Log4j vulnerabilities have recently attracted widespread attention from all walks of life, and the financial industry is no exception.
Recently, SC Media published a discussion with senior banking executives from Texas Capital Bank and American Finance and with Cybereason, a cyber security provider. Many financial services organizations (FSIs) recognize that Log4j is the gift that will keep on giving this holiday season and in the coming weeks. Industry experts therefore have many opinions on how FSIs will work to mitigate the damage of this near-term threat, and on what it means for the future.
Gary McAlum, currently a board member at TAG Cyber and a former Chief Information Security Officer (CISO), said: “… Open source is so common.”
“For the financial sector, this is a particularly serious problem,” McAlum said. “And I won’t say there is room for overconfidence.” FSIs of all sizes should implement incident response plans to mitigate the potential impact of Log4j, keeping in mind that this cyber incident may have a ripple effect through third-party and fifth-party providers. “There is an environment of overlapping controls… which means [IT security professionals] need to be methodical and focus a lot of their attention here.”
“The most difficult thing is to go through a complex supply chain,” McAlum said, adding that financial regulators will also call on FSIs as they go through this process, seeking updates and asking about potential risks and mitigation actions.
“The financial sector responded well, quickly and focused, and understood [Log4j]. Most of the time, when such news comes, it is not the first time that financial institutions have heard of it,” he added. “They obtain data on vulnerabilities from various sources.”
“When it hit CNN, most of the FSIs’ wheels were already spinning,” McAlum said.
Nick Santora, CEO of Curricula, an IT security awareness training service, noted, “Log4j gets a lot of attention because this is the first time a vulnerability of this scale has been exposed. This is the latest and greatest product that affects many industries.”
He added: “This is another incident that shows how unprepared most organizations are when an incident like Log4j occurs.”
Santora, who has worked in the protection of critical infrastructure in the U.S. federal government for ten years, pointed out that “Log4j has affected many traditional industries that rely on Java.”
“Most of the affected organizations are on legacy systems. This includes financial services, the energy sector, transportation, all classified as critical infrastructure by CISA,” Santora said. “Ironically, when a patch was introduced for Log4j, it exposed another vulnerability. If you are running a complex system, you cannot directly apply patches like band-aids, nor can you shut down the system like restarting a machine.”
So, what should financial institutions do in the face of this overwhelming cyber threat?
“You need to have a planned maintenance process that includes analyzing the affected systems, testing them in a non-production environment, and then planning an outage to roll out the patch. If all of this does not go as planned, then there is a way to roll them all back,” Santora said. “So when things like Log4j happen, most companies have no plan for what they are going to do. They have to shut down the services they provide to make sure they can patch it correctly. This is critical to the organization’s mission-critical and underlying legacy systems. It’s not easy to say.”
Santora acknowledged that, since critical infrastructure is not covered by a single compliance framework for patch management, formal incident response and patch management processes may be more complicated for FSIs.
“Log4j is distributed across a range of industries, some of which are not regulated on patch management, and have never had to deal with something on this scale, shutting down all systems to update it and fix vulnerabilities,” Santora said, adding that incidents like Log4j emphasize that FSIs need to develop an incident response plan that takes such events into account.
“There will now be more emphasis on building a community of trust among vendors, because you want to know that your software provider is doing the right thing for cyber security. Cross-contamination between communities is a real problem,” Santora said. “We must build trust in the private sector and believe that we are all doing the right thing.”