Log4j vulnerability: what should boards be asking?

Background

The Log4Shell critical vulnerability in the widely used logging tool Log4j has caused concern beyond the cyber security community. This is because Log4j – rather than being a single piece of software – is a software component that’s used by millions of computers worldwide running online services. This makes Log4Shell potentially the most severe computer vulnerability in years.

The challenges organisations face are therefore:

  • finding out what services use the Log4j component
  • identifying which of these services your organisation uses
  • finding out if these services are vulnerable


How concerned should boards be?

The Log4j issue has the potential to have a severe impact on many organisations. While cyber security experts attempt to detect which software and organisations are vulnerable, attackers are already starting to exploit the vulnerability. Initial reports indicate this is likely to include remote control malware and ransomware. However, the situation is fluid and changing regularly.

As of December 16th, the majority of attacks are automated and exploratory, with initial reports of more targeted exploitation. Should ransomware be delivered by exploiting this issue, vulnerable computers may be ransomed. If organisations do not have robust internal network cyber resilience, this could spread through the organisation and cause a variety of business impacts including:

  • business operations disruption
  • the need to disclose where personal data was affected
  • costs associated with incident response and recovery
  • reputational damage

Possible organisational impacts range from minimal to a crippling attack, with possible information theft and loss of service. Managing this risk requires strong leadership, with senior managers working in concert with technical teams to first understand their organisation’s exposure, and then to take appropriate actions. These will be specific to your organisation, so working with and supporting local subject matter experts is essential.


What should boards be asking of IT teams?

Medium to large size organisations with dedicated IT teams should consider the following questions.

1. Who is leading on our response?

Log4Shell is a critical incident that justifies a ‘tiger team’ of staff to address it. There should be a designated person leading the organisation’s response.

2. What is our plan?

Currently, most organisations will be responding to software found to be vulnerable, or to cyber attacks. There will likely be a migration to a more methodical approach which first identifies how the organisation is affected and then rectifies any problems found. Large organisations and enterprises will need a phased approach to manage this issue over many weeks or months, with teams able to sustain a response over the medium term.

3. How will we know if we’re being attacked and can we respond?

Whilst lots of researchers are trying to detect issues on the internet, attackers are also working to exploit the vulnerability. Would your teams know if your organisation was being targeted, and be ready for an at-scale response?

4. What percentage visibility of our software/servers do we have?

Teams should already be looking for instances of affected software, and of the Log4j component itself. This task will be easier on corporately managed assets, and harder on unmanaged ones.
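One concrete way to tackle the discovery problems above (the Background list’s “finding out what services use the Log4j component” and “finding out if these services are vulnerable”, and this question’s “finding instances of Log4j itself”) is an inventory script. The following is an added example, not code from the NCSC page: it opens every JAR/WAR/EAR, recurses into nested jars, reads the log4j-core Maven metadata for the version and checks for the JNDI lookup class. The FIXED_MIN threshold and the sample WAR it scans are constructed assumptions, not values from the page.

```python
import io, re, zipfile

FIXED_MIN = "2.16.0"  # assumed threshold (not from the page): releases below it are flagged; set to current guidance
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def version_key(v):
    """Comparable tuple; pre-releases such as 2.0-beta9 sort before 2.0."""
    major, minor, patch, pre = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?", v).groups()
    return (int(major), int(minor), int(patch or 0), pre is None, pre or "")

def scan_archive(data, label):
    """List log4j-core findings in one archive (bytes), recursing into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names and (m := re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode(), re.M)):
        version = m.group(1).strip()  # Maven metadata names the exact log4j-core release
    has_jndi = JNDI_CLASS in names
    findings = []
    if version or has_jndi:
        # Flag an old release, or an unversioned (e.g. shaded) jar that still carries the lookup class
        flag = version_key(version) < version_key(FIXED_MIN) if version else has_jndi
        findings.append({"path": label, "version": version, "jndi_lookup_class": has_jndi, "needs_attention": flag})
    for name in names:
        if name.lower().endswith(ARCHIVES):  # WAR/EAR/fat-jar nesting
            findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings

def make_jar(version=None):
    """Constructed fixture: a tiny fake log4j-core jar, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def build_sample_war():
    """Constructed WAR bundling an old, a current and a shaded unversioned jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_jar("2.17.1"))
        zf.writestr("WEB-INF/lib/app-shaded.jar", make_jar(None))
    return buf.getvalue()
```

Point `scan_archive` at the bytes of each archive found on a host (or wrap it in a directory walk) and feed the findings into the asset inventory the board is asking about.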

5. How are we addressing shadow IT/appliances?

As well as fixing corporately-managed assets, teams need to be thinking about how they will discover things that may have slipped through the net and are not centrally managed (often called ‘shadow IT’).

6. Do we know if key providers are covering themselves?

If your organisation is dependent on any particularly key suppliers (such as crucial software that runs your business, or a third party with remote admin access to your organisation), you should have an open and honest conversation with them, acknowledging that they will also be trying to understand the severity of the issue.

7. Does anyone in our organisation develop Java code?

What is their plan for finding out if we are affected? Larger organisations may be producing Java code for internal use or as products (Log4j is frequently used in enterprise Java software). Java developers may have legitimately used Log4j, so it’s important to ensure that any software written is not vulnerable.

8. How will people report issues they find to us?

Many cyber security researchers are trying to detect vulnerable software. If they find something on your estate, can they contact you easily (for example, via a vulnerability disclosure process)?

9. When did we last check our business continuity plans (BCP) and crisis response?

Verify your organisation’s end-to-end BCP and crisis response processes to minimise real world impact to the organisation should an attack be successful.

10. How are we preventing teams from burning out?

Remediating this issue is likely to take weeks, or months for larger organisations. The combination of an ever-evolving situation and the potential for severe impacts can lead to burnout in defenders if they are not supported by leadership.


As the situation evolves, we expect attacks to become more targeted. Ransomware groups may look to use Log4Shell as a method of illicit entry into organisations. Once access is secured, threat actors will then look to obtain further access in order to be able to ransom the whole organisation in a highly impactful way.


Reference:

https://www.ncsc.gov.uk/
