Log4j could generate new business for AV – rAVe [PUBS]



In late December, a worldwide, ubiquitous software flaw was reported that caused a frenzy among cybersecurity professionals and turned the hair of tech professionals gray. There are countless articles on this vulnerability, so I won’t go deep into the tech of what’s going on. Here is what is important for us in the AV world to know: Log4j.

Log4j is a piece of Java code that programmers include in their software to record the commands issued, so they can use this information to troubleshoot. The problem is that Log4j is ready to execute any code given to it, and it can be forced to do so by a specially crafted URL sent to it. The Log4j vulnerability is considered by many to be one of the most severe vulnerabilities they have ever seen. There is no exact estimate, but Log4j is assumed to be used in millions of products around the world. Moreover, exploiting the vulnerability is actually quite easy. A simple Google search is enough to show even non-hackers around the world how to use it to execute malicious code.

AV (which, as we all know, is a subset of the computer industry) has come a long way over the past couple of years in security thinking. About five years ago, many took the position that if something is just AV, why would anyone want to hack it? In today’s environment, it’s different – businesses see it differently. When the above vulnerability made the news, our AV team was invited to the Incident Response team to assess whether our equipment was susceptible to this vulnerability. This has brought about a big change in the way AV is viewed by the bigger umbrella, IT.

Unfortunately, we weren’t able to help right away because, as I researched the various manufacturers that we use, they didn’t provide any information whatsoever on whether their products had any vulnerabilities. The more I searched for this, the more I became amazed at the complete lack of information provided by the manufacturers. After searching through the dozen or so manufacturers connected to our network, I only found two (that was still the case at the end of December as I write this) that listed anything on their websites about Log4j. Honestly, it is inexcusable. Even if a manufacturer knows there is no problem (they have never used Log4j), they should publish this information.
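When a manufacturer publishes nothing, an AV team can still inspect any software package or firmware update it has on hand. The following is an added example, not part of the original article and not any vendor's tool: it looks for the `JndiLookup` class that ships inside the log4j-core 2.x library and reports the bundled version. The file names in the sample package are constructed for illustration.

```python
import io
import zipfile

# Class that performs the JNDI lookup inside log4j-core 2.x; its presence is
# the usual marker that a bundle ships the affected component.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label="<root>"):
    """Return a list of findings for one archive given as bytes.

    Nested archives (a jar inside a war inside a zip) are opened in memory
    and scanned recursively, since vendors often bundle them that way.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-family file; nothing to inspect
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"path": label, "log4j_core_version": version})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings


def make_zip(entries):
    """Build a zip in memory from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a vendor package whose web app bundles log4j-core.
    lib = make_zip({JNDI_CLASS: b"", POM_PROPS: b"version=2.14.1\n"})
    war = make_zip({"WEB-INF/lib/log4j-core.jar": lib})
    pkg = make_zip({"readme.txt": b"demo", "app/control.war": war})
    for f in scan_archive(pkg, "vendor-package.zip"):
        print(f)
```

A hit means log4j-core is bundled, not that the device is exploitable: the reported version still has to be compared against Apache's advisory. An empty result is not proof of absence either, since a vendor may have repackaged the library under different class paths.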

I have some recommendations for manufacturers / developers and for an integration company. Each manufacturer / developer should immediately develop an area on their website dedicated to security. They should also hire or assign someone in the company to be the person responsible for security communications. This person would be responsible for sharing security information with customers. The website should include any information about potential security holes, suggestions for keeping their equipment safe, and links to firmware updates or fixes. Manufacturers should see themselves as part of the IT world, and when there are issues like Log4j, they should respond to them, even if they are not affected.

For other entities, like reporters, integrators or others, there is a huge business opportunity there. Even if the manufacturers start with what I suggested above, there are still hundreds of websites that people must visit. What if an entity becomes the AV security resource? Surprisingly, the best resource AV pros had with this Log4j vulnerability was a channel on Reddit! Why isn’t there a service we can subscribe to that allows us to review all the different companies and their responses to breaches in one place?

In addition to providing information to customers on various equipment, such a service would also put pressure on audiovisual companies to take security seriously. They wouldn’t want to be the only ones listed as having no information available. In addition to information on potentially vulnerable equipment, this service could provide general information on security breaches, likely attack methods, potential risks for different industries, and mitigation tactics. All of this could be done for an annual subscription.

When you develop a resource that is valuable for the community and lucrative for your business, which this would be, you surely have a winning product.


