From the Trenches: Remediating Widespread Apache Log4j FlawKroll's Jeff Macko Details Steps Needed to Safeguard Organizations Now and in the Future
Exploitable vulnerabilities in the widely used Apache Log4j logging software have left security teams scrambling to identify where the software is used in their environment as well as how to guard against it being exploited.
"What we've seen with Log4j through a lot of investigations that we're doing here at Kroll is that companies are impacted by this," says Jeff Macko, an associate managing director in the cyber risk practice at corporate investigations and risk consultancy Kroll, based in New York. "Some of them are aware of the issue, some of them aren't aware of the issue, and likely this issue is going to be persisting with us for many, many years."
In this video interview with Information Security Media Group, Macko discusses:
- Mitigation: Best practices for identifying and remediating Log4j in the enterprise;
- Vetting: Strategies for reviewing open- source and other software components;
- Frameworks: How regulatory proposals such as having a software bill of materials might eventually help, and what IT teams can do in the interim.
Macko is an associate managing director in the cyber risk practice of Kroll. With over 25 years of experience and several certifications in information technology and security, he leads a team of offensive security experts in North America.