
Log4j vulnerabilities test the security posture of US financial industry


The recent Log4j vulnerability tests the security programs of financial organizations in a way the sector has not experienced in some time, exposing potential weaknesses both within their own networks and across their supply chains.

Recently, SC Media published discussions with top banking executives at Texas Capital Bank and Finance of America, as well as with cybersecurity vendor Cybereason. Many financial services institutions (FSIs) recognize the long-term implications of the Log4j vulnerabilities and the complexity of mitigating the threat.

Gary McAlum, currently on the board of directors for TAG Cyber Group and a former longtime chief information security officer (CISO) for USAA, pointed out that, like the SolarWinds hack of a year ago, Log4j is “ubiquitous... it impacts everybody in some form or fashion, especially since open source is so commonly used.”

“For the financial sector, it’s a particularly serious issue,” McAlum said. “And I wouldn’t say there’s room for over-confidence.” FSIs of all sizes should be implementing an incident response program to mitigate the potential impact of Log4j, keeping in mind that this cyber event could have ripple effects through third-, fourth- and fifth-party providers. “There is an environment of overlapping controls... which means that [IT security professionals] need to be methodical, and focus a lot of their attention here.”

“The hardest thing is to work through complex supply chains,” McAlum said, adding that financial regulators will also be calling on FSIs as they are going through this, seeking updates and looking to potential exposure and mitigating actions.

“The financial sector has responded well, quick and focused and understanding of the urgency of [Log4j]. Most of the time, when news like this hits, it’s not the first that FSIs are hearing about it,” he added. “They’re getting data from all sorts of sources about vulnerabilities.”

“By the time it’s hitting CNN, the wheels are already turning for most FSIs,” McAlum said.

Nick Santora, CEO of Curricula, an IT security awareness training service, pointed out that, “Log4j got a lot of attention, as this is the first time a vulnerability of this scale has been exposed. It’s the latest and greatest that impacts a lot of industries."

He added: “It’s another event that shows how unprepared most organizations are when an incident like Log4j happens.”

Santora, who previously spent a decade working for the U.S. federal government in critical infrastructure protection, pointed out that, “Log4j affected a lot of legacy industries that rely on Java."

“The majority of organizations impacted were on legacy systems. This includes financial services, the energy sector, transportation — all categorized as critical infrastructure by CISA,” Santora said. “The ironic thing is when a patch was introduced for Log4j, it exposed another vulnerability. If you’re running a complex system, you can’t just throw a patch on like a Band-Aid, and you can’t turn the system off like you’re rebooting a machine.”

So, what is a financial institution to do in the face of this kind of overwhelming cyber threat?

“You need to have a planned maintenance process which includes analyzing the impacted systems, testing them in a non-production environment, then planning for an outage to roll out the patch. And if it all doesn’t go as planned, a way to roll it all back,” Santora said. “So when something like Log4j happens, most companies don’t have a plan on what to do. They have to turn off the service they’re providing to make sure they can patch it properly. This isn’t easy for legacy systems that are mission-critical and foundational for the organization.”
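The first step Santora describes, analyzing the impacted systems, is where many teams stalled in December 2021, because log4j-core rarely sits where a package manager can see it: it is bundled inside WAR files, Spring Boot fat JARs and shaded JARs, and a copy may have been "fixed" only by deleting JndiLookup.class. The inventory script below is an added example for this article, not code from SC Media or from any of the organizations quoted. It walks zip-format archives recursively, reads the log4j-core version from Maven pom.properties (which survives shading), the manifest, or the file name, and classifies each copy against the releases that closed the December 2021 CVE series (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6). The archives it scans are constructed in memory with empty stub class entries; the function and constant names are the example's own.

```python
"""Inventory log4j-core copies inside JAR/WAR/EAR files, including archives
nested in fat JARs and WARs, and classify each copy by version.
Added example for this article; not code from SC Media or from any of the
organizations quoted. Sample archives below are constructed in memory."""
import io
import re
import zipfile
from dataclasses import dataclass

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# First release on each maintained branch that closes the Dec 2021 series
# (CVE-2021-44228, -45046, -45105, -44832): Java 7 and Java 6 lines, else 2.17.1.
FIXED_BY_BRANCH = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}
FIXED_DEFAULT = (2, 17, 1)


@dataclass
class Finding:
    path: str            # e.g. "app.war!WEB-INF/lib/log4j-core-2.14.1.jar"
    version: str
    jndi_lookup_present: bool
    status: str


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release tags are handled crudely
    ('2.0-beta9' -> (2, 0, 9)) but still sort below every fixed release."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version, jndi_lookup_present):
    if version == "unknown":
        return "log4j-core present, version unknown: inspect manually"
    v = parse_version(version)
    if v[0] < 2:
        return "log4j 1.x (end-of-life; different CVEs)"
    if v >= FIXED_BY_BRANCH.get(v[:2], FIXED_DEFAULT):
        return "fixed"
    if not jndi_lookup_present:
        # The documented stop-gap (deleting JndiLookup.class) blocks the JNDI
        # RCE path but does not replace the upgrade.
        return "mitigated: JndiLookup.class removed, upgrade still required"
    return "vulnerable"


def detect_version(zf, names, path):
    """Prefer Maven pom.properties (survives shading), then the manifest,
    then the file name."""
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    m = re.search(r"log4j-core-(\d[\w.\-]*?)\.jar$", path)
    return m.group(1) if m else "unknown"


def scan_archive(data, path):
    """Recursively walk a zip-format archive; one Finding per log4j-core copy."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = detect_version(zf, names, path)
            has_jndi = JNDI_LOOKUP in names
            findings.append(Finding(path, version, has_jndi, classify(version, has_jndi)))
        for n in sorted(names):
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(n), f"{path}!{n}"))
    return findings


def scan_all(archives):
    """archives: {display name: archive bytes}."""
    findings = []
    for name, data in archives.items():
        findings.extend(scan_archive(data, name))
    return findings


def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_archives():
    """Constructed inputs, not real artifacts: class entries are empty stubs."""
    def manifest(v):
        return f"Manifest-Version: 1.0\nImplementation-Version: {v}\n"
    vulnerable = build_jar({"META-INF/MANIFEST.MF": manifest("2.14.1"),
                            CORE_PREFIX + "LoggerContext.class": b"", JNDI_LOOKUP: b""})
    stripped = build_jar({"META-INF/MANIFEST.MF": manifest("2.14.1"),
                          CORE_PREFIX + "LoggerContext.class": b""})   # class deleted
    shaded = build_jar({"META-INF/MANIFEST.MF": manifest("1.0-SNAPSHOT"),  # app's version
                        POM_PROPS: "version=2.17.1\n", "com/example/App.class": b"",
                        CORE_PREFIX + "LoggerContext.class": b"", JNDI_LOOKUP: b""})
    war = build_jar({"WEB-INF/lib/log4j-api-2.14.1.jar":
                         build_jar({"org/apache/logging/log4j/Logger.class": b""}),
                     "WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable})
    return {"log4j-core-2.14.1.jar": vulnerable, "log4j-core-2.14.1-stripped.jar": stripped,
            "app-shaded.jar": shaded, "app.war": war}


if __name__ == "__main__":
    for f in scan_all(sample_archives()):
        print(f"{f.status:<62} {f.version:<8} {f.path}")
```

Run against real deployments by replacing sample_archives() with the bytes of every archive found under the application and container image filesystems. Note that the shaded JAR is reported as fixed only because its pom.properties is read before the manifest, whose Implementation-Version belongs to the application rather than to log4j-core; a scanner that trusts file names or manifests alone misses exactly the copies that a legacy estate is most likely to carry.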

Santora noted that because critical infrastructure sectors do not fall under a single compliance framework for patch management, formal incident response and patch management processes can be more complicated for FSIs.

“Log4j is spread across an array of industries and some were not regulated for patch management and have never had to deal with something on this scale to turn off all of their systems to update it and fix the vulnerability,” Santora said, adding that incidents like Log4j underscore the need for FSIs to have incident response plans that take such events into account.

“Building a community of trust among your vendors will be taken more seriously now because you want to know your software providers are doing the right things for cybersecurity. Cross-contaminating amongst the community is a real problem,” Santora said. “We have to build trust in the private sector that we’re all doing the right thing."
