The FTC Wants Companies to Find Log4j Fast. It Won't Be So Easy
January 10, 2022
On December 9, when the Apache Software Foundation disclosed a massive vulnerability in Log4j, its Java logging library, it triggered a cat-and-mouse game as IT professionals raced to secure their systems against cybercriminals looking to exploit a huge, now-known, issue. Among them were clients of George Glass, head of threat intelligence at governance and risk company Kroll. "Certain companies we spoke to knew there were applications that were impacted," he says. The problem? They didn't have access to them. "Maybe it's a SaaS platform or it's hosted somewhere else," he says. They weren't able to patch the Log4j binary itself, and instead faced a tricky decision: turn off that specific application and stop using it, potentially reconfiguring their entire IT infrastructure, or take the risk that the third-party fix would come quicker than the state-sponsored and private hackers trying to take advantage.
At the same time as cybersecurity experts were trying to figure out their exposure to the problem, they were hit with successive warnings compelling them to act more quickly. First, the US Cybersecurity and Infrastructure Security Agency (CISA) set federal agencies a deadline of Christmas Eve to root out whether they used Log4j in their systems, and patch it. CISA director Jen Easterly said that it was the most serious vulnerability she'd seen in her career.