January is named for Janus, the ancient Roman god with one face looking backward and the other face looking forward. For the ancient Romans, Janus was linked with gates and doors. There were ceremonial doors dedicated to Janus that were opened when the army left to fight and was closed when peace was restored. Later traditions evolved to include the early January practice of looking back on the past year and looking forward to the new year. Both are apt metaphors for securing your business. Looking backward is easy. The analysis involves historical facts. We have data of what happened and in hindsight can assess whether the decisions we made were correct or not. We can even determine that if we were faced with that same situation again, we would make a better decision the next time based on experience. Some things in life do repeat themselves, so there’s value in these exercises.
In both business and security, however, looking forward is even more valuable. But it’s also significantly more difficult. Rather than working with facts and data, you are working with estimates and predictions. What will customers want in the future? Will a new technology emerge that significantly changes market behavior? Will a new, previously unimagined threat emerge? Preparing for the unpredictable is tough. When it comes to securing your business against cyber threats, there are some steps you can take to make that easier. Many things that get labeled “unpredictable” are actually predictable with a bit of work. By studying threat trends, technology advancements, and other data, security researchers can reasonably predict how threats will evolve over the next year or two. For example, given the steady increase in computing power, researchers know that complex attacks that require the resources of a nation-state today will waterfall down to criminal organizations as computers get more powerful. While your business may not ever be a target of a foreign government, once a criminal organization has the same capabilities your business becomes a target. One trend every business needs to address is the proliferation of intelligent devices. Networked, infrastructure hardware such as servers, wireless access points, and switches are being augmented with printers, IP phones, security cameras, smart building technologies, and other devices. The more intelligent devices you have in your business, the more attack surfaces you have. The recent Log4Shell exploit is an example of this dilemma. Log4J is open-source software that is used by product developers to implement performance and security logging in their products. It’s used widely in the industry in both consumer and enterprise devices. Many of the devices in your business use Log4J, including security devices. The Log4Shell exploit allows an attacker to compromise a device running Log4J, and then launch attacks from there to the rest of your network. This exploit became widely known in early December 2021, and now there is race between security experts trying to find and patch impacted systems and criminals trying to find unpatched devices and exploit the vulnerability before it is closed.
Here’s what the Federal Trade Commission said about Log4J: The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies. These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy.
Looking backward, a company would determine it needs to check for Log4J software on all devices on the network and ensure they are patched. Looking forward, a company would ask, “What other software services are widely used like Log4J such that a single vulnerability could impact many devices from different suppliers? And what can we do now to prepare for that?” As the FTC stated, there are thousands of these open-source software packages being used in almost every device on the market. Think of how many different devices are on your network. How many different vendors are there? Each device has a different firmware that would need to be updated and a different process for obtaining and updating that firmware. A forward-looking business would ask, “How can we create a procedure so that when a vulnerability like this is discovered, we can quickly assess the impact on our infrastructure and efficiently patch all the various devices that are impacted while keeping the business running?” Chances are, you don’t spend a lot of time talking with security researchers. You’re likely too busy running your company and enjoying your personal life (and even if you had the spare time, that’s probably not where you’d choose to spend it!). We’ve got a solution for you.
If you’re committed to a forward-looking approach to securing your business, these webinars will be a great resource to help get started. In 2022, Clare Computer Solutions will be hosting a series of webinars on security threats, trends, and solutions. This will be designed to help you not only understand what new threats to your business are looming on the horizon, but also educate you on the steps you can take in 2022 to help protect your business against these threats. The first event will be on February 22. In this webinar, we’ll review the largest threat vectors in the market in 2021, and then using that data, share with you the types of threats to expect in 2022. Later webinars will then share specific solutions that can be implemented to protect your business against these and other threats.