Do I need to do anything about Log4J? Advice for small business owners
Log4J: you have probably heard about it, but what is it, and as a business owner, do you need to act?
Every few years a critical security weakness takes the world by storm. The previous one you may have heard of was dubbed ‘WannaCry’; it disrupted much of the NHS as well as thousands of UK and global businesses. Log4J is a piece of logging software built into a huge number of the internet’s websites, online services and infrastructure, and the critical weakness found in it (known as Log4Shell) affects all of them. In this article we will skip the technical details and jump to why it is important to act, and what actions you can take.
Why is Log4J critical?
Critical security weaknesses such as Log4J and Wannacry have a few things in common:
1. They are trivial for cyber criminals to take advantage of: no sophisticated tools or expert knowledge is needed.
2. They can be exploited without the criminals needing any permissions, such as an administrator account on your website.
3. The impact of exploitation can be extremely high.
“Log4J is akin to someone figuring out that mailing a letter into your postbox, with a specific address written on it, allows them to open all your doors in your house.”
What impact could it have upon your business?
If your business runs a website or an online service, or provides digital products, you may need to act. By not acting, you could be leaving your digital business open to exploitation by cyber criminals. For example, they could take over your website and redirect your customers to malicious websites, or take your digital business offline and demand a ransom. Log4J is already being exploited, and there is evidence that it was being exploited a full week before the critical weakness was even made public.
The US Federal Trade Commission has even warned that US firms could face legal action if they do not take reasonable steps to secure customer data against the Log4J weakness.
What to do about it?
If you think your business could be affected, ask your website provider, IT provider and other suppliers what they are doing about Log4J. You can also check your own website with one of the free Log4J tests provided by the ethical security research community. The test generates a short string of characters; you copy and paste it into text fields on a website you own (enquiry form boxes, search fields, the username box on a login form and so on), then follow the link provided by the test site to see whether your website reached out to the tester’s server, which means it is affected. Only run this against websites you own or have permission to test. A clean result is not a guarantee of safety: the test can only detect the weakness where the text you pasted ends up being logged by a vulnerable component, so ask your provider to confirm the Log4J version in use as well. If the test shows your website is affected, get in touch with your website provider or a security firm for guidance; the site may already have been compromised.
If the above tool is too technical, Kloudwerk’s free website security check includes a test for Log4J. Simply fill out the form and we will get back to you within 48 hours, advising whether there are any serious problems with your site and what to do about them.
For a list of questions to ask your website provider or any technology supplier, you can create a free account with SecurityScorecard and send up to five questionnaires using their Atlas questionnaire tool. Ultimately, any affected websites, services or providers need to update Log4J to version 2.17.0 or later, as the critical weakness exists in earlier versions of the 2.x series (Apache also publishes separate fixed releases for suppliers still running older versions of Java). More information can be found on the Apache Log4J website.
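Whoever runs your servers can verify the version claim rather than take it on trust. The script below is an added example written for this article, not a tool from the original page or from Apache: it walks a directory, opens every jar, WAR and EAR file it finds (looking inside them for bundled copies of log4j-core, which is where web applications usually carry it), reads the version from the library’s own `pom.properties`, and reports each copy as patched (2.17.0 or later), mitigated (older but with the `JndiLookup` class removed, a common stop-gap) or vulnerable. The sample jars are built in a temporary directory by the script itself with synthetic contents; they are not real Log4J releases.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# The 2.x release the article tells affected sites to move to. Branch-specific fixes for
# older Java versions (2.12.x, 2.3.x) are NOT modelled here and will be reported as vulnerable.
FIXED_VERSION = (2, 17, 0)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def parse_version(pom_properties: str) -> Optional[Tuple[int, ...]]:
    """Turn the 'version=2.14.1' line of log4j-core's pom.properties into a comparable tuple."""
    match = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(part) for part in match.groups()) if match else None


def inspect_archive(data: bytes, location: str) -> Iterator[Dict[str, object]]:
    """Yield one finding per log4j-core copy in an archive, recursing into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = set(archive.namelist())
        if POM_PROPERTIES in names:
            version = parse_version(archive.read(POM_PROPERTIES).decode("utf-8", "replace"))
            has_jndi = JNDI_LOOKUP_CLASS in names
            if version is None:
                verdict = "unknown"          # no parseable version: check by hand
            elif version >= FIXED_VERSION:
                verdict = "patched"
            elif not has_jndi:
                verdict = "mitigated"        # JndiLookup.class stripped; still update
            else:
                verdict = "vulnerable"
            yield {"location": location, "version": version,
                   "jndi_lookup": has_jndi, "verdict": verdict}
        for entry in sorted(names):          # WEB-INF/lib, BOOT-INF/lib, fat jars ...
            if Path(entry).suffix in ARCHIVE_SUFFIXES:
                try:
                    yield from inspect_archive(archive.read(entry), f"{location}!{entry}")
                except zipfile.BadZipFile:
                    continue


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Inspect every archive below root and collect the findings."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in ARCHIVE_SUFFIXES:
            try:
                findings.extend(inspect_archive(path.read_bytes(),
                                                path.relative_to(root).as_posix()))
            except zipfile.BadZipFile:
                continue
    return findings


def make_log4j_core(version: str, include_jndi: bool) -> bytes:
    """Build a synthetic log4j-core jar (constructed for this example; not a real release)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not a real class
    return buffer.getvalue()


def build_sample_tree(root: Path) -> None:
    """Lay out a plain jar directory plus a WAR that bundles its own log4j-core."""
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(make_log4j_core("2.14.1", True))
    (root / "lib" / "log4j-core-2.15.0-stripped.jar").write_bytes(make_log4j_core("2.15.0", False))
    (root / "lib" / "log4j-core-2.17.0.jar").write_bytes(make_log4j_core("2.17.0", True))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as bundle:
        bundle.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", make_log4j_core("2.11.2", True))
        bundle.writestr("WEB-INF/web.xml", "<web-app/>")
    (root / "shop.war").write_bytes(war.getvalue())
    (root / "notes.txt").write_text("not an archive")


def demo() -> List[Dict[str, object]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['verdict']:10} {finding['version']}  {finding['location']}")
```

On a real server, call `scan_directory(Path("/opt/tomcat"))` or wherever the applications live. A "patched" result only says the copy on disk is new enough; confirm the service was restarted after the update so that the old library is no longer loaded in memory.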
If you don’t already have a technical expert you can refer to, Kloudwerk would be happy to help you work out whether you need to act and guide you through the process. If you think your business may already have been affected, make sure you get in touch with us or another expert.
Kloudwerk works with you to help you keep the cyber criminals out. We offer affordable cyber security consultancy packages for business customers. Please visit our Cyber Consultancy page for more information.