May Contain Traces of Log4j: Risk Management Strategies for Tech Firms
January 25, 2022
It’s only been a month and experts are already calling the Log4j vulnerability one of the greatest security disasters of our time. Given the prevalence of Log4j software, it’s impossible to know just how widespread the effects will be—millions of websites, systems, and servers could be at risk.
As a Tech Leader, your firms’ defences might already be top-notch. But even if you’ve patched your systems, there’s still a possibility hackers have already infiltrated your network and left malware for future attacks. And between service outages, legal woes, and reputational harm, the fallout from a major privacy breach or ransomware infection could easily cripple your business. Without an adequate cyber risk management strategy, you might never fully recover.
Response protocols will remain in flux as the situation evolves. For now, the best course of action is to correct the vulnerabilities we know about and prepare for the challenges that lie ahead. After all, remediation is an ongoing process; patching is only the first step. To help you out, we’ve put together the best practices for tech firms to minimize operational disruptions and improve organizational resilience throughout the Log4j crisis.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
How will the Log4j crisis affect your insurance?
It’s too early to tell how insurance companies will respond to the Log4j crisis, but the heightened cyber risk introduced by these security flaws might make it even harder for you to qualify for insurance, especially if your firm is heavily reliant on the Log4j code.
Here’s why: it’s likely that the security flaws in the Log4j software will lead to an upswing in ransomware events. But after years of mounting breach costs, insurance companies have become increasingly wary of how much risk they can take on. As a result, they’re now restricting coverage, raising premiums, and enforcing baseline cybersecurity controls for businesses before they can obtain Cyber Insurance. To learn more about the requirements, click here.
As a tech firm, we know you have security under tight leash. In fact, your baseline controls might even exceed insurance companies’ requirements. But use of Log4j might increase your risk profile to insurance companies. Much like the breach of Microsoft Exchange servers last year, some insurance companies may grant coverage but opt to exclude any claims related to Microsoft Exchange, while others may elect to deny coverage to organizations entirely.
PRO Tips for Cyber Risk Management:
Whether they build it or purchase it, everyone uses software—and that means everyone is vulnerable to some extent here. And despite the security flaws, most salespeople will insist their software is clean no matter what. Even worse? Vendor assessments don’t usually include protocols for measuring software vulnerabilities in their programs so it’ll be tricky to identify whether or not systems are even compromised.
In this day and age, you’ll need more than good security to protect your firm; you’ll need new ways of prioritizing and mitigating cyber threats and a more proactively vigilant stance toward risk management to become truly resilient to attack. The tips below can help you get started.
1. Patch your systems immediately.
To offset these challenges, collaborate with your IT teams to determine your levels of exposure, identify affected assets, and apply security patches to all software, particularly those that are Internet-facing or used by other clients; this is critical if anyone in your organization develops Java code. Be sure to seek vendor guidance on appropriate mitigations as needed. Monitor your systems continuously for evidence of exploitation or compromise. Report any instances of exploitation to the Canadian Centre for Cyber Security (CCCS) and notify all affected parties.
For more technical guidance, please consult the following resources:
CISE Security: Log4j Zero-Day Vulnerability Response
Cybersecurity Infrastructure and Security Agency (CISA): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
2. Develop a long-term strategy.
Work towards a long-term strategy that will help you protect your organization comprehensively. According to the UK’s National Cyber Security Centre, all business leaders should be thinking about:
How to assess organizational exposure and detect cyber threats;
Protocols to improve visibility across all software and servers;
How to mitigate the risks of working with third-party service providers;
How to build a cyber-aware workforce;
Breach reporting and notification measures;
Formal incident response, remediation, and business continuity plans to limit impact; and
How to support IT teams and staff throughout the duration of this crisis.
The sooner you can establish a plan, the sooner you can act at the first sign of compromise.
3. Bolster your cyber hygiene.
Implement proper security tools to limit the chances or extent of a breach. The right safeguards for each company will vary, but, at minimum, every organization should:
Run a detailed audit of all applications, websites, systems, and backups. Prioritize those that contain sensitive information, like client data or login credentials.
If needed, assign additional staff to review logging data.
Install a Web Application Firewall (WAF) to block malicious activity. If you’re already using one, add specific rules that apply to Log4j.
Strengthen your endpoint detection and response (EDR) solutions to monitor for Log4j exploitation, malware, or any kind of suspicious behaviour on all systems and devices.
Encrypt all confidential data-in-transit and at-rest.
Ensure that your end-to-end antivirus and malware scanning begins at the endpoint and extends to any local network and cloud applications.
If you haven’t yet, deploy multi-factor authentication (MFA) on all business-critical services, including corporate email accounts, VPNs, financial accounts, and any other endpoint where sensitive information is stored or transmitted.
Retire any software or firmware that is no longer supported by the vendor (like Windows 7 or Internet Explorer) since there won’t be any future security patches or updates coming.
Limit external network connections to trusted hosts and networks for the time being.
Monitor all internal activity. Enforce the principle of least privilege and remove unnecessary accounts and groups.
4. Improve user education.
Continuous patching is more important than ever. Ensure all employees, especially those working remotely, regularly update their personal devices and routers, which are easy entry points for cybercriminals to access corporate networks. All employees should understand the role they play in breach prevention and undergo regular security awareness training on:
How to handle sensitive data and use software safely;
What cyber threats your organization faces and how to detect them; and
How to recognize and report signs of a data breach.
5. Keep records.
Keep a detailed inventory of all systems under investigation and how they are patched throughout the remediation process. Why? Threat actors may infiltrate a program and then patch it to cover their tracks. In the event of a breach, network and system documentation will help to identify which assets have been compromised.
Additionally, work with your IT experts to create a Software Bill of Materials (SBOM) for all existing software and any new products your organization develops or implements. An SBOM is a formal list of all components, embedded code, protocols, among other details, in a given program and will highlight your exposure to Log4j, or any other new vulnerabilities that may arise going forward. SBOM usage is already a requirement in the US and will likely become a common practice everywhere else. For more information on how to create an SBOM, click here.
6. Reach out to your third-parties.
Cybercriminals could easily access your network through a gap in the supply chain so be sure to assess the security of all third-party vendors and service providers your organization partners with. Ask all vendors about their exposure levels and response efforts. If needed, work with them to determine impact and monitor the situation. If your vendors are unable to apply security patches in a timely manner, consider disabling the systems that use Log4j until updates are made.
Going forward, re-evaluate your vendor relationships and make sure they’re in line with your organization’s cyber risk management plan. All third-parties with access to your network should operate with least privilege and have cybersecurity measures in place that are at least as good as your own. Perform annual audits to validate that these standards are upheld.
7. Support your IT staff.
After two years of dealing with remote work transitions and troubleshooting, IT teams are exhausted. Between the stress of the pandemic and Log4j remediation now, technical staff may be feeling overworked and burned out, especially if they’re not being adequately supported by senior management.
We know the Log4j flaws will keep your IT teams busy for the foreseeable future, but be careful not to neglect your staff’s needs during this time. Instead, try to lead with compassion and transparency. Communicate openly and collaborate with staff to come up with a reasonable timeline for execution. Set clear expectations, but ensure your team has the space and flexibility they need to rest and recover.
8. Be vigilant.
Don’t get complacent. Even if the coast is clear, keep reassessing your environment as new information becomes available. Maintain a regular patch process and continue to monitor your networks and servers for suspicious activity. This way you can detect and stay on top of intrusions as they unfold.
9. Invest in Cyber Insurance.
Cybersecurity is critical for breach prevention and detection, but insurance can help you get ahead of a crisis without losing business momentum or taking a massive reputational hit. And although insurance companies have reduced their coverages for ransomware attacks, a Cyber Insurance policy can still cover other expenses in the event of data theft, including legal fees, defence costs, damages, and more. Plus, a comprehensive policy also help you access:
Funds for legal expenses and third-party damages;
An IT forensic investigations team to help you determine the size and scope of the breach;
A breach coach to advise you on regulatory compliance, guide you through the legal process of navigating a breach under attorney-client privilege, and tell you what to report, how, and when;
Funds to set up credit monitoring and client notification for affected parties; and,
A team of PR consultants to help you manage reputational damage.
10. Consult with a risk advisor that specializes in the technology sector.
For more guidance on this rapidly evolving situation, connect with PROLINK. With nearly 40 years of experience and over a decade of serving technology firms, a licensed broker like PROLINK can help you navigate industry trends, adopt a proactive approach to risk management, and become resilient in the face of attack.
Our dedicated team of risk advisors will:
Provide you with a panoramic view of your business landscape;
Help you stay on top of emerging risks and unique threats that could affect your organization;
Share what steps others in your industry are taking and advise you accordingly;
Leverage our risk management and insurance solutions to help you retake control and meet your strategic objectives.
To learn about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today for more guidance!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.