Despite their best efforts, SolarWinds isn’t going to be able to slip back into obscurity anytime soon. Up until late last year, most regular folks wouldn’t have any idea who SolarWinds was, let alone what they did. But when one of the world’s largest outsourced IT providers gets hacked, leading to the compromise of approximately 100 very large companies and NINE federal agencies including the National Nuclear Security Administration, you aren’t going to saunter casually out of sight after such a massive gaffe. You might try a little misdirection by throwing an underling under the bus, but all that does is make things worse, regardless of whether it’s true or not.
True leaders know where the buck stops
As the SolarWinds “saga” started to slowly unfold for us in December and January in all of its terrible glory, one of the minor “subplots” that was revealed involved a comically weak password that was used to secure a SolarWinds server. If you ever want to bring a rain of derision and reproach from the technology community, use a password like “solarwinds123” as part of your infrastructure while providing IT to the agency that manages our nuclear arsenal. And if you want to double down on your foolishness, blame an intern for it.
It’s entirely possible that an intern might actually be at fault; all of us were young and “wet behind the ears” at some point in our careers, and let’s face it, there are a ton of people out there who might think that this is at least an OK password. But let me tell you something: every single SolarWinds technician, engineer, senior engineer and up that typed in that password KNEW it was a bad password and didn’t bother changing it. Everyone reading this article knows this is a bad password, and if you’ve been a reader for any amount of time, you’ve known this for years. It’s reasonable to assume that a fresh-faced intern with no IT experience may have chosen such a password, but it should have never survived the moment any SolarWinds employee had to use it even once. Regardless of who made the initial mistake, allowing it to continue being used is absolutely leadership’s fault – all the way to the CEO. Bad passwords have consequences, but excusing and ignoring them is even worse.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net