Last Friday, a new software vulnerability with far-reaching implications was found being actively exploited in the wild. This vulnerability, dubbed "Log4Shell", affects a huge number of companies and applications and has sent many of them scrambling for answers.
The story so far
First the technical nitty-gritty: Last Friday, a major exploit in a Java library named "Log4j" was discovered being actively used by attackers in the wild. Log4j is a library that developers use in a huge number of Java applications to find bugs and issues within those programs. This vulnerability, when exploited, can allow unauthorized access to the system and potentially to a company network as a whole.
But wait... there's more!
Most larger software companies which provide software affected by this exploit began releasing patches by Tuesday morning. Unfortunately, the fix didn't last long as attackers had found ways around the published fixes by Wednesday morning. As of writing this, some companies have re-published new fixes (which may or may not last) while others are still vulnerable.
Any company that uses either a Java-based program or a program which uses elements of Java may be at risk. This may include your cloud-based software providers as well. Countless companies use Java-based programs as part of their digital tool stack. CISA, the Cybersecurity and Infrastructure Security Agency, has released a large but incomplete list of known-affected applications.
The need for a proactive approach to security
Log4Shell is the latest in a line of major exploits to have surfaced and presented a threat to businesses around the globe. But more than anything, this particular exploit highlights the fact that it's no longer enough to just use a reactive approach to IT security. It's not enough anymore to slap a copy of Norton on every machine and install a new firewall every 3-5 years.
Instead, it's time to start taking a proactive approach to things, and that doesn't just mean applying patches whenever they're released. It means paying more attention to the risk associated with the digital tools and technology your company uses, and developing and maintaining a response plan for breaches or other problem events. Today, business is technology, and technology risk is business risk and needs to be treated as such, no matter the size of your organization.
Put it on paper
Last time I wrote about including IT in your 2022 business plan. Things like Log4Shell are exactly why you do that. The risk is there; it's time to act. If you're putting together a list of New Year's resolutions for your company, put proactive IT security at the top of your list. Your future self will thank you for it.