In a recent post, the Federal Trade Commission warns of potential legal consequences for organizations who do not "mitigate known software vulnerabilities". Due to the fallout of the recent Log4j exploits, it was noted that the vulnerability poses a severe risk to millions of consumer products to enterprise software and web applications, and the failure to take action/mitigation could be considered an FTC violation.
Citing the FTC and Gramm Leach Bliley Act (GLBA) as part of the laws implicating the "duty to take reasonable steps", the statement has many organizations concerned about how to move forward and protect data with future vulnerabilities.
While some may consider this statement as a first step to being proactive, the actions also speak to the significance of cybersecurity posture and the onus on businesses in cybersecurity.
Updating Log4j software package to the most current version
Consulting CISA guidance to mitigate this vulnerability
Ensuring remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act
Distributing the information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable
Though it may appear as such, achieving and completing the recommended steps of updating, mitigation, and remediation does not have to be a daunting task for organizations.
1. UPDATING & MONITORING
Ensuring that all systems are patched, and security solutions are up to date is one of the first steps organizations may need to take. Updating to the latest Log4j software package is of course crucial, but this can also be a step in direction of the mindset for overall cybersecurity posture. The prevention of unknown and unwanted change via real-time monitoring is the end goal of cyber hygiene and cybersecurity practices.
Vendor risk management is often overlooked; however, making sure security solutions are current/up-to-date can be accomplished with a file integrity monitoring tool. Additionally, the FIM software utilized should ensure System Integrity Assurance, providing organizations the ability to identify malware and threats seconds after a system is attacked. This allows for the proactive, preventative approach, one that stops the exploits at the source.
The CISA guidance for the Log4j vulnerability is crucial for organizations to recover and move forward with securing risk. Additionally, continuous visibility and control of configuration management is the crux of risk mitigation. Configuring and working from a trusted baseline is pivotal as many begin with this proactive process.
Trusted baselines are not limited to just configuration settings as they also include assets and file hashes. File integrity monitoring software should leverage best practices and authoritative sources such as STIGs and CIS Benchmarks to establish a known and trusted baseline. Additionally, the FIM software should be able to restore to the trusted baseline at any point in time, providing System Integrity Assurance.
Ensuring remediation steps are taken by an organization so as to not violate FTC practices is not to be taken lightly. Though the below is an excerpt of the GLBA Safeguards Rule regarding the comprehensive infosec program needed, the goal is clear — system integrity is at the crux of what is needed by organizations for safeguarding information.
"The GLBA Safeguards Rule must be designed to ensure the security and confidentiality of customer information, protect against anticipated threats to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in harm ..."
In order for organizations to be able to remediate risk and take preventive action against potential exploits, keeping systems secure is key.
Understanding when the state of assets within an IT infrastructure has changed is not impossible, as this is just the integrity of the assets. CimTrak helps organizations stabilize and ensure that the integrity of their assets has not changed over time. This allows for the guarantee of the integrity of those assets, providing true mitigation of threats. Learn more about CimTrak and System Integrity Assurance today.
January 6, 2022