The Apache Log4j security vulnerability uncovered recently is every cybersecurity defender’s nightmare - a zero-day exploited in a practically ubiquitous software library. Because zero-day exploits aren’t going away anytime soon, it’s important for organizations to increase their resilience to this type of change in the risk landscape.
Organizations that are going to fare best in this regard are those that have:
- A strong level of awareness of the assets in their risk landscape (in this case, systems using Apache Log4j)
- A timely source of threat intelligence
- Defense-in-depth — particularly for systems that are directly exposed to the Internet (e.g., web application firewalls), and
- The means to quickly detect and respond to abnormal/illicit activity on key points of attack/assets
Of course, this is easy to say but not necessarily easy to implement and operationalize when it can seem like everything is a priority.
One of the key benefits from leveraging FAIR™ is an improved ability to differentiate the things that matter most from those that matter less. Importantly, it also provides the means to “show your homework” to anyone who might question your choices.
Jack Jones is Chairman of the FAIR Institute and the creator of the FAIR standard for cyber and technology risk quantification and FAIR-CAM™, the FAIR Controls Analytics Model™ for quantifying the effect of cybersecurity controls on risk reduction.
I’d also recommend taking the advice of Tony Martin-Vegue, Chair of the FAIR Institute San Francisco Bay Area Chapter: Create a forward-looking risk register to get ahead of the next “vulnerability du jour,” as he laughingly calls exploits that make the news cycle and attract the attention of the C-suite. Tony’s advice in a blog post:
“Keep it high-level and focused on how the company can prepare for resiliency rather than a specific vector or method of attack.” A generalized risk statement for a GRC “provides a starting point to future-proof your risk register to similar attacks we will see in the future.” Example:
Attacker infiltrates and compromises a software vendor's source code and/or build and update process, leading to company security incidents (e.g., malware distribution, unauthorized data access, unauthorized system access).
“Communicating hypothetical, speculative, or rare risks is hard to do without scaring people…The key to success is risk quantification: risk articulated in numbers, not colors…All risk, because it’s forward-looking, is filled with uncertainty. Unique and exotic risks have even more uncertainty. Choose a risk model that can communicate both the analyst’s uncertainty and the wide range of possibilities. I use FAIR.”
Be aware of risk blindness
“Every good risk analyst knows the difference between risks that are possible and those that are probable. It’s the risk analyst’s job to rein in people when the risk brainstorming veers to outlandish scenarios. But don’t rein them in too much! Any risk, no matter how routine, was unique and a surprise to someone once upon a time…Try to put yourself in this mindset as you hold emerging risk workshops.”