<h1>Supply Chain Safety – Our Measures</h1>
<p>Power Admin blog, published 2020-12-22 (last modified 2022-05-03). Source: https://www.poweradmin.com/blog/solarwinds-hack-our-safety-measures/</p>
<p>The IT world has been in shock as we’ve all learned about the <a href="https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/" target="_blank" rel="nofollow">Solarwinds hack</a> (UPDATE: and now also the Kaseya hack). Network and server monitoring software inhabits a special niche: it often has full access to the servers and devices on the network in order to monitor all internal resources. Because of this it needs to be as robust, safe and trustworthy as possible. Given the fallout of the Solarwinds hack, customers have been asking us about our product safety. We’d like to assure you our software is safe and explain the steps we take to keep it that way.</p>
<p>When we talk about our products, it’s useful to split the files that make up these products into two types of interest – the executables (.EXE, .DLL and .SYS files) that we produce, and executables from other vendors.</p>
<figure id="attachment_7283" class="wp-caption aligncenter"><img class="size-full wp-image-7283" src="https://www.poweradmin.com/blog/wp-content/uploads/2020/12/power-admin-security.jpg" alt="" width="640" height="405"><figcaption id="caption-attachment-7283" class="wp-caption-text">Image by Jan Alexander from Pixabay</figcaption></figure>
<h3>Executables from Other Vendors</h3>
<p>We have recently completed an audit in which we checked every single executable file that we get from vendors to ensure it hasn’t been tampered with. Some of them were already signed by the vendor, so we know they are OK. Others we have tracked back to their source and compared to ensure they haven’t been altered. We keep all binary files in our source control solution (something not all companies do) so we can audit them and see if any of them ever change. For the 3rd-party executable files that were not already signed, we have done a one-time signing of them now that we have audited them and found they match the originals.</p>
<h3>Our Executables</h3>
<p>Our executable files are those that we compile from our source code. There are a very few that are not compiled at the time of each build – those were signed the last time they were built, and then not touched again. For the files that are compiled each time, the .EXE and .SYS files have been signed for a number of years. Starting now, we are also signing all DLLs that we compile.</p>
<h3>Source Code</h3>
<p>According to <a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" rel="nofollow">an analysis from Microsoft</a>, Solarwinds was actually hacked at the source file level. Hacks such as this require obfuscating certain bits of the code to hide critical details, such as the external hostnames that will be contacted. Source files written in .NET languages have a large library of possibilities for obfuscation, such as compression and encoding/decoding of data. We don’t use very much .NET in our products, so we were able to look at every one of our .NET source files manually to check for correctness, and nothing unexpected was found. Note that in the Solarwinds case 4000 lines of new source code had to be introduced for the hack, so it would be easy to spot manually in our smaller .NET scenario. For C/C++ code, such extensive built-in libraries don’t exist and have to be added manually. We’ve ensured no additional libraries have been added, and then checked all code that does compression or encoding/decoding of data and found nothing unusual.</p>
<p>All source code is in our source control system. One nice side effect of being a smaller company is that we all know each other and know what each other is working on. Any unusual file changes would stand out and attract attention, because each time source files are committed to source control a notification goes out to the Slack channel, letting all developers stay aware of changes.</p>
<p>We have the compiler turned up to the highest warning level, and never allow warnings or errors to go unfixed, in order to help catch bugs. In addition, we use static code analysis tools to further audit the source code for any potential bugs – we want the code to be as robust as possible.</p>
<p>In addition to the above, we have automated monitoring watching project configuration files, resource files, source code, and other inputs into the build; it sends out an email every few hours reporting files that have changed. It takes just a few seconds to scan those emails, so we are disciplined and actually read each one.</p>
<h3>Build Checks</h3>
<p>Now that all 3rd-party executables are signed (either originally by the 3rd party or one-time by us), and all of our executables are signed at build time, our build system verifies that all executables are properly signed as part of the normal build process.</p>
<h3>Our Build System</h3>
<p>Our build server is accessed by only one person. That server has our AD Login Monitor on it so we can see who accesses it.</p>
<p>In addition, we have our File &amp; Directory Change monitor watching files that shouldn’t be changing, so we’ll receive alerts if they do change.</p>
<p>Nothing in our process automatically downloads or updates components. We’ve been concerned about supply chain security much longer than it has been fashionable, so we’ve always taken the methodical and manual approach of checking updates as they come out.</p>
<h3>Network Security</h3>
<p>To help prevent attackers from getting into our network in the first place, we have a number of protections. Anti-virus applications are used and pattern files are kept up to date. Windows Updates are regularly installed on all workstations and servers. Windows Firewall is on and running on all computers. We use two-factor authentication for remote access, and each user can only access their own workstation. Of course, being a monitoring company means our software is on multiple servers (test and production), which provides overlapping monitoring and alerting of all systems. We are taking this opportunity to further enhance our internal monitoring and have set up additional alerts watching for suspicious changes.</p>
<p>Our production web, support and mail servers are hosted remotely and not on the same network as our development and office systems.</p>
<p>We have always taken security seriously, and take recent events as a chance to look at our systems again to see how we might improve further.</p>