(reading time: 3 minutes)
The timing of hackers: why Log4J may well lead to a dark Christmas
Two years ago, the management of Maastricht University received a call, shortly before Christmas dinner. It turned out that the University had been the victim of a ransomware attack, which caused the network infrastructure to go down and things like theses, exams, teaching schedules and applications to suddenly become unavailable.
The continuity of the university was at stake and the university ultimately chose to pay the attackers so that it could access its data again. But it didn’t stop there; remedial work in the following weeks cost another 1 million euros.
Log4j: calm before the storm?
The hackers’ timing is not coincidental. Statistically, most hacks take place at times when it is known that staffing levels at companies and organizations are low, such as at weekends and during vacations. Hackers also know that fewer staff are present, and less attention is paid to them. Just like regular burglars.
In that respect, the announcement of the log4j vulnerability this week is bad news. The Department of Homeland Security in the US called it the largest, most critical software vulnerability of the past decade.
The library is really in everything, although companies often lack insight into where exactly. The alarm has already been raised on a large scale, since this vulnerability is widespread, relatively easy to exploit, and gives remote control over a system.
There is a clear pattern in the behavior of hackers. Since the vulnerability was discovered, there has been widespread scanning worldwide. By means of scans these malicious parties establish which systems on the Internet are vulnerable. At the same time, they make sure to keep future attacks under the radar as much as possible.
There are legions of impact scenarios that organizations can fall victim to, and this is different for every organization. It ranges from Nation State and Advanced Persistent Threats (APT) to stealing classified information. However, ransomware is a threat that almost everyone should be concerned about. The log4j vulnerability, in its overall magnitude, is going to cause a lot of headaches in the coming months and possibly even years.
This means that for many IT departments, the dark days before Christmas will be extra dark this year.
However, there is also a bit of a calm before the storm: we can expect the real problems to appear between Christmas and New Year’s Eve. Hackers don’t care about the Christmas spirit … or perhaps give it their own meaning!
(Lack of) insight
Every company can become the victim of a security incident, but few companies know to what extent they are at risk. They are also unable to regularly measure security hygiene to get an indicator of this and whether basic measures such as updates, back-ups and security awareness of their employees are in order.
This lack of insight leads to companies not knowing what security investments to make and how effective they are, it is unclear who is responsible for what, and in the worst case, companies lose important data, which can result in direct customer loss.
To better manage Information Security and continuity of your business, you require continuous insight. Continuous insight into your vulnerability management, security responsibilities and end-user awareness, but also into your threat profile and business continuity.
By continuously optimizing these processes in your company, and regularly reporting metrics within an insight framework, security becomes an integral part of your business operations and the accountability for it is widely supported.
In the future, this will make situations like log4j more understandable and manageable within your organization.
We wish everyone a peaceful Christmas and best wishes for the New Year. If you have new year’s resolutions for 2022, we hope that continuous security insight is on your list.
On behalf of Soapbox Security,