Dec 20
URGENT: New Security Hole Threatens Computer Networks


The federal government is warning that a newly-discovered computer software vulnerability poses a major threat to the security of computer networks. We urge all members to address this threat immediately with either their internal information technology staffs or with qualified technology consultants.

Federal government agencies, including the National Security Agency and the Department of Homeland Security announced the discovery of the vulnerability on Dec. 10. Here is what you need to know:

The vulnerability lies in the Log4j software library, written in the Java programming language and created by the Apache Software Foundation. The Apache Software Foundation is not a company; it is a volunteer community of hundreds of thousands of people who build "open source" software products that are free for organizations to use and are constantly being modified by the community. Think of it as content in the public domain that anyone with an interest can modify (Wikipedia is an example of this). Open source software created by volunteers is very common in the technology industry. For example, the Linux operating system has always been developed and maintained this way.

The Log4j software library records network security and performance information. Many software vendors incorporate the library into their products such as websites, applications and application services. It is quite likely that some of the software your staffs use every day is built around Log4j. 

The government agencies announced on Dec. 10 that they were "responding to active, widespread exploitation" of the vulnerability. They warned that, "An unauthenticated remote actor could exploit this vulnerability to take control of an affected system." (emphasis added) In short, if your software has this vulnerability, a criminal could seize control of your network and cripple your ability to do business.

Since Dec. 10, Apache has published three software patches to address the problem. Software developers who use Log4j are likely applying the patches and making updates to their software available to users like you. If you are notified that a software update is available, it is probably a response to this threat and you should install the update promptly.
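For the IT staff or consultant the bulletin refers to, here is an added example (not part of the original post, and not a tool from Apache or the government site) that answers the first question raised above: which installed software bundles Log4j, and at which version, so you know which vendor updates to chase. It walks a directory tree, opens every Java archive, reads the version recorded inside each bundled Log4j component, and looks inside archives nested in other archives (the way web applications ship their libraries). The function names and the constructed sample archives are assumptions made for illustration.

```python
import io
import os
import zipfile

# Maven-built Log4j jars carry META-INF/maven/<group>/<artifact>/pom.properties; its "version=" line names the bundled release.
MAVEN_PREFIX = "META-INF/maven/"
LOG4J_GROUP = "org.apache.logging.log4j/"
POM_SUFFIX = "/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def log4j_versions_in_archive(data: bytes, name: str = "<archive>") -> dict:
    """Map each Log4j artifact in an archive, including archives nested inside it
    (web applications bundle their libraries that way), to its version string."""
    found = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip container, so nothing Log4j-shaped to inspect
    with zf:
        for entry in zf.namelist():
            if entry.startswith(MAVEN_PREFIX + LOG4J_GROUP) and entry.endswith(POM_SUFFIX):
                text = zf.read(entry).decode("utf-8", "replace")
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                artifact = entry[len(MAVEN_PREFIX):-len(POM_SUFFIX)]
                found[f"{name}!{artifact}"] = props.get("version", "unknown").strip()
            elif entry.lower().endswith(ARCHIVE_EXTS):
                found.update(log4j_versions_in_archive(zf.read(entry), f"{name}!{entry}"))
    return found

def scan_tree(root: str) -> dict:
    """Walk a directory tree and inventory Log4j artifacts in every archive found."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    results.update(log4j_versions_in_archive(fh.read(), path))
    return results

def build_sample_archives(version: str) -> tuple:
    """Constructed fixture: a fake log4j-core jar and a .war that bundles it."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(MAVEN_PREFIX + LOG4J_GROUP + "log4j-core" + POM_SUFFIX,
                   f"# constructed\nversion={version}\ngroupId=org.apache.logging.log4j\n")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return jar.getvalue(), war.getvalue()
```

Running scan_tree over the directories where your applications are installed returns a map of archive path to Log4j version; compare each version against the fixed releases listed on the government site before deciding which updates are still outstanding.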

The New York State Department of Financial Services (DFS) advised on Dec. 17 that "All regulated entities should promptly assess risk to their organization, customers, consumers, and third party service providers based upon the evolving information and take action to mitigate risk." Translation: Find out how big a threat this is to your operation, customers and vendors, and do something about it. If your agency is large enough to have dedicated IT staff, this should be their focus today. Most of you are not large enough to afford or need an IT department. In that case, you should contact a computer network consultant as soon as possible to get advice on how to proceed. Any qualified consultant will be very familiar with this problem.

While this alert came from the New York regulators, this is not a New York specific issue. All members in Connecticut should take similar actions, even those who are exempt from the Connecticut Insurance Data Security Law. This is not a matter of a government mandate; this is a threat that could stop you from doing business.

The government agencies have technical information on this threat available on a dedicated website. Much of this information will not be clear to you, but it will be to your IT experts. We encourage you to direct them to that site, take appropriate actions as soon as possible, and monitor the site for further updates to the situation.

Lastly, if you are a New York agency or brokerage and you determine that someone has used this vulnerability to break into your network, the Cybersecurity Requirements For Financial Services Companies regulation requires you to report that to DFS within 72 hours of your determining that it has "a reasonable likelihood of materially harming any material part" of your normal operations. You can do so on the portal on the DFS website.

If you are a Connecticut agency or brokerage who has made the same determination, and you are subject to the state Insurance Data Security Law, you must notify the state Department of Insurance within three business days if you believe consumer information has been exposed, or if you believe it will affect more than 250 state residents and must be reported to the federal or state governments. The DOI has created a form that must be completed and emailed back to them if this happens.

Under current law, Connecticut agencies with fewer than 20 employees (including independent contractors) "having access to the nonpublic information used by such licensee or in such licensee's possession, custody or control" are exempt from the law. That number drops to 10 on Oct. 1, 2022.
