In late December, a flaw in software that is ubiquitous around the world was reported, and it sent cybersecurity pros into a frenzy and turned the hairs of technology pros gray. There are countless articles about this vulnerability, so I am not going to go deep into the technology of what occurs. Here is what is important for us in the AV world to know about: Log4j.
Log4j is a piece of Java code that programmers stick into software in order to log what commands are being issued, so they can use this information to troubleshoot. The problem is that Log4j is willing to run any code it is given and can be forced to run that code by a specially crafted URL sent to it. The Log4j vulnerability is considered by many to be one of the most severe vulnerabilities they have ever seen. There is no exact estimate, but guesses are that it is used in millions of products around the world. Additionally, exploiting the vulnerability is actually quite easy. A simple Google search will help even the non-hackers of the world develop the string to run malicious code.
AV (which, as we all know, is a subset of the IT industry) has come a long way in the past couple of years in thinking about security. Five or so years ago, many took the stance that if something is only AV, why would anyone want to hack into it? In today’s environment, that is different — firms consider it differently. When the above vulnerability made the news, our AV team was invited into the incident response team to evaluate whether our equipment was susceptible to this vulnerability. This caused a big change in how AV is viewed by the larger umbrella, IT.
Unfortunately, we were not able to help right away because, as we researched the various manufacturers we use, they provided absolutely no information on whether their products had any vulnerabilities. The more I searched for this, the more amazed I became at the complete lack of information that manufacturers were providing. After searching the dozen or so manufacturers that are connected to our network, I found only two (still true in late December as I write this) that listed anything on their websites about Log4j. Honestly, that is inexcusable. Even if a manufacturer knows there is no issue (they never used Log4j), they should be publishing that information.
I have a few recommendations for manufacturers/developers and for an integration firm. Every manufacturer/developer should immediately develop an area on their website dedicated to security. They also should hire or assign someone in the business to be the security communication person. This person would be responsible for sharing security information with customers. The website should include any information about potential security breaches, suggestions for keeping their equipment secure and links to firmware updates or patches. Manufacturers need to consider themselves part of the IT world, and when there are concerns like Log4j, they need to address them — even if not impacted.
For other entities, such as reporters, integrators or others, there is an enormous business opportunity here. Even if manufacturers do start with what I suggested above, there are still hundreds of websites people need to visit. What if some entity became the AV security resource? Amazingly, the best resource AV pros had during this Log4j breach was a channel on Reddit! Why is there not a service that we can subscribe to that lets us review all the various companies and their responses to breaches in one place?
Along with giving information out to customers of various equipment, such a service would also pressure AV companies to be serious about security. They would not want to be the only one listed as having no information available. Along with information about what equipment may be vulnerable, this service could provide general information about security breaches, what the likely method of attack would be, risk potential for different sectors and remediation tactics. All of this could be done for an annual subscription fee.
When you develop a resource that is valuable to the community and lucrative to your company — which this would be — you surely have a winning product.