The National Cyber Security Centre (NCSC) has reminded boards of their role in mitigating cyber risk in their organisations, publishing a blog just before Christmas on a critical new vulnerability impacting a wide range of companies. In their blog the NCSC set out a list of questions boards should be asking their IT teams in relation to this new risk.

How concerned should boards be?

The NCSC blog explains that the Log4j issue has the potential to cause severe impact to many organisations. The critical vulnerability, which the NCSC says is ‘potentially the most severe computer vulnerability in years’ does not relate to a single piece of software, but rather to the widely used log4j logging tool – a software component used by millions of computers worldwide running online services. Initial reports suggest attackers will use the vulnerability to launch new remote control malware and ransomware attacks. As a result, organisations need to act now to identify which of the services they use include the Log4j component, and whether any of these are vulnerable.

10 Questions for the board to ask

The blog provides advice for board members of medium and large organisations, recognising that senior managers will need to work with their technical teams to understand their organisation’s exposure and take appropriate action to mitigate the risk. It suggests a set of 10 questions for the board to ask their IT teams. These range from basic incident response questions such as ‘who is leading our response’, ‘what is our plan’ and ‘when did we last check our business continuity plans’ to more specific / technical points. The latter include:

  • Does anyone in our organisation develop Java code: Log4j is frequently used in enterprise Java software.
  • How are we addressing shadow IT/appliances: it can be more difficult to mitigate risks when the IT used is not a corporately managed asset – increased working from home as a result of the pandemic has increased the risk of shadow IT being used.
  • Do we know if key providers are affected and are they monitoring and mitigating this risk (for example, have available patches been applied): supply chain is a key risk to consider in any cyber mitigation plans, and the response to Log4j is no different. The NCSC suggests engaging with key suppliers, particularly those with remote admin access to your systems.

A full list of the questions can be found in the blog and is set out below. More general information on the Log4j threat can be found in the NCSC’s publications Log4j vulnerability – what everyone needs to know.

Comment

It is interesting that the blog addresses boards directly. The government, and NCSC, have for some time emphasised both the critical nature of the UK's cyber threat and that organisations should treat cyber risk as a board level issue. However, the NCSC is backing up this expectation with guidance for boards - both short blogs such as this one, and with its boardroom toolkit (which is currently in the process of being updated - see my blog from last year). While some of this guidance may be on the slightly obvious side, other aspects highlight the NCSC's expectation that boards understand some of the more technical issues facing their organisations. 

NCSC questions for boards regarding the Log4j threat:

  1. "Who is leading on our response? Log4shell is a critical incident that justifies a ‘tiger team’ of staff to address it. There should be a designated person leading the organisation’s response.
  2. What is our plan? Currently, most organisations will be responding to software found to be vulnerable, or to cyber attacks. There will likely be a migration to a more methodical approach which first identifies how the organisation is affected and then rectifies any problems found. Large organisations and enterprises will need a phased approach to manage this issue over many weeks or months, with teams able to sustain a response over the medium term.
  3. How will we know if we're being attacked and can we respond? Whilst lots of researchers are trying to detect issues on the internet, attackers are also working to exploit the vulnerability. Would your teams know if your organisation was being targeted, and be ready for an at-scale response?
  4. What percentage visibility of our software/servers do we have? Teams are hopefully trying to find instances of software, and of Log4j itself. This task will be easier on corporately-managed assets, but less so on unmanaged assets
  5. How are we addressing shadow IT/appliances? As well as fixing corporately-managed assets, teams need to be thinking about how they will discover things that may have slipped through the net and are not centrally managed (often called ‘shadow IT’).
  6. Do we know if key providers are covering themselves? If your organisation is dependent on any particularly key suppliers (such as crucial software that runs your business, or a 3rd party with remote admin access to your organisation), you should have an open and honest conversation with them, acknowledging that they will also be trying to understand the severity of the issue.
  7. Does anyone in our organisation develop Java code? What is their plan for finding out if we are affected? Larger organisations may be producing Java code for internal use or as products (Log4j is frequently used in enterprise Java software). Java developers may have legitimately used Log4j, so it’s important to ensure that any software written is not vulnerable.
  8. How will people report issues they find to us? Many cyber security researchers are trying to detect vulnerable software. If they find something on your estate, can they contact you easily (for example, via a vulnerability disclosure process)?
  9. When did we last check our business continuity plans (BCP) and crisis response? Verify your organisation’s end-to-end BCP and crisis response processes to minimise real world impact to the organisation should an attack be successful.
  10. How are we preventing teams from burning out? Remediating this issue is likely to take weeks, or months for larger organisations. The combination of an ever evolving situation (and the potential for severe impacts) can lead to burnout in defenders, if they’re not supported by leadership."