FTC to Pursue Companies That Don’t Mitigate Log4j Risk

The Federal Trade Commission yesterday issued a warning that it will pursue companies that do not take the what they are calling reasonable steps to protect customers from data exposure resulting from Log4J vulnerabilities.

J.J. Guy, co-founder and CEO, Sevco Security weighed in on the FTC's announcement:

“One of the most challenging aspects of responding to the log4j vulnerability is simply identifying the devices in an organization where log4j is used. Since it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact. Even worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to log4shell.

We are in the middle of the triage phase now, where basic tools like systems management or software management tools to check for the file on disk can provide initial triage. However, for organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage. Reporting the ‘pending triage’ statistic requires a complete asset inventory, including which machines have been successfully triaged. This will be one of the larger hidden challenges in every organization’s response because few have a comprehensive asset inventory, despite the fact it has been a top requirement in every security compliance program for decades.”