Solarwinds breach, a signal for a systemic enterprise view on Information Security
2021 (English) In: The OR Society's 63rd Annual Conference, Operational Research Society, UK, 2021. Conference paper, oral presentation only (refereed)
Sustainable development
Not referring to any SDG
Abstract [en]
Once, systems thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with systems, directly or indirectly. Today's information security involves all systems in the chain; to use an old maxim, "No chain is stronger than its weakest link". The ICT world has become so interconnected that holistic systems thinking is needed, with systems outside the organizational border involved and accounted for. ICT criminals are using increasingly sophisticated attack methods, often based on the victim's system architecture. In the December 2020 security breach at the network management firm Solarwinds in the US, an external party had added a trojan horse package to the Solarwinds management system. The hack gave the attackers stealth control of both Solarwinds' and its 18,000 customers' internal system environments, including high-security targets like the FBI, Homeland Security, and Microsoft.
The attack was sophisticated, using the Solarwinds system knowledge, standards, and code layouts. Anyone not doing a deep survey would see Solarwinds code. The trojan was well known but rewritten to the standards of the target. Solarwinds shows that we have now entered a "brave new world", demanding a much more structural systems discussion of how to protect our ICT. Based on this attack's sophistication, this was probably a seventh or eighth successful attempt. We need solid enterprise-wide, system-coordinated security perspectives. But how can we use systems thinking to help plan a better and more cost-efficient security approach at the enterprise level? For 14 years, this researcher worked with information security in a global automotive company that had the Viable System Model (VSM) as its internal system model. When not "sabotaged" by managers (yes, it happened), VSM worked fine. VSM also works fine for securing compliance with modern laws like GDPR when an enterprise perspective is taken. Information security desperately needs enterprise systems thinking.
Place, publisher, year, edition, pages
Operational Research Society, UK, 2021.
Keywords [en]
Data breaches, Info Security, Security Governance, System Thinking
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
URN: urn:nbn:se:lnu:diva-109132
OAI: oai:DiVA.org:lnu-109132
DiVA, id: diva2:1626733
Conference
The OR Society's 63rd Annual Conference, 14-16 September 2021
Note
No conference abstracts or compilations were published by the OR Society for the OR63 conference.
Not verified 220121
Available from: 2022-01-11 Created: 2022-01-11 Last updated: 2024-08-28 Bibliographically approved