At Resilience, it is a core part of our culture to avoid marketing FUD (fear, uncertainty, doubt). But it is with no hyperbole that we say the Log4Shell vulnerability is one of the worst that we have observed in our professional careers and warrants the global attention it’s getting. Indeed, there is evidence that it has already been leveraged by some ransomware and nation-state aligned cyber actors as the cyber defense community rushes to put out the most critical fires.
What to know
This vulnerability does not depend on human interaction. Many of the core services that run on what we know as the internet were likely affected by this vulnerability and, if unpatched, could be sent a simple string of code that could trick them into conducting malicious actions without the need for a human in the loop. This means no one clicking on suspicious links, no accidentally lost laptops. Log4Shell is a quiet killer. Gizmodo has a great breakdown if you are looking for the “plain-English” technical explanation.
What we did
When the Security team at Resilience learned of this vulnerability, they immediately understood the gravity of the situation. On Friday we took immediate action to protect our insured clients. Through our monitoring and threat notification system, we were able to alert our clients and brokers with critical guidance on how to take action to mitigate the threat. This type of proactive effort is uncommon in the cyber insurance industry, but core to our insure+secure model and standard practice with all major vulnerabilities since our launch in December 2020, including ProxyShell, PrintNightmare, and the Hafnium vulnerabilities, to name just a few.
Since the Log4Shell vulnerability became public on Friday, our Security team has worked tirelessly to protect our insured by:
- Analyzing hundreds of thousands of external scans on our insureds’ public-facing infrastructure to determine if any insureds utilized any affected services that we would expect to be targeted.
- Working to identify open and impacted ports, then comparing versions to understand whether the vulnerability existed.
- Deploying a regularly updated best-practices page and sending targeted outreach to our insureds on this vulnerability.
This week’s events exhibited the core value of Resilience: that a security team working hand-in-hand with the insurance team better protects our clients. If we can see something, it is likely a ransomware gang, nation-state actor, or cybercriminal can see something too. Fast and informed action is critical.
If you are concerned about your organization’s exposure or interested in learning more about our insure+secure model, please reach out at email@example.com.
About the Authors
Head of Risk and Response
Amy Chang is head of risk and response at Resilience. Prior to joining Resilience in 2021, Chang served in numerous leadership roles in the Global Cybersecurity Organization at JPMorgan Chase, protecting the firm and its employees from cyber threats. Chang was an affiliate with Harvard’s Belfer Center Cyber Security Project and has over a decade of experience in cybersecurity, policymaking, and strategy both in and out of government. She served in the U.S. Navy as an intelligence officer. Chang holds a master’s in public policy from Harvard University Kennedy School of Government and a bachelor’s from Brown University.
Co-Founder and Vice President of Policy
Davis Hake is the co-founder and vice president of policy at Resilience. Prior to co-founding Resilience in 2017, Hake managed cybersecurity strategy for Palo Alto Networks, served on the National Security Council, and was a lead author of cybersecurity legislation in the U.S. Congress. Hake is an adjunct professor of risk management at the University of California, Berkeley, and is a term member of the Council on Foreign Relations. He holds a master’s in strategic security studies from the National Defense University and a bachelor’s in international relations and economics from the University of California, Davis.