By Tony Zafiropoulos
Cybersecurity is not easy. Software and hardware are developed by humans and are not perfect, and there are always people who try to take advantage of those imperfections in order to attack. So cybersecurity belongs in whatever risk model you build for the year. What are you planning for this year? Are you planning for expansion or contraction? Trying to stay the same as before the pandemic started?
In the computer world, there is a unique back and forth happening. The “dance of researchers and criminals” is the constant search, by both sides, for vulnerabilities in the software and hardware everyone uses. Each group has plans for the new year.
The criminal is looking to make more money than last year. They have to try to create more mayhem with better malware (malicious software) and ransomware. At the same time, cyber researchers are interested in staying a step ahead of the criminals. Both groups are feverishly looking at programs that everyone uses in order to try to break them. Every so often, someone succeeds, and then the real race begins.
The book I wrote is an attempt to help people who may not believe that this topic is important. It is designed to get you started in risk management for your IT (information technology) assets. Did you know that you are supposed to do risk management for PCI compliance if you accept credit cards in your business?
Log4j: New Vulnerabilities for the New Year
At the end of 2021 a critical vulnerability was disclosed in Log4j, the Apache logging library (tracked as CVE-2021-44228 and widely called Log4Shell). The software that bundled it had been vulnerable all along; the disclosure simply made that known to everyone at once, attackers included. Exploitation attempts were seen within hours of the public disclosure and kept growing over the following weeks, so there was no quiet grace period.
Software vendors that were paying attention updated the library in their products and issued patches within days. Some vendors did not, and some customers never applied the patches they were offered. Whoever is left running the vulnerable library pays the cost, because criminals exploit any newly disclosed vulnerability for as long as unpatched systems remain.
If you are trying to defend your environment, the image above shows all of the tasks that have to happen before one is safe from vulnerable software. The vendor has to agree there is a problem, then develop a fix, test it, and push it out to their customers. It is then your job to install the upgrade, on every system and in every product that bundles the library. Only after the patch is installed successfully, and you have verified that no vulnerable copy remains, are you safe from that vulnerability.
Will you defend your environment? Are you going to test your environment to see if your software or hardware is running Log4j? Log4j is deceptive because it is not a program you install; it is a Java library packaged inside other software’s JAR files, often nested inside WAR or EAR archives, so it never appears in a list of installed applications. Java applications and appliances that bundle it are the ones affected: Apache Solr was one widely reported example, while the Apache HTTP Server itself is written in C and does not use Log4j, although Java applications behind it often do. Attackers are working on exploits right now. If you first hear about a vulnerability like this in the news, you are already behind.
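One way to answer the question “is Log4j running here?” is to search the disk for the library itself rather than for an installed program. The script below is an added example for this article, not code from the author, the book, or the Log4j project. It walks a directory tree, opens every .jar/.war/.ear/.zip it finds, recurses into archives nested inside them, and reports each copy of log4j-core it sees: the version recorded in the Maven pom.properties entry that the official jars carry, and whether the JndiLookup class (the component behind CVE-2021-44228, and the one the project’s documented mitigation removes from old versions) is present. The version thresholds it flags against (2.17.1, plus the 2.12.4 and 2.3.2 backports for older Java runtimes) are the fixed releases published by the Log4j project; the sample archives it builds in a temporary directory, and the file names inside them, are constructed for the demonstration.

```python
# Added example for this article (not the author's, the book's or the Log4j project's code).
import io
import itertools
import os
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The lookup class behind CVE-2021-44228 (Log4Shell), and the Maven metadata entry
# that official log4j-core jars carry (it states the version).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str               # outer file, nested entries joined by " -> "
    version: Optional[str]  # None when the jar has no Maven metadata (repackaged copy)
    jndi_lookup_present: bool

def _parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), so pre-releases sort low."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def needs_attention(f: Finding) -> bool:
    """Flag copies below the Log4j project's fixed releases: 2.17.1 (Java 8+), 2.12.4
    (Java 7 branch), 2.3.2 (Java 6 branch). No version metadata plus a JndiLookup
    class means a repackaged copy of unknown age: flag it for a manual look."""
    if f.version is None:
        return f.jndi_lookup_present
    v = _parse_version(f.version)
    baseline = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}.get(v[:2], (2, 17, 1))
    return v < baseline

def _scan_zip(zf: zipfile.ZipFile, label: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        out.append(Finding(label, version, has_jndi))
    for name in names:  # recurse into bundled archives (WEB-INF/lib, fat jars, ears)
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_zip(inner, f"{label} -> {name}", out)

def scan_tree(root: str) -> List[Finding]:
    """Walk root and report every log4j-core copy found inside any archive."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_zip(zf, path, findings)
                except zipfile.BadZipFile:
                    continue  # has the extension but is not a zip
    return findings

def _fake_log4j_core(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: Maven metadata plus a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """Constructed sample: a vulnerable copy hidden in a war, a patched copy, a clean jar."""
    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.17.1"))
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")

def run_demo() -> List[Finding]:
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for f in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()):
        flag = "UPDATE" if needs_attention(f) else "ok"
        print(f"{flag:6} version={f.version} jndi_lookup={f.jndi_lookup_present} {f.path}")
```

Run it with the directory to scan as its argument (the application server’s install and deployment directories are the usual places); with no argument it scans its own constructed sample, which reports the 2.14.1 copy buried in the war as UPDATE and the 2.17.1 copy as ok. A copy that was shaded or repackaged without pom.properties shows version=None and should be checked by hand, and the scan only sees archives on disk: jars loaded from memory, unpacked into class directories, or fetched at startup are out of its reach, so treat a clean result as one input to your inventory rather than proof of absence.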
The Dance of Researchers and Criminals
This complex environment is why many people just ignore cybersecurity risk management. You may be asking yourself– why does this matter to me?
Unfortunately, if you do not have a consistent policy and a concerted effort to ensure everything is updated, the risk of a ransomware attack increases. What happens when your IT department is on vacation or off for the holidays? Some servers require testing and a reboot to update, which means many hours of work. IT departments burn out if the labor hours for this work are not budgeted.
As you may know, risk is constantly increasing. In the meantime, everyone is conditioned to ignore bad news. So, what happens? Nothing, yet everything. Nothing seems to be happening, and we think the environment is okay. But an attacker may already be inside your systems, and no one has noticed.
If you are not actively working to clean up all the issues in your cybersecurity environment, hackers will get in eventually. Hackers have lots of money and resources, and are looking for opportunities everywhere. This kind of an adversary requires an environment that is tested consistently.
You may not have noticed, but hackers are getting the upper hand more and more. This is basic attack theory: it is always easier to launch more attacks than to build defenses, because the attacker needs only one unpatched way in while the defender has to cover all of them. Your IT department needs help to shore up risk management. And this is exactly where my book will help you.
The hacker/defender dance is discussed in more detail in my book. More strategies are revealed to give your IT department the tools they need to defend your environment. The vulnerability attack timeline is reviewed, as it is the crux of cybersecurity.
Hopefully, you will give your IT department resources so that your IT people do not burn out. Remember, patching or upgrading computer systems that need to work 7 days a week, 24 hours a day, 365 days a year is a marathon and requires planning and a consistent system.
Tony Zafiropoulos is a CISA (Certified Information Systems Auditor) at FixVirus. To learn more, visit fixvirus.com.
About the Book
Too Late, You’re Hacked! – Defending Your Small Business’ Computers and Networks is written for small businesses with a limited understanding of IT (Information Technology) that encounter cybersecurity challenges. This book introduces critical IT terms and concepts in today’s complex digital age, and it is intended for owners or professionals handling their business’ IT department with narrow expertise.
To order Too Late, You’re Hacked!, click here.