US Securities and Exchange Commission, the SEC, has basically filed fraud charges against SolarWinds' CISO. Not SolarWinds the company, but against the Chief Information Security Officer. Essentially, this is from the Orion breach. If you all remember back then, the whole SolarWinds saga, where many of us professionals had to go and look at whether we were ever affected by it. And essentially what they claimed, what SolarWinds claims, was Russian hackers basically got in the back door and basically any updates that went out to organisations had a backdoor in for these Russian hackers. So it all extends from that, I believe.

Jim [:

Just to add to this, the CEO did blame an intern, did they not?

Iain Pye [:

It's almost the intern tim for everything.

Jim [:

So he blamed an intern for releasing the password, the know, secure password that they used. I think it was on GitHub or something and everybody was kind of sat there going, what?

Chris Dawson [:

So hang on, just let me get this straight because I've not been fully abreast of it. The CEO blamed an intern because that.

Iain Pye [:

Internet to this yeah, I just want.

Chris Dawson [:

To just jump on this quickly because the intern released or gave away voluntary or involuntary the highly secretive password for everything. In a nutshell, why on earth has the intern got access to that is my first question.

Iain Pye [:

Well, free cheap.

Jim [:

Two Three, was discovered in:

Iain Pye [:

tends from that that December:

Jim [:

Essentially just a few. Many of them government.

Iain Pye [:

re the hack. So going back to:

Iain Pye [:

elivered that presentation in:

Jim [:

The SEC is financial. Yeah.

Iain Pye [:

Regulate the Securities and Exchange Commission. So, yeah, I think if you're floated or on the Nasdaq and stuff, you kind of come under their umbrella, so to speak, like we do in the UK. For any UK listings, you come under the FCA.

Jim [:

Well, I'm guessing a lot of customers who were affected were financial institutions as well. Let's face it.

Iain Pye [:

80,000 customers.

Chris Dawson [:

So in a nutshell they're doing him because fraud, he had a really shit password, but highlighted it and said, we haven't really got the best things in place here. Who did he highlight it to? Easy.

Iain Pye [:

So that presentation where it says we're shocking, essentially internal to the board.

Jim [:

One of the things we should be clear on here is that we're not fully sure of what the CISO did or didn't do in the capacity of his natural normal working day. There's every possibility that he highlighted some big strategic vulnerabilities to the C suite and he probably went through risk management and kind of assigned the relevant individuals or his team did, because let's face it, he's probably got a bit of a team behind him. But I'm guessing what's happened was they just went, I don't care about that. It happens quite often. Yeah, but seemingly the SEC are going after him to say, in general you had vulnerabilities and you didn't submit that information to the shareholders, which maybe I'm wrong here. It's not necessarily the CISO's job necessarily to traditionally do that, not to the shareholders at least. I mean, obviously if he is on the board, then he's part of that. He's responsible to the shareholders for the good running of the company.

Jim [:

But I don't recall ever seeing in a kind of annual general meeting the section in there that goes risk management and vulnerabilities that we know about within the organization, such as really crap password policies.

Chris Dawson [:

But if he knew about them, then surely that would be on the risks part when they push this to the board and say, here's our new identified risks, this is what we're doing to mitigate them and this is what we've already got in place. It's shit. This is what we're going to do to fix that problem.

Iain Pye [:

That's one issue with the actual lawsuit that they brought to it. They don't actually pinpoint his complete involved, as Jim said, his complete involvement in it. Basically. They don't know whether how much sway he had with the board or at all. And that's probably that's the key point. It's like, well, did he have authority to change anything? Did it require board approval? Say, hey, we got these vulnerabilities, give me the budget to fix it, or is it no board? It dissolves responsibility to you to then go fix whatever you need to. Here's a budget.

Jim [:

But this is the other thing I'm not clear on, which is obviously we're not too sure, I don't think, apart from maybe people at SolarWinds, obviously what the reporting hierarchy is for the CISO, do they report to the CTO? Are they part of the board? Where do they sit within the grand scheme of things? Because if you've got a CTO or Chief Information Officer or whoever, then it is well known that they tend to filter content from the security teams to create what I lovingly term as new Truth, where they take an old truth that is unpalatable and isn't sounding positive. And they go through the magical process of turning it into new truth where it's not as quite as bad as the old truth, but sounds eminently more positive than the old truth was. But it's still technically the same truth, and thus we term it as New Truth. Anybody who watches Monkey Dust will probably have seen that skit, but it is true because obviously politicians do it all the time.

Chris Dawson [:

Yeah, you stick a spin doctor on it and say, right, okay, we know what we've done badly, we've got countermeasure, yeah. We've got all this in place and this is what we can do. But there has to be more to that. I know we're not going to know until it all comes out, but there has to be more because otherwise they wouldn't even try to surely they won't go down this route of trying to sue. If he could just go, oh, hang on a minute. Here is the 53 emails that I sent to my superiors and the board identifying this, and they said, don't worry about it.

Jim [:

Yeah, but let's be fair here. Even if he did have those emails in his inbox when he was there, because he's no longer there, I don't think, is he? Even if he had his no, I.

Iain Pye [:

Think he was still there. Yeah. And I think SolarWinds came out and actively defended him.

Jim [:

Why isn't the SEC taking Solar winds to account for failures to address security rather than the CISO specifically?

Iain Pye [:

This is the thing about taking you putting responsibility on a one person that possibly doesn't have the responsibility that the SEC think he has as they have.

Jim [:

or for most of them for about:

Jim [:

I mean, one comment I saw from an individual on LinkedIn, I won't name him, he'll know who he is, is I've been told outright to shut up and say that things were much better than they really were, new, truth.

Chris Dawson [:

And.

Jim [:

That my take was not considered the big picture.

Iain Pye [:

Or I log in a company brand.

Jim [:

Goes on to say, in all these cases, the pressure was there from above, whether spoken or not, toe the line or lose your job. And I've seen that countless times. I've known CISOs that have been booted for going into a room and saying, look, we've got some serious issues, and that board kind of look at them and go, we don't want to hear about the issues. We want to hear about all this other magical stuff that makes us all look really good and gives us our bonuses. Because your vulnerabilities and your issues, they're bad news and bad news is bad. This SEC ruling, I think, has thrown a big cat amongst the pigeons, because now CISOs are going to be going into roles and I don't blame them. And they should do, especially when it comes to some of the legislations that are coming out door and all rest of it, especially in the states at the moment with the SEC, if they work for an organization involved with the financial industry or in the financial industry, they're going to sit there and objectively go, right. I could feasibly be on the chopping block.

Jim [:

Because the precedent has now been made that if somebody higher than me turns around, tells me not to do something or to not care about it, or they don't care about it, so they're not going to do anything about it, and they're not going to give any budget over or support in making something better, that I could feasibly be, as the person going in that role, as Uber's former CISO, and SolarWinds' current CISO, is finding out, on the chopping block. So no, I won't take this job for this amount. I'll take this job on an amount that could feasibly support me long term in the event of you guys not doing anything. It's going to drive up the cost of CISOs to companies in that space, which is going to raise the bar and reduce the chance that financial companies who can't afford those CISOs are now going to have none, or they're going to have to find some way of delivering substandard security and feasibly get to the same issue.

Iain Pye [:

The issue is you're going to make these people risk averse. They're going to be self interested because it's self preservation. So you're going to end up with they're going to choose over corporate profits or all the good stuff, which security is an enabler for corporate profits. A lot of people believe it's department, I know, but we are an enabler for all this.

Jim [:

Well, we protect those profits long term.

Iain Pye [:

Yeah, exactly. But they're going to be so risk averse, they're just going to be like, no. They're going to become one of the best whistleblowers we have, I think, out of self-preservation. If they find a vulnerability and it's not being fixed, they'll become a whistleblower themselves and go to the SEC themselves and shop them in.

Jim [:

Chris, you're the voice of reason in this group. What is your opinion on this?

Chris Dawson [:

I can't see it. If he's done his job and we found ten huge vulnerabilities here, I'm going to push it up and I'm going to need X amount of money to fix it, and here's the problems, and I've gone out and found the solutions. This is what we need to do. But I don't have the authority to do that myself. Number one, I want to question why he doesn't have the authority to do it himself. He's the friggin' CISO, for God's sake. That's his job. Number two, surely if you've done that and you've pushed it up, what else can they do? He's surely in the clear.

Chris Dawson [:

There has to be sort of an underlying suffer. He couldn't have explained it or he couldn't have gone from it, couldn't have been properly projected, the cost implications, the reputational damage that could come out of all this. Otherwise that they would have at least said, okay, we get you, let's half fix all ten at the very least, let's do something if they don't want to go all in. And if they'd done that, surely if I bring something up to my boss and I'm like, I found this, and they shrug it off like, okay, here's some digital backup, I'm out.

Jim [:

This is why the first thing I got taught, and I'm guessing we all got taught in our race through the world of infosec, which is always get proof of what people are not willing to know. Unfortunately, I know many CISOs, I know many infosec people, not just CISOs, who actively store that stuff outside of the corporate limits as well. Now, in my former career, I worked in a well known newspaper, that's all I'll say. And they used to get people supplying them with information all the time and they used to really carefully purge all traces because obviously they had the privilege of being the press, not unknown. And there's no reason why a firm can't say, right, okay, obviously we're about to get in trouble with the SEC because they've got their ways of finding out, let's get rid of the CISO. Oh, by the way, could you just go through his email and just purge them from the backups? Purge all information that we've got apart from anything damning, leave it in, because then we can scapegoat him and we can say it was all his fault and he was hiding it all, or she was hiding it all, they were hiding it all. And we can carry on with our jobs because, let's face it, a lot of people on the high end C suites in the big companies, a lot of them are about self preservation. They're not there because they're nice, let's be honest.

Jim [:

Or is that a bit controversial?

Chris Dawson [:

I think it might be a little bit of 50 50 on that. You have to have that corporate flower, that corporate look that you can present, but we've got to come with some credentials and they've got to come with some now to be able to do that. And I know that's sitting on the fence and being a full 50 50, but get off that fence, yeah, get off that fence. I just can't see any other way because otherwise people are just going to go, I'm not doing that, I'm not being a scapegoat for that, leave me way out of this. And that'll just fall. That job role will just cease to exist because no one will want it. And like you said, someone will go, I can do that, but I want 500 grand.

Jim [:

Yeah, to be honest, I mean, security events happen all the time. It happens to even the most secure organization. You can't secure everything. As we always say, there's no such thing as 100% security.

Chris Dawson [:

No, someone's going to find a way of some description and the bigger the company and you just got to try and keep up with the trend.

Jim [:

o get it signed off by, like,:

Iain Pye [:

Classic.

Jim [:

Exactly. I mean, he's being vilified for not dealing with vulnerabilities within the organization, but that's a bit of a broad meaning for me. Ian, you are the one who has actually read the filing in its entirety. It's about here the wording basically says not dealing with vulnerabilities and risks within the organization environment.

Iain Pye [:

Yeah. And raising it but doing nothing about it, pretty much, is the way it comes across, once you've raised it. It vilifies the CISO more than the company. In my head, yes, the CISO is there to pave the way for your security posture, your risk management and stuff like that. But it's got to have the support of the business to do that, got to have the resources and stuff like that. So why is it the SEC has vilified this person? Obviously, we don't know the ins and outs of the presentation and stuff like that, but honestly, do you think it.

Chris Dawson [:

Might be of anything to do with who allegedly hacked him?

Iain Pye [:

You mentioned Rushkith.

Jim [:

I don't think that in this case is that big a thing. I think what they're trying to do, and I may be completely wrong here, I think they're trying to make a point here. There's been a lot of movement and discussion about securing our critical infrastructures. Ransomware has been going nuts. Colonial pipeline got done. There's been a lot of hospitals that have been screwed over. There's been a lot of organizations a bit too close to the government institutions and the financial institution, because let's face the financial institution in any country is one of the more important ones to them because that's what generates the tax dollars. That's what keeps people employed.

Jim [:

That's what keeps the economy running. And every government needs an economy. If you haven't got an economy, let's face it, you're not going to be much of a country for long.

Chris Dawson [:

. Like change a password from:

Chris Dawson [:

If he didn't do that, then but.

Jim [:

That's not his again, he highlights it, but surely it's IT who go out and execute that because they own that set of assets. A CISO is there to do governance, risk and compliance, maintain security, knowledge of the vulnerabilities and the risks associated within the organisation based on the assets that they have and potentially the relationships they had, depending upon the type of the organisation. When you discover a problem, for instance, with the web app that's about to go live, you have no authority to make any changes as the CISO. You can recommend them, you can demand them, but final authority rests with whoever is the asset owner. In that, if the asset owner turns around and goes, no, we're on a timeline, so I'm not going to do anything, I'm just going to release it because we don't believe anybody's going to hack it, there's nothing you as the CISO can do. You can't go in and just write the code to fix the problem. You're not a coder.

Jim [:

You're dependent on other people seeing the risk and addressing the risk appropriately, either transferring it, removing it, reducing it. We all know risk management. Yeah, somebody else has pointed out, and I'll quote them, the SEC alleges that the SolarWinds CISO was aware of the SolarWinds cybersecurity risks and vulnerabilities but failed to resolve the issues, and he says, so is the CISO now on the hook for fixing vulnerabilities? Well, we're not. We can identify them, tell people about them and recommend that they change them, quite often. But fixing them ourselves, that's not something that we normally have the power to do or even the knowledge, unless all of a sudden we're going to have a mesh of information security people of all kinds of disciplines in all different areas, basically regulating their own groups, which isn't going to happen. Well, very unlikely it's going to happen. This might force it.

Iain Pye [:

When you read about ransomware earlier, about the trigger, I read somewhere recently, because of all the spate of lawsuits that we've had, there's been class action lawsuits. Essentially the legal team is hired to help manage the incidents and advise the ransomware. Companies are now telling victimised organisations not to produce an incident response report or similar or any type of report. Any such report should be delivered verbally or kept off any electronic or paper documents as much as possible as they could be subpoenaed in future lawsuits and may reveal the company to be at fault. So I remember reading that, and I remember I quoted it in my notes. Maybe that's what's going on here. We've got a very risk averse person, of actually documenting anything to get themselves in trouble, but in that case by not doing it have actually landed themselves in hot water.

Chris Dawson [:

Is it a fact that the insurance could be pushing this to say you're not insured because you highlighted and did fuck all about it. You told us your car has an alarm on it and it didn't and it got stolen. And when we found it, it had no alarm, so we're not paying out that sort of thing. So they're like, oh my god, now what do we do? We're not covered because it was identified. So we need someone to take the blame for this.

Iain Pye [:

But the SEC isn't a lot the SEC is a government entity. It's not to do with the insurers at this. This is the SEC going after an individual rather than the organization.

Chris Dawson [:

Even the SEC are going after an individual because people have pushing that agenda.

Jim [:

This is my point. The CISO isn't an expert on financial reporting and financial reporting goes to the SEC. They don't do the SEC filings as a general rule. There's no section in there that they have to sign off on. So I understand, not being American, any SEC filings done, no doubt by the financial side of the financial organization? Well I doubt there's a section in there that says, here are a list of the vulnerabilities that we are currently experiencing that we have decided to do bugger all about. But we've accepted that risk. I mean, insurance thing, I don't think companies, the companies are having a hard enough time getting insured anyway. Let's face it, it's gone to the point where you just can't afford the insurance.

Jim [:

There's just no point in doing it. The cost of getting the insurance is no benefit really for a lot of organizations anymore. I'm going to get shot at now by the insurance cyber insurance community. But is it.

Iain Pye [:

The SEC cases that they've defrauded?

Jim [:

Investors haven't defrauded investors. Investors have the shareholders because it's shareholders.

Iain Pye [:

Shareholders have the right to shareholders, sorry?

Jim [:

Shareholders have the right to well they're normally investors, they've invested, haven't they? So technically it's correct.

Iain Pye [:

Yeah.

Jim [:

Shareholders, holders of shares have the right to understand that the organization's C suite, the executive management, are undertaking business in an ethical manner in accordance with their wishes. Now obviously the more shares you have, the more votes you get. So whenever something comes up, the shareholders get together, they vote on it. If someone's got 51%, obviously they tend to win it, but that tends to be how it works. And there's an annual general meeting where you kind of sit down, you go over how the company has been running over the course of the year, what the potential dividends are going to be or what the financials look like and so on and so forth. They usually make a big thing of it in larger organizations as a dinner or something.

Iain Pye [:

Yeah. They say fraud to investors. So from a security point of view, what do you tell investors at the end of the day? From a security point of view, your.

Jim [:

Company's information security is about as good as this leaky bucket here.

Iain Pye [:

sually, yeah, we're astounded:

Jim [:

But actually, underneath, the senior management are going to allow the CISO to get on that stage and go, hi, guys, I've got good news, I've got bad news. Good news is spending has dropped in security in favor of dividends. Unfortunately, the overall security of the company has plummeted into the ground and we have fires everywhere that no one cares about as long as the shareholders are looked after. Not in a million years. Is anybody the CEO?

Chris Dawson [:

No, of course not.

Jim [:

But that's why the senior financial has.

Chris Dawson [:

He told the compliance? Is that what you're saying? Has he said to, if he knows what he's doing, we are compliant? Knowing they're not yeah.

Iain Pye [:

And that's it. Knowing that they have vulnerabilities, they have risks that are probably more than likely basically a major nonconformity. If they had ISO or anything like that, or whatever the SEC is, the SOC 2 equivalent is, or risk discrepancies and stuff like that, I can't remember.

Jim [:

What they or they've gone through. So many ISO auditors, they found one that they can bully and get them sign off on whatever it is. Let's be frank, they've got the guy.

Iain Pye [:

On a Friday afternoon. He just wants to get out.

Jim [:

It does happen. I'm not saying it does.

Chris Dawson [:

Can you show me X document? No, we haven't got that one. Don't worry.

Jim [:

I'll be honest again, I'm going to get shot by the community. Now, I've met ISO 27001 auditors that wouldn't understand what a risk management solution and process was if it hit them in the face, and they're going out and they're auditing organisations. This risk management looks good. It says a risk and it's got a rating and it's got somebody associated with it, it's got all the components that I know should be there. But not being an experienced or even possibly a good auditor, I'm not looking at the intent behind the requirement and the process. Does the process make sense? Does the procedure follow a logical framework? Or have they cobbled together in a Frankenstein methodology something that just really isn't appropriate? Good quality auditors, obviously, like myself, would look for that kind of yeah, that.

Chris Dawson [:

Auditor is just going he could have just been literally he or she just going down that list, ticking off and the CISO or his team have gone. Do you have X, Y and Z in place? Yes. With no evidence. Do you need evidence? No, because the auditor doesn't know what he's looking for anyway and they've seen that and gone, just tell him what he needs to know.

Iain Pye [:

Or we could have a conclusion that effectively it is the auditors that have defrauded the investors and not the CISO.

Chris Dawson [:

No, because no, it's definitely not the auditor because they've asked the question. All right. They probably should have followed up, but depending you get what you paid for.

Jim [:

If he turned around to the shareholders and said, hi, we've got ISO 27001, and they do have ISO 27001, then cool, I've got ISO 27001. Doesn't mean they're secure. It just means they've managed to kind of convince the auditor to sign them off and, again, going to get shot at for that one. I can imagine the comments I'm going to be getting back on that one.

Iain Pye [:

But compliance does not equal security.

Jim [:

It doesn't.

Chris Dawson [:

And if that is the case, then he's in hot water. If it's not the case and he's highlighted everything that he's seen, his vulnerabilities he's highlighted, he's done a risk register, he's pushed it to the board and he's got pushback and he's not been able to do anything about it, I would say that he's going to be all right. And when he finally gets out at the other end of it, he then sues SolarWinds for God knows how much.

Jim [:

He's going to be all right. I, voice of reason, Chris, I'd love that to be the I really, really would. I'd love to have the unique view that you have of the world, that everything is going to be all right in the end.

Chris Dawson [:

There can only be two outcomes. Either he has, like we just said, he's purposely fraudulent and said, yes, we've got this.

Jim [:

Is there a group of information security people that the SEC have produced and who are approaching them and saying, can you analyze what this guy has been doing? Can you analyze what the reports he's generated and can you tell us whether or not he's been doing the job that he should be doing? Or is it going to be dealt with by lawmakers who aren't infosec people? Is it going to be dealt with specialist people that they get on the dock? Subject matter experts? That's it. That's what I was hoping for. Because they only ever usually get one that says yes, because obviously the defense is going to find a subject matter expert that's going to go, yeah, he's done it all right, he's done it fine, fantastic. And then, of course, you're going to get the other side, who's like, no, it was crap. He didn't do anything. I think this guy, whether he did it right or wrong, no matter whether he did it right or wrong, and I do fear that if he did do it right, he's still going to get beaten across the head.

Iain Pye [:

Shall I read you from the actual document what the first paragraph says?

Jim [:

The summary of "you are screwed".

Iain Pye [:

From at least October:

Jim [:

So he did say that they were very vulnerable?

Iain Pye [:

Yes.

Jim [:

In his internal presentation, his internal or his public presentation?

Iain Pye [:

In his internal presentations to SolarWinds.

Jim [:

Who in their right mind, in their external presentations out to the big wide world, is going to say, yeah, our cybersecurity is really shit, we've got vulnerabilities everywhere. So come in, boys and girls, go for broke because we're like a leaky. No idiot is going to go and do that.

Iain Pye [:

No, but we all like people, to be honest. Eventually.

Jim [:

That's like having a safe, an open safe in your house stuffed full of gold, and putting a massive sign outside on your front gate saying, I've got gold bullion with bugger all security, come and get it. And just waiting there on the front porch with a glass of cider, watching people come wandering in.

Chris Dawson [:

He has to have highlighted these vulnerabilities, or not even individually, just said, like, it's not great, and then the board and whatnot go, right, what do you need? And he's gone, oh, don't worry, we're fixing it, and then just done nothing about it.

Jim [:

I mean, it could be that he did that, but what infosec person in their right mind, who are normally underfunded to hell? I'd like to point out the average budget for infosec is, what, 10% of the IT budget? If you're lucky. Sometimes it's closer to 5%. So you're not going to get a chance to really get any tools worth a damn, and you're rather reliant on IT buying in specific technologies to help secure their environments, the SIEMs, your endpoint security, the usual stuff. Obviously, making sure interns don't put SolarWinds one, two, three onto... That's also part of the staff training. Not...

Chris Dawson [:

Allowing... don't write your passwords down in...

Jim [:

Your diary, making sure that group policy and access rights, logical and virtual in nature, are the most appropriate. I mean, why an intern allegedly was putting things onto a public forum with all of these details is beyond me. But equally, I just saw that personally, as the CEO, I'm going to be unfair. Let's point the finger at an intern, because nobody gives a stuff if the intern gets the finger pointed at them and screwed. That didn't work. It's the go-to move, and it didn't work. So the SEC eventually have kind of gone, you know what, we need to take a stance on this.

Jim [:

It's a good example. It will make an example of an organization. I'm guessing that's what they were thinking. It'll make an example of the organization. So what we're going to do is we're going to go after the CISO for failures to report vulnerabilities, risks, the handling of the risks and so on and so forth, and all the filings. And rather than go for the organization, they've gone for the CISO for some bizarre reason.

Chris Dawson [:

Get it out there and.

Jim [:

Say, I mean, it's not a CEO. He's not gotten a massive dividend or a massive payout for what he's done. Even well paid CISOs, and there are some very well paid CISOs, getting that kind of level of lawyer, or group of lawyers, that's going to be able to fight the SEC, unless you can get somebody pro bono, is going to be almost impossible.

Chris Dawson [:

That's why they've done that, haven't they? We need to make an example here. We can't make an example with an intern. We can't do a middle of management because it's not going to quite cut it. We need to go big.

Jim [:

We can do the statement to the financial world that you have to handle your risks and we've got to basically run over somebody with a bus. And it's going to be and if.

Chris Dawson [:

They do the company, the company folds. Look at who their clients are. Most of the government entities, I'm guessing. We're basically suing ourselves. Yeah, they probably have. But yeah, I think you're bang on right there. That's probably what the thinking is. We need to go big, but we can't go too big by doing the company.

Chris Dawson [:

Let's go for a big fish within there and highlight this.

Jim [:

Did you just agree with me, Chris? Wow.

Chris Dawson [:

I did.

Jim [:

Does this mean Iain's not going to agree with me? Come on, Iain. You are now the voice of reason.

Iain Pye [:

The reason why they've gone for him is because he's made public statements. Well, he's a figurehead, he's a poor guy. Public statements on the website. So in the security section they say, blah, blah, blah. I'm just refreshing my memory. Having read through the registration statements and periodic reports filed to the SEC, they've said, yeah, we're good, we're okay.

Jim [:

And when they file, he probably didn't sign that report to the SEC, because he's got no financial, no.

Iain Pye [:

ad it out to you. In November:

Iain Pye [:

That same month, a SolarWinds network engineer complained, we filed more vulnerabilities than we fixed. And by fixed, it often means just a temporary fix. But the problem is still there, and it's huge. I have no idea what we could do about this, even if we started to hire like crazy, which we will most likely not, it will just take years. Can't really figure out how to earn this situation. Not good.

Chris Dawson [:

And that was from one of his team members. Yeah.

Iain Pye [:

And then the following paragraph is, even though Brown and/or other SolarWinds employees and executives knew about these risks, vulnerabilities and attacks against other products, the cybersecurity risk disclosures did not disclose them in any way, either individually or by disclosing the increased risk they collectively posed to SolarWinds.

Jim [:

I mean, playing devil's advocate and going to the other side of the fence, to be honest, I think if you are in infosec and you've got to make statements, you've got to make statements that reflect the situation. I mean, you can soften them for the public forum. Internally, you have to be realistic. They're a big organization. They will have the issues that big organizations have with things like reporting.

Iain Pye [:

And it's hard to do things because there's so much bureaucracy.

Jim [:

It's a message from one bloke to somebody else, and it's like, is that the basis of whether or not security was being handled correctly internally? I mean, it's not good. I mean, it doesn't sound good, let's be honest. But it's just a conversation. It's not the risk register. It's not the documentation behind the risks. We've told you to...

Chris Dawson [:

It's not the evidence to back up what you're saying. It's general chit chat.

Jim [:

If I was tasked by the SEC, with a group of people, obviously professionals such as us, to look at what he was doing, I'd be looking at, was there a reporting process for risk? Was it being handled appropriately internally? Were people taking things seriously? Or was it a case that he was just shouting into the void and nobody was really answering? If he was missing stuff, okay, he missed stuff. Where's the penetration tests? If it's a new iteration and a new build of the environment, then did it go through a code check? Did it go through a penetration test? Now, I believe the original issue, the backdoor, was put into the version that was put onto the update server. So it might have been missed. Well, not missed, it might have been put into that build after any checks and tests had been done. But in fact, no, because they signed the... this is what I don't understand.

Iain Pye [:

relevant period between July:

Jim [:

But he didn't write, I'm guessing he didn't write, the reports that went to the SEC. So I don't know. This is where it gets really gray, because you don't know what has happened. Because he could be the head of whatever, but that doesn't mean he's part of the board, which doesn't, I think, in this...

Iain Pye [:

Case, he probably wasn't. He's probably one of those CISOs that is a CISO in title only and actually is not on the board and has no sway over the board. And so he's not going to get the support and requirements needed.

Chris Dawson [:

And it sounds like he's done his corporate bit by trying to just look after his job and going, yes, I've highlighted some bits and bobs. However, when the authorities or the auditors come and have a look, we'll just brush over this. We'll make sure that they've gone away. They've not actually gone away. We've temporarily fixed them and patched them. But it's fine. It will be okay.

Jim [:

On the flip side of this, is it not in the interest of SolarWinds themselves that the CISO gets hammered for this, and they hang him out to dry and say he never told us about it?

Chris Dawson [:

I was just going to say, Jim, there's two conspiracy theories here.

Iain Pye [:

Oh, there we go.

Chris Dawson [:

I love a good conspiracy.

Jim [:

Whenever we do this, we should get some tinfoil hats and we just put the tinfoil hats on.

Iain Pye [:

Yeah, I want a counter that says number of conspiracies.

Chris Dawson [:

Conspiracy one is, who hacked, and was he working for them? That's all I'm going to say.

Jim [:

Really?

Iain Pye [:

Jesus.

Jim [:

That's definitely a conspiracy theory.

Chris Dawson [:

Number two is that the SEC were going to go after SolarWinds and say, like, right, what the goddamn hell are you playing at, and they've gone, right, okay, look, okay, we understand, we're going to play ball, but if we play ball, can you not do us as a company? Can we just do individuals and we'll give you what you need? That protects the shareholders, that protects the shares, protects the money. They just have a little bit of a blip, then go, look, we found this bad apple, we've got rid of it, we're fixing it now. We're good as a company. But it's a conspiracy theory. I'm just saying.

Jim [:

Yeah, I mean, the first one is definitely one of the biggest conspiracy theories I've heard for a while. God, I'm going to expedite the release of this because of the time sensitive nature of this. So we'll see when people start putting it on LinkedIn, and there'll be a picture of you from... you'll become an infosec meme. A conspiracy theory infosec meme on the second Pot account. Yeah, I mean, it could be, this smells of someone's going to have to pay. Someone is going to have to pay, and we have to prove to the rest of the world, the business world, sort your stuff out, because we've seen the NIST upgrades happening, we've seen, obviously, PCI upgrades happening, the ISO upgrades have been going on. Biden has just done the release for the AI stuff, which is another video I'm going to be doing at some point, where he's saying how securing AI is so important. And there's been numerous times when previous presidents like Trump and Biden have both said cybersecurity is a key part of our future concerns.

Jim [:

Maybe this is a way of forcing that. The public, or the public organizations who service the government, who service key parts of industry, are being told, if you screw up, we are coming for you. But we're not just going to come for you as the organization, we're going to come for the individuals that we perceive as having done wrong. Iain, the CEO isn't named on that filing, is he?

Iain Pye [:

No, it's just the company, SolarWinds.

Jim [:

SolarWinds, and there's specifically... but the CEO has ultimate authority for what goes on within the organization. He is the captain of that ship. And if there's somebody underneath who hasn't done what they need to do, then surely he, by proxy, should have assumed responsibility as well.

Chris Dawson [:

He or she, yeah. Are they going after an individual on a personal level, or an individual through the company?

Jim [:

Because then if you're going for an.

Chris Dawson [:

Individual, I know it's the same person.

Jim [:

But if you're going for an individual on the C suite, the whole C suite is responsible for running the company. I don't get why you're going specifically for the CISO. I could understand if it was the CISO and the CEO, I could understand if it was the whole C suite, but laser focused on the CISO not doing his job? There's a lot of people being missed out here.

Chris Dawson [:

But then again, he is responsible, sorry, they're responsible for highlighting vulnerabilities and then saying whether they're fixed or not. Highlighting is one thing he can document. He's highlighting it. Brilliant. But did he then come out and say, oh, no, we've done... you can...

Iain Pye [:

Reduce.

Jim [:

Removing a risk or a vulnerability entirely can be really difficult sometimes. It's just as simple as getting rid of the vulnerable code or upgrading the vulnerable code or rewriting it or whatever. But when you're talking about systems, if you're saying, oh, you didn't get rid of the zero day vulnerability, it's like, well, it was a zero day vulnerability, so there was no upgrade for it, there was no update for it from the vendor and all the rest. That's another thing entirely.

Chris Dawson [:

Yeah, but when it's just a shit.

Jim [:

Password, well, yeah, let's face it, the password enforcement there is somewhat bad. It doesn't look... that's what I mean.

Chris Dawson [:

He can highlight what he wants, I think, and this is me, I've switched over a bit now, but if he's not done the basic bits, then yeah, come on man.

Jim [:

Yeah, I mean that is a good point.

Iain Pye [:

The CEO has put a blog out about their response to this. Well, he calls it a misguided and improper enforcement action against us.

Jim [:

But it's not against them, is it?

Iain Pye [:

I think it's one to watch. At the end of the day, whatever happens, filing or non filing, whatever the outcome is, it's going to paint either a rosy picture for CISOs or not. Let's be honest, because at the end of the day, if you're a publicly listed company and you're a CISO, and this case goes against the current CISO at SolarWinds, it's not going to be good for CISOs going forward, because you're going to be liable. Especially if you're publicly responsible, especially...

Chris Dawson [:

If he's done what he should have.

Iain Pye [:

Done, and if he doesn't have the backing of the board, and he's done what he's done and he's tried to do the best and they tried to fix everything. They're going to turn into a whistleblower. They're going to go to the SEC themselves and go, I don't want this case to be brought against me if anything goes wrong. You're going to create a culture like that, and it's going to be horrific, and it's not going to be something that people want to do at the end of the day. And as you said, it's going to demand those big pictures, those big wages. And there's a lot going on around at the moment about how CISOs are part of the C suite, part of the board. Realistically though, is that the actual case in most businesses? No, I don't think it is. I don't think it's a realistic representation.

Jim [:

It's changing. It is changing, but at the moment that's not necessarily the case. I think we're into the final rounds of rounding up here, and Iain has started to do that expertly, and I think from my perspective, I agree with you, Iain, we are going to see a very big change in infosec. Employment is probably the best way to put it, going forward. Culture, and the culture, well, I think it's just going to reinvigorate the culture of ass covering, as we used to term it.

Chris Dawson [:

It's an arse covering exercise.

Jim [:

Yeah. I mean, we're going to have to be so much more careful now about the roles that we go for as professionals. You're going to be evaluating every role now. Is there the potential there for me to get into trouble and it not being my fault? So some of the questions you're going to be asking, it's almost like you're going to be getting interviewed and then you're going to be interviewing them straight back, which, let's face it, you should probably do a bit of anyway. But it's going to be like, so do you report to the SEC? If so, I want sign off on reports going through for the security status, because I've seen what's happened to that poor sod over there and I don't want that to happen here. Secondly, when it comes to our risk management processes, they're going to be sacrosanct. And any time a risk is assigned to anybody, we're going to get a full write up that it's been assigned to them, that they're going to respond and sign off that they're assigned to that particular set of assets and risks and so on and so forth. And then it will be their responsibility.

Jim [:

So the documentation is going to get heavier. Our write ups are going to have to be pretty pristine. Getting a PA is what I suggest most infosec people at that level probably do, and a good solid team behind them. But it's going to get to the point where, looking at it, if they've gone into people's messaging, they're going to be like, right, you are not to discuss any security things over instant messenger, over email. You have to basically clear all communication. So you're probably going to get a PA person, maybe even somebody from marketing, to join your team just to make sure the message is correct and that you're not binding yourself to something or misrepresenting yourself, either to partners, the big outside world, or the SEC.

Iain Pye [:

I think a lot of it is going to end up being done verbally as well.

Jim [:

In secret behind the bins.

Iain Pye [:

Yeah, secret squirrel rules.

Chris Dawson [:

People are going to want that. People are going to want it documentated, though, aren't they? Documentated? That's not a word. Documented.

Jim [:

But I don't think documentation is enough. I think you're going to need to get proper reputable sign off, the same as you sign off a contract digitally, or with your signature, or with your signature and digitally. I think that's going to have to be the case; that's what you're going to have to do. Because if you don't do that and something goes horribly wrong and you end up in front of the SEC and they're going, did you do what you said you should have done? I assigned it to these guys. I told them about it. They've got responsibility for it.

Chris Dawson [:

I just told them, the whole arse covering exercise. The workload is going to treble.

Iain Pye [:

Oh great, more paperwork.

Chris Dawson [:

It's the only way to go, isn't it? If this does go a bit sideways for him, then the only outcome is that every CISO, and everyone slightly below, is going to go, right, okay, we need to make sure that we are on a full ass covering exercise, and have we got... do not talk...

Jim [:

Over Slack, do not criticize, exactly, the level of security in the organization over any medium. That is going to go back to what they used to do at the newspaper. Don't send anything that could be utilized in court and just have conversations about it, which is going to be awesome in a world of working from home, because now everybody's used to just kind of saying whatever the crap they want over, you know. Have you seen what Mike is wearing? You know, sitting there in a muumuu, granddad.

Chris Dawson [:

There's definitely a part two to this when we find out a bit more though, isn't there?

Jim [:

Well, when it finally happens. When's the hearing, Iain? Does it say?

Iain Pye [:

I don't know. That's what I'm trying to work out right now. I'm trying to find a section for it.

Jim [:

It could be ages away yet.

Iain Pye [:

Yeah.

Jim [:

Unknown.

Iain Pye [:

We can update it post edit.

Jim [:

So the takeout from this one, I think my advisory is, if you are a CISO associated with a publicly listed company in any part of the world, you're kind of getting a little bit boxed into a corner now. Damned if you do, damned if you don't. And you'd better really, probably, start getting some serious documentation together and sign offs, because, I mean, whether the CISO is found liable or not, I think the precedent that it could feasibly go to court like this, the damage is done, that's it, it'll happen again.

Iain Pye [:

I think we're going to see a few more of these. Well, we've seen one already, haven't we? With the Uber CISO, or the CSO, was he?

Jim [:

Yeah, but I get the impression this one's a little bit more.

Iain Pye [:

It'll be on a different level. I think we're going to see some more if there's any more big ticket breaches like the SolarWinds thing again. The Colonial Pipeline one, that'll be an interesting one. See if that actually comes through as a case, potentially, as well.

Jim [:

Are they looking to do that against what? Against the CSO? Against the C suite?

Iain Pye [:

No, it's just because of the way it feels a very similar type of hack at the end of the day, to me, incident. So I won't be surprised if the SEC, or another government agency, because they're not under the SEC, will actually maybe take the CISO to task then as well. It might be a trend for the government agencies now to actually target the CISOs along with the companies as well.

Jim [:

Well, here's a good tip. If you're an up and coming lawyer about to go into the wonderful world of legal representation, a really good one to go for at this moment in time is specializing in cybersecurity and defending CISOs from the horrors of getting sued.

Chris Dawson [:

Hung out to dry. Hung out, yeah, I think is what you're looking for.

Jim [:

There you go, guys and girls out there. If you're a lawyer and you're thinking, what should I specialize in? Family law? Business law? Obviously go for business law and specialize in cybersecurity.

Iain Pye [:

We've got a Tim's Thought of the Day section. Now.

Jim [:

I'm going to get my degree in law once.

Iain Pye [:

Watch this space. I'm going to see where it goes. It can either go very well for the CISOs or it can go very wrong, depending on how the court case goes.

Chris Dawson [:

My prediction is it'll go away.

Jim [:

It'll go away. Yeah.

Chris Dawson [:

I think there's a big hype because of what impact it had. Someone has to be seen to be prosecuted, or someone has to take the fall for this trial. Yeah, conspiracy theory land. There's a lot of talk and chatter about, like, oh, my God, I can't believe that they're going for the CISO and not the company. Blah, blah, blah, blah. Six months' time, it's old news, nothing happened.

Jim [:

There we go. The voice of reason has taken his bat home. We will see, we will see, and we will no doubt report on it when it does, whether or not it falls off a cliff and nobody talks about it. I think this is one the infosec community, at least, are definitely going to be quite interested in. I don't think it's going to go away for us, guys and girls, because I think it's become quite an important key landmark as to how things are going to be going forward. So thank you, guys, for being my wonderful co-hosts yet again and offering your words of wisdom and voices of reason and indeed conspiracy theories that come out again. Let's see if we can kind of get some people who are good at memes to get Chris and we'll memeify him. But anyway, to all of you out there, thank you ever so much for coming and listening to us or watching us, depending upon what medium you're on. If you've got any recommendations.

Jim [:

If you want to hear us debate items of importance within the infosec community, then please feel free to give us a message. Drop us a line on LinkedIn or whatever the various different mediums out there are to get hold of us, and we'll be more than happy to debate the subject matter and see kind of where we sit, where we stand, and deliver pearls of wisdom. So thank you, everybody. Look after yourselves. Thank you for listening to the Razorwire podcast. If you like the podcast, if you love the podcast, please feel free to subscribe, and if you have any questions, please get in touch. Thank you very much and have a great day.
