A warning to companies from the Federal Trade Commission (FTC) to fix a “serious vulnerability” in the Java logging package Log4j comes as a reminder that cybersecurity teams must remain diligent in keeping up with cyber threats. Otherwise, they could end up costing their organizations millions in remediation and punitive fines.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the commission said. It’s the first time the FTC has issued such a warning, indicating the commission may get more aggressive in holding companies accountable for breaches that harm consumers.
In the case of Log4j, exploitation of the vulnerability could result in a “loss or breach of personal information, financial loss, and other irreversible harms,” the FTC said. “Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services.”
In its warning, the FTC invoked the Federal Trade Commission Act and the Gramm-Leach-Bliley Act in pointing out that companies have a “duty to take reasonable steps to mitigate known software vulnerabilities.”
The FTC cited the Equifax breach, which exposed the personal information of 147 million consumers in 2017. The company agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all 50 states.
Unusual Step
The National Law Review called the FTC’s action “an unusual but very strong message … that is prudent to follow.”
The FTC warning comes less than a month after the Log4j vulnerability was identified. The Cybersecurity and Infrastructure Security Agency (CISA) reacted quickly to the discovery, issuing a statement from Director Jen Easterly that “CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.”
The UK’s National Cyber Security Centre has also urged organizations to take the necessary steps to find and fix the vulnerability in their systems. The severity of the vulnerability cannot be overstated. In addition to the government warnings, in the week following the vulnerability disclosure, cybercriminals and nation-state actors launched more than 840,000 attacks exploiting Log4j.
Updated Skills
For organizations trying to keep up with the threat landscape, the FTC’s warning is a sobering reminder of the importance of maintaining a robust security posture. While it’s a challenge to address every attack vector, particularly one as ubiquitous as Log4j, organizations must ensure their cybersecurity team is well-trained and fully staffed so it has the resources and available time to proactively hunt for and address vulnerabilities as they are disclosed. Our 2021 Cybersecurity Workforce Study confirmed that patch management and risk assessment slip when cybersecurity teams are stretched thin.
Companies also need to ensure the skills of their cybersecurity team members are kept up to date so they can proactively protect against vulnerabilities that, if exploited, can result in severe fines. In the case of Log4j, assessing which devices and applications contain this pervasive code, and then quickly fixing the vulnerability, is a massive undertaking. A well-trained cybersecurity staff is better equipped to remediate issues quickly than a team that wasn’t set up for success.
Organizations can check if they are using Log4j software by consulting the CISA guidance at https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance. Among other steps, CISA recommends that companies using Log4j software update to the most current version.
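The first step CISA's guidance calls for, finding out where Log4j is deployed, is harder than it sounds because log4j-core is often buried inside application WAR/EAR files. The following is an added example, not code from this article or from CISA: an inventory scanner that walks a directory tree, opens every jar-like archive (recursing into nested ones), and reports the bundled log4j-core version from its Maven pom.properties together with whether the JndiLookup class is present, so findings can be compared against the current release. The constant paths are the standard Maven and Log4j 2 layouts; the sample tree it builds is a constructed fixture, and the version string in it is a sample value.

```python
import io
import tempfile
import zipfile
from pathlib import Path
# Maven metadata and the JNDI lookup class that ship inside log4j-core jars.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, location, findings):
    """Record log4j-core evidence in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # named like an archive but not a valid one: skip, don't abort the scan
    names = set(zf.namelist())
    version = None
    if POM_PATH in names:
        props = zf.read(POM_PATH).decode("utf-8", errors="replace").splitlines()
        version = next((ln.split("=", 1)[1].strip() for ln in props if ln.startswith("version=")), None)
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append({"location": location, "version": version, "jndi_lookup": has_jndi})
    for name in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
        inspect_archive(zf.read(name), f"{location}!{name}", findings)

def scan_tree(root):
    """Walk a directory tree and return every log4j-core occurrence, nested ones included."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def build_sample_tree(root):
    """Constructed fixture, not real artifacts: a bare log4j-core jar plus a WAR bundling one."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PATH, "artifactId=log4j-core\nversion=2.14.1\n")  # sample version string
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    (Path(root) / "log4j-core.jar").write_bytes(core.getvalue())
    with zipfile.ZipFile(Path(root) / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
        zf.writestr("WEB-INF/lib/notes.jar", b"not really an archive")  # exercises the skip path

def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Run `scan_tree` against application and library directories on real hosts; each finding's location uses `!` to show the nesting chain, which is what an operator needs in order to know which deployable to rebuild or upgrade.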