Over the next days and months you are likely to hear a lot about the ‘Log4J’ vulnerability (CVE-2021-45046).
The problem is a vulnerability in Log4J, a software logging library published by the Apache Software Foundation, which is hidden away inside many other programs and online services. Criminals are using this vulnerability now, and are likely to ramp up their ability to run mass exploitation campaigns over the next few weeks.
What could a criminal do if they find a Log4J hole in your network?
Unfortunately, quite a lot. The vulnerability allows them to upload their attack software of choice to your network. This would permit them to install ransomware, but also do things like delete backups, copy all your data or watch transactions as they unfold.
So what can be done about it?
Each software and service provider will need to work out their exposure to the problem and release a patch. Each of these will need to be applied to all devices with access to your client data as soon as they are available. It is important to note that any unpatched software will potentially leave an opening to the whole network, not just the data accessed by that program.
This includes laptops at home with staff over the holidays.
Firms will need to:
- Contact your IT provider and ask for specific advice about the vulnerability of your network.
- Keep an eye out for advice from your software suppliers advising of critical updates.
- Work out a remediation program, and how you will ensure devices which are away from your premises will be updated. Depending on your network, this might need to be done manually at set times or might be more automatic. Staff will need to know they are NOT to use devices until your scheduled updates have run.
- External IT providers are likely to be very busy, so firm owners should keep an overview of what needs to be done. If you don’t have a relationship with a regular IT provider, it is time to find one.
- Multiple updates may be required and advice may change as the situation unfolds. Tools to scan your entire system for the vulnerability are being developed. Ask your IT provider to let you know when such a tool becomes available.
- As a general rule, the less software that is on a device the less vulnerable it will be. Consider uninstalling unused programs.
- Be especially vigilant about funds transfers for the next few months. Remember that an email might be forged, even if it comes from inside your firm.
- Ensure you have a recovery and remediation plan in place:
  - Do you have comprehensive backups? (At least one copy should be taken completely offline periodically. Make sure such copies are not left lying about or in vehicles, though. Backups should be encrypted and locked in a filing cabinet.)
  - Do you have a few computers available as spares to communicate with the outside world if your network is taken down? Are these tested and software updated? Do you have all the passwords you need to access cloud services? How will you communicate with clients if your databases crash?
Check that you are covered by the QLS CyberEssentials insurance program. Check the eligibility requirements.