NASCUS offers resources for dealing with Log4j vulnerability

(Dec. 23, 2021) The revelation of the “log4j” computer vulnerability made headlines this week, and NASCUS followed up by posting on its cybersecurity alerts and responses web pages guidance from federal agencies on how to protect against exploitations of the weakness.

Late last week, the federal CyberSecutiry & Infrastructure Security Agency (CISA) released a directive ordering federal civilian executive branch agencies to address vulnerabilities of log4j, a component widely used in Java scriptwriting for computer routines, including on websites and in applications. The component holds a “critical remote code execution” (RCE) vulnerability that computer and network security officials have found is being exploited by hackers. CISA described the hacks as “active, widespread exploitation.”

Friday’s directive, according to CISA, requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately.

By the beginning of this week, news about the vulnerability was reported widely in the press, with some headlines stating the vulnerability could be the “most serious in decades.”

Federal civilian agencies have until Friday to complete patching for log4j, according to press reports.

But that may not be enough, according to cybersecurity experts, as by then hackers may have already found their way into systems using the code.

In the meantime, users are advised to be on the lookout for phishing emails (and many of them) – and NOT to click on any links. For example, in response to an email claiming that an account has been compromised or a package failed to deliver, a user should ensure first that an account actually exists with that company and the user was expecting an email. Then, the user should find a real customer service number or address online and reach out in either (or both) of those methods.

Additionally, updating systems and apps with patches provided by software developers is the best defense, according to security networks.

LINK:

NASCUS Cybersecurity Alerts & Resources: Apache Log4j Vulnerability Guidance

Related topics: , ,

Related News

TransUnion Report: 2024 State of Omnichannel Fraud

Trends and insights for enabling trusted commerce Global digital transaction growth following the pandemic pushed fraud to new heights in 2023. Identity-based fraud is accelerating as cybercriminals harvest more stolen…

News Klarna to launch credit card offering in the US “over the next few months”

Following successful debuts in Europe, Swedish buy now, pay later (BNPL) firm Klarna is now preparing to extend its credit card offering to consumers in the US. Klarna Card to launch in…

CFPB Takes Action to Stop Illegal Junk Fees in Mortgage Servicing

Homeowners forced to pay for “services” that were prohibited or unauthorized. The Consumer Financial Protection Bureau (CFPB) today published an edition of Supervisory Highlights describing the agency’s actions to combat junk fees…