Information that could compromise your cyber security posture

The open government data movement began fully maturing in early 2009, at a time when government(s) and society began to truly realize the beneficial value of government data; and open standards were taking root as drivers of innovation. The thrust of this movement was to identify all valuable Government data sets, and to require agencies to make them available to the public, at no cost, and in open-standard formats that ordinary citizens and enterprises could easily access and leverage.  

These key principles were enshrined in the Data.gov initiative, established in May 2009, by, then-Federal Chief Information Officer (CIO) of the United States.  Ten years later, Data.gov still serves to provide public access to high value, machine readable datasets generated by the Executive Branch of the Federal Government, creating the first publicly available repository for federal, state, local, and tribal government information.  

In our attempt to be transparent and share information with all stakeholders; we sometimes inadvertently share sensitive information that could compromise the cyber security posture of the organization.

.

Why is CMMI Level 3 Relevant for Cybersecurity?

Maturity models have been around for more than three decades, as early as the 1980s.  The original intent of the Capability Maturity Model (CMM) was to assess the United States Department of Defense (D.O.D.) contractors’ processes.  The success of the software projects was measured using the CMM measurements.  Higher maturity scores were equivalent to better processes.  Higher scores also meant that the contractors used established and reputable processes and best practices for software design, development and quality assurance.

The context in which the term ‘maturity’ was used had special significance.  It was used in reference to specific aspects of the assessment, where the level of organization and optimization of each operation could range from ad hoc to formal.  Because CMM’s initial focus was particularly aimed at improving the software development process, its scope and application was very limited. For this reason, the Software Engineering Institute (SEI) at Carnegie Mellon University revised it.  It then became known as the Capability Maturity Model Integration (CMMI).  This new framework superseded the original CMM in scope.

The extended scope of CMMI now allows it to have a footprint in multiple disciplines.  These include Information and Communication Technology (ICT), business process management, service management, civil engineering, manufacturing and cybersecurity.

.

Anatomy of the SolarWinds Breach

There are many entities throughout the world that use third-party software as part of their business. When they do this, the service they receive form part of the supply chain of the company. SolarWinds is a key vendor with 33,000+ of the world’s companies and government entities use their software. The 22-year-old US-Based company, supply system management tools that are used by the IT professions within these organizations. The tools are responsible for a number of important services including software management, application monitoring, network configuration, etc. The Orion suite in particular, is SolarWinds most widely deployed network management system. It is used to manage and monitor the network infrastructure of the host company. To do its job effectively, the Orion suit needs absolute visibility of the company’s diverse set of network technologies. For this reason, it is common practice for network administrators to configure SolarWinds Orion with extensive privileges consequently, making it the perfect target for threat actors. On December 13th, 2020, it was discovered that the Orion software suit was infected with the malicious software called Sunburst.

.