
2021 December CyberSecurity Newsletter

Dear Sir or Madam,

 

As always, cybersecurity does not slow down during the holiday season! This month, we'll be talking about the Log4j vulnerability—and what you need to know. We'll also cover:

  • The cyberattack that may affect your paycheck
  • Cybersecurity trends for 2022
  • Which software to update today
  • And much more

We wish you all a happy and healthy holiday season!

Log4j Vulnerability: What You Need to Know About the Flaw Taking Over the Internet

A critical flaw was discovered in software used widely across the Internet. Log4j is software developed by the Apache Software Foundation that allows networks, websites, and applications to collect information. It is said to be one of the web's most widely used tools.

The recently exposed flaw allows hackers to steal data, install malware, and take control of devices and networks by remotely executing code on a target's computer. Some experts worry that the security vulnerability could lead to widespread ransomware attacks, and some have already spotted the early signs of these attacks.

Security experts are calling the Log4j vulnerability one of the most serious flaws they have seen in their careers. The cybersecurity firm Check Point reported that over 100 Log4j hacking attempts are occurring every minute. Microsoft says that nation-state hackers from China, Iran, and other countries are exploiting the flaw.

Companies such as Apple, Amazon, Microsoft, Twitter, and Minecraft are affected by Log4j—among many others. Experts estimate that millions of servers are at risk. Apache Software has released a patch for the flaw—and many technology companies have already released their own updates.

What does this mean for you? 

While companies and organizations, rather than individuals, are the real targets of this hack, there are actions you can take to protect yourself. First, update all of your devices when you are notified. These updates may contain fixes for the Log4j vulnerability.

You should also be on the lookout for ransomware attacks. Whether reading texts or emails, exercise caution. Remember the acronym EMAIL: Examine Messages And Inspect Links! When in doubt, don't click; delete the message.

Cybersecurity Shorts

Cybersecurity attack halted Maryland’s Health Department from publishing COVID-19 data. The Maryland Health Department has not published data on COVID-19 case rates for 9+ days as they recover from a “network security incident,” they recently announced. However, while the Health Department figures out the issue, they will still be releasing data on vaccinations and hospitalizations, among other virus-related information. Read more about the cyberattack here.

New cybersecurity rules placed on reporting requirements for banks. Recently, the Federal Reserve System’s Board of Governors, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have approved a final rule that will enforce reporting requirements on banks and banking service providers. Banks now must report all cybersecurity incidents within 36 hours to federal regulators. This new rule follows a current trend requiring critical infrastructures to report cybersecurity incidents.

Kronos attack may affect how employees issue paychecks and track paid time off. One of the largest human resources companies may now have to adjust how employees get paid and track their paid time off. The Ultimate Kronos Group (Kronos) announced that it suffered a ransomware attack that could potentially keep its systems offline for weeks. A Kronos spokesperson said that the attack has affected only customers that use a particular product called the Kronos Private Cloud. Read more about the attack and how it can affect employees here.

Financial advisors should be taking cybersecurity more seriously. Experts warn that financial advisors may want to consider cybersecurity as a critical issue on more than one level. While protecting client data is a priority, if you focus on healthcare or energy and manufacturing, you may need to heighten your cybersecurity efforts. Here’s why.

U.S. imposes first cybersecurity rules for rail transit. Recently, the federal government announced two new cybersecurity mandates for “higher-risk” railroad and train transit systems. Despite efforts to beat back regulations, crucial passenger and freight railways are now required to follow a list of actions outlined in the new security measures.

CISA and NSA release expectations for working in 5G environments. This four-part series focuses on preventing and detecting unauthorized movement across networks. The third installment, which focuses on data protection, also goes into detail on the actions that users of cloud-based 5G systems, as well as cloud service providers and mobile operators, should take to protect data at rest. Learn more about it here.

With the holidays comes an increased risk of cyberattacks. With e-commerce holiday sales slated to reach between $210 and $218 billion this season, it is wise to practice some extra caution. This holiday season, try these seven holiday cybersecurity tips to keep your information safe.

Data breaches and ransomware attacks dominated 2021. Throughout 2021, cyberattacks dominated headlines and caused massive disruptions for government agencies, major companies, and even supply chains for gas and meat products. These large-scale cyberattacks made it excruciatingly obvious that the days of minor ransomware attacks are long gone. Now, cybercriminals have set their sights on major businesses and companies that will pay a large amount of money to avoid being shut down.

Software updates

Adobe: Adobe has released patches for its programs such as Photoshop, Premiere Pro, Connect, and more to close over 60 security issues. You can learn more about the update here.

Google: Updates for Google Chrome were released this month. One is rated critical while three are considered severe. Your Chrome browser will alert you to update automatically with an "Update" button in the top corner. Be sure to update as soon as possible. And don't forget to update even if Chrome is not your primary browser.

Microsoft: In response to the Log4j vulnerability, Microsoft released patches for many of its programs. Many of the flaws are considered critical. Your device should prompt you to update automatically. You can learn more about the updates here.