QUESTION
I hate to be the bearer of bad tidings right before Christmas, but I would like you to put my question on top of the others since this concerns a worst-case scenario of cybersecurity and ransomware. I am with a large regional mortgage lender, and I am the company’s CISO.
On December 20th, The Washington Post reported that a new bug was discovered called “log4j.” It was found on December 9th. This is like the mother of all computer bugs!
The article says that cloud storage companies such as Google, Amazon, and Microsoft – companies that provide the digital backbone for millions of other apps – are affected. Giant software sellers are affected, too, such as IBM, Oracle, and Salesforce. And, devices that connect to the Internet (i.e., TVs and security cameras) have been hit. Hackers can get into digital spaces and steal information or plant malicious software. This bug is virtually everywhere and affects billions of computers.
We anticipate that ransomware attackers will now have a new way to break into computer networks and freeze out their owners. I really think you should put back up the links to your Ransomware policies and checklists.
Banks or mortgage companies, big and small, accepting cryptocurrencies are also affected because they will be targeted and asked to send millions in cryptocurrency to hackers or risk being locked out of their computers indefinitely and exposing their sensitive information.
My question is, Would you provide your readership with information from the government agency that monitors and advises the public about this threat?
ANSWER
Thank you for your timely question. Given the urgency, I have prioritized it for a response. I am grateful that you have contacted us to assist in making our readership aware of this immense computer threat.
The computer bug, “log4j,” allows hackers to access deep into systems, cutting past all the typical defenses software companies use to block attacks.
The article you cite is "The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know." It was published in The Washington Post on December 20th.
The article quotes Jen Easterly, the Director of U.S. Cybersecurity and Infrastructure Security Agency, saying, “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.” You can watch Director Easterly’s interview HERE.
According to the article, “The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.”
Because you are the Chief Information Security Officer (CISO), your remit is to implement the information security program, which includes the requirements to protect system assets from internal and external threats.
The CISO has a direct responsibility to maintain the company’s security posture, which is a different task than required of the Chief Information Officer (CIO), a position that involves oversight and managing the overall systems. The CISO and CIO work together. The former is engaged in the hands-on, precise application of cybersecurity initiatives. The latter maintains the overall system comprehensiveness and usually reports to top management and the board of directors.
As of today’s date, the bug is careening through millions of computers and degrading millions of enterprise systems and Cloud services. You mentioned the threat of ransomware attacks. Indeed, I have written extensively about them as well as cybersecurity. You can read some of my posts, such as:
- Ransomware Payments;
- Large Bank Cybersecurity Challenges;
- Phishing Scams; and
- Intrusion Detection Terms.
I have published articles and White Papers on cybersecurity guidelines, one of which concerns the cybersecurity guidelines promulgated by the New York Department of Financial Services (DFS). The regulation took effect on March 1, 2017, and has been continuously updated since. The DFS has provided a model for cybersecurity guidelines in many state banking departments. For an overview, I suggest you download my article Cybersecurity Guidelines - "First-In-The-Nation" Regulation. Consider implementing similar requirements.
We provide a free Ransomware checklist. We also offer exceptional and reasonably priced policies and procedures for Ransomware as well as Cybersecurity. For more information, visit our website.
Short of letting the engineers figure out how to stop the bug, people can take several precautions, such as avoiding phishing emails that trick you into clicking a link or opening an attachment. This new bug vulnerability means that computers will be hit with many such messages as hackers plant malicious code before the computer gets a corrective patch. Also, be sure that the computer’s operating system and apps are updated.
The government agency monitoring the log4j bug is the Cybersecurity and Infrastructure Security Agency (CISA). CISA has published Emergency Directive 22-02, Mitigate Apache Log4j Vulnerability.
The agency has a continuously updated and highly technical log4j webpage. However, the webpage does include an Additional Resources section with helpful guidance, such as CISA’s Cyber Essentials.
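The lock analogy in the article points to the first practical job once a fixed version exists: finding every copy of the affected library across the estate, including copies buried inside application archives that an operating-system update will never touch. The following is an added example, not code from this column, from CISA, or from the Apache project. It walks a directory tree in Python, opens jar/war/ear archives (and archives nested inside them), reads the log4j-core version from the Maven metadata such jars carry, and checks whether the JndiLookup class is present, which is what the interim "remove the class" mitigation deletes. The version threshold MIN_FIXED_VERSION, the status labels, and the sample archives are assumptions I constructed for the demonstration; set the threshold from the vendor or CISA guidance in force when you run the scan.

```python
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterator, List, Optional

# Assumption: the lowest log4j-core version your remediation plan treats as fixed.
# Take this from the vendor/CISA guidance in force when you run the scan.
MIN_FIXED_VERSION = "2.17.0"

# Maven metadata entry carried by log4j-core jars, and the class that the
# interim "remove the lookup class" mitigation deletes from the jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def version_tuple(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


@dataclass
class Finding:
    path: str               # "outer.war!WEB-INF/lib/inner.jar" for nested archives
    version: Optional[str]  # None when no Maven metadata was found
    has_jndi_lookup: bool

    @property
    def status(self) -> str:
        """Status labels are this example's own convention, not CISA's."""
        if self.version is not None and version_tuple(self.version) >= version_tuple(MIN_FIXED_VERSION):
            return "patched"
        if self.version is None:
            return "review"                   # lookup class present, version unknown
        if not self.has_jndi_lookup:
            return "mitigated-class-removed"  # old version, interim mitigation applied
        return "vulnerable"


def inspect_archive(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    """Yield findings for this archive and for any archive nested inside it."""
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        yield Finding(label, version, has_jndi)
    for name in sorted(names):  # recurse into fat jars, WARs and EARs
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_archive(inner, f"{label}!{name}")
            except zipfile.BadZipFile:
                continue  # name looks like an archive but is not one


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and inspect every archive found in it."""
    findings: List[Finding] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def summarize(findings: List[Finding]) -> Dict[str, str]:
    """Map each archive's base name to its status, for reporting."""
    return {Path(f.path).name: f.status for f in findings}


def _fake_log4j_jar(version: str, keep_lookup_class: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: metadata only, no real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if keep_lookup_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample: an old jar nested in a WAR, a stripped jar, a patched jar."""
    lib = Path(root) / "lib"
    lib.mkdir()
    (lib / "log4j-core-2.17.1.jar").write_bytes(_fake_log4j_jar("2.17.1", True))
    (lib / "log4j-core-2.14.1-stripped.jar").write_bytes(_fake_log4j_jar("2.14.1", False))
    app = Path(root) / "app"
    app.mkdir()
    with zipfile.ZipFile(app / "legacy-app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_jar("2.14.1", True))


def run_demo() -> Dict[str, str]:
    """Build the sample tree in a temp dir, scan it, return {archive name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:24s} {name}")
```

Run `scan_tree("/opt")` (or whatever roots your application servers use) in place of the demo to produce a real inventory. The scan finds only copies of log4j-core that still carry their Maven metadata or the lookup class; jars that were shaded or renamed by a vendor need the vendor's own advisory, which is why the "review" status exists rather than a silent pass.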
I suggest that senior management review Questions Every CEO Should Ask About Cyber Risks.
Also, I recommend FFIEC's Information Security Booklet, in the Information Technology Examination Handbook. Amongst the many tools provided by FFIEC, the Cybersecurity Assessment Tool helps to identify cyber-risks and determine cybersecurity preparedness.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director, Lenders Compliance Group