Log4j is a Java-based logging utility that records activities in a wide range of systems found in potentially billions of devices worldwide. Recently, a new Log4j vulnerability has posed a huge risk to millions of consumer products, enterprise software and web applications. The director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) calls it the most serious vulnerability she has seen in her decades-long career.
Align’s experts have consolidated the most salient points around the vulnerability below:
What you need to know:
- The vulnerability, named Log4Shell, has upended federal agencies and the infosec industry, putting hundreds of millions of devices and systems at risk.
- The Log4j vulnerability can allow even unsophisticated threat actors to take remote control over the full range of devices, from consumer gaming devices to enterprise systems.
Notable Industry Developments:
- CISA released general guidance for vendors and affected organizations to immediately identify, mitigate and apply software updates.
- On Jan 4, the FTC warned companies to follow CISA’s guidance on Log4j to remediate the security vulnerability immediately or they may face “legal action.” The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from this exposure, or similar known vulnerabilities in the future.
- The SEC updated its Cybersecurity Resources and referred registrants and investors to the CISA site for guidance.
- On December 14, 2021, FINRA released Regulatory Notice 21-42, “FINRA Alerts Firms to ‘Log4Shell’ Vulnerability to Apache Log4j Software”, reminding firms to have written policies and procedures that are reasonably designed to safeguard customer records and information according to SEC Regulation S-P Rule 30, and providing a series of “Next Steps” to follow.
Key Takeaways From Align Experts:
- John Araneo Esq., Managing Director of Cybersecurity & General Counsel: Even if fund managers outsource their IT services, it does not mean they are immune from these risks and these types of vulnerabilities. That's why Align's Managed Services Platform treats cybersecurity compliance as a multi-factorial issue that requires a multi-disciplinary approach, technologically, operationally and on security and compliance levels.
- Vinod Paul, Chief Operating Officer: It seems the cybersecurity world was taken by surprise by the Log4j vulnerability, further demonstrating that there is no “silver bullet” against vulnerabilities and that, in fact, fund managers must leverage many layers of security to put themselves in the best cybersecurity posture.
- Alex Bazay, Chief Information Security Officer: It is imperative for every fund manager to understand its third-party providers and have an up-to-date catalog and inventory of all software packages in use. A robust vulnerability management lifecycle will help to identify and patch critical systems in a timely manner and reduce the risk of potential compromise.
Align Cybersecurity™, Align's leading-edge cloud services and robust cybersecurity advisory practice, can help safeguard your business from these kinds of breaches. It assesses and addresses evolving cybersecurity threats, and allows our clients to create customizable solutions that mitigate risk and compliance burdens while empowering secure, agile, mission-critical services.