Podcast: Log4j Vulnerability... Fake news?
The Log4j vulnerability has been blowing up this past week. James and Taylor break down why the news loves this story and if you should be worried. The team turned on the mic at Centre's holiday party to break down the latest bits that hit the fan.
All right, so in most of the breaches we hear about in the news, almost all of them are an actual outage. Somebody's actually hurt. In this case, it's a vulnerability that's known, a patch is available, and nobody's really been hurt by it. There were plenty that they received espionage threats from China, from Russia; I think Iran is- is threatening to do some ransomware from it, but no one's actually down. It's just a vulnerability. So why is everyone freaking out about it?
The next thing on- on my mind on this topic is if you've been to the internet and cemented some planted — cement? What's that word? Submitted! Submitted information on the internet with the intent to get back files or a webpage, it's likely Apache software in the backend. Log4j, the logging software that's providing that data back to you. If it's taken over correctly by cyber-terrorists or bad actors, then there's [an] even better chance that you're gonna wind up having someone take over your systems or read your information. So if you build your own software leveraging Apache and not IIS, or leveraging Apache with logging software on it, then there's a swell chance that you are indeed in danger of this, but you're probably not currently at risk of something negative. Just patch it. Just need to patch it. [Do] you know what the patch is called? Log4j2.
Log4j 2 came out about a month ago. So, let's just pretend for a minute that we are hourly workers. If I were an hourly worker, I'd put my time clock in when I got in every day. When I left, my lunch break would be listed there. That's likely hosted by a company called Kronos. Have you heard of Kronos? [Has] anybody heard of Kronos before? We got a new guy at the table, he's being quiet, he's not raising his hand. Recently out of college, has not yet had to deal with Kronos. But, most of you veterans who are listening today, y'all know Kronos. Kronos is currently so impacted by it, they pulled their systems from the wall. They're down so they're telling people to prepare for our- for paper paychecks for all the people they support because they can't do it.
Think about if you use VMware. If you've got a firewall that's got a portal to it, that you get into, or an internet system, odds are they use Apache, and Log4j's probably part of it. So if that was down, what would happen to your business? That's the big fear. It isn't the direct issue of having to patch Apache in your environment, it's what happens when the systems that you rely on day in, day out go down because of a product you've never heard of. Taylor, you wanna hear a funny joke?
Now, let's just say something did get past that just being a vulnerability. You're actually breached by it. Well, good news. If you have a proactive threat hunter, it would have found that without a human element to it. Worst case, if that failed, then you could leverage your clean copy of data to get up and running.
Ariel, you just tapped me on the shoulder with some great knowledge. What did you just say?