Community IT has been getting a lot of questions and concerns about the recently discovered Log4j vulnerability, which exists in many applications. You may be wondering what steps you can take to avoid a compromise of your devices and of your nonprofit organization. Here are some Log4j tips for nonprofits: we advise you to install all available updates on all your devices now, and to be vigilant about keeping internal systems secure from outsiders.
What is Log4J?
Log4j is a chunk of code (a logging library) that helps software keep a record of what it has done. Instead of writing new code to tell an application or program what to do in each new instance, coders can use Log4j commands to tell the app to “redo” something it did in the past. This simplifies code for repetitive tasks. Log4j is used in a wide variety of apps and programs on a wide variety of devices.
Each time Log4j is asked to record a new “log” entry, it tries to make sense of the new action and add it to its record of completed tasks. In December, on a Minecraft forum of all places, users realized that if Log4j is asked to add malicious code to the log, it will try to execute that code, and replicate it in the process. Because Log4j is used in so much code in so many apps, this is one of the biggest security vulnerabilities discovered in decades. It is also very straightforward to use, so the barrier to hacking using this vulnerability is very low – leading to fears of widespread attacks from less sophisticated malicious actors around the world.
How Does the Log4j Vulnerability Affect Nonprofits?
Log4j is affecting everyone. Happily, when the vulnerability was first discussed online, it quickly became apparent that although Log4j could have been exploited for years, it was not being exploited until recently. Cybersecurity experts initially observed only basic attacks using this vulnerability, although it does appear that more sophisticated attacks are being developed.
Log4j gives ransomware attacks a new avenue to infiltrate systems and shut them down for ransom. Since many nonprofits, just like public agencies and small businesses, are vulnerable to ransomware demands, nonprofits should be vigilant in installing authentic security updates as soon as they are released in order to protect crucial systems from ransomware attacks.
Because not every company and nonprofit will realize the severity of the risk and update their systems and devices promptly, Log4j will continue to be a threat. If your nonprofit is working with an MSP or has an in-house IT department, you will already have heard about the steps to take to protect your IT security.
If you are a smaller nonprofit without a dedicated IT support team, you must check your apps and devices yourself for authentic security updates. Don’t be afraid to ask questions and be sure you understand the risks and procedures you should follow with any IT issue.
Log4j Tips for Nonprofits
What can you do?
Pay attention to application update notifications from your software vendors and install them promptly, as this vulnerability exists in many different applications. For the most part, consumers have to wait for companies and security services to fix this vulnerability. Developers will be sending out updates regularly as new weaknesses are discovered.
Install any security updates. If you are not sure how to do this, ask. On most devices, you will receive an internal prompt when a new update is available. This prompt may come when you log in, or be under “notices” or “updates.” This prompt will not usually be sent in an email.
Do a full reboot at least once a month. To do this, power down your laptop and devices completely, then power them back on. Many people like to do this nightly, as it also helps improve performance.
Review your inventory of devices. Because so many items are now “smart” devices, remember auxiliary items like copiers, routers, security cameras, TVs, and even coffee makers or vacuum cleaners that are connected to the internet. These should also be completely rebooted by turning them all the way off and then back on.
Hackers trying to use Log4j to access your systems need … access. Organizations need to be vigilant about blocking public access to internal systems, and should patch systems as soon as patches are available.
Although Log4j attacks are largely driven by external scans that expose vulnerable systems, you should also be vigilant about phishing emails. If you haven’t conducted organization-wide cybersecurity training on detecting suspicious emails and on what steps to take to report phishing, make plans to hold that training as soon as possible. We recommend knowbe4.com, but there are many security training apps available at low or no cost to nonprofits that can help you ensure your employees, from the front desk to the Executive Director, know what to do with a suspicious email. It is crucial that your employees feel confident reporting a suspicious email even after they have clicked on a link.
Typical phishing emails will look legitimate. When you get an email that says your account has been compromised, an email was not delivered, a package needs to be authorized, etc. – check the sender’s email address carefully for small misspellings, and do not click any links or open any attachments. If the email seems to come from a legitimate contact, reach out to them separately – via their website or a new email – to address the problem.
Any system that requires logging in should be set up with strong, unique passwords, and should require Multi-Factor Authentication (MFA). January is a good time to review your passwords and account access. Each system you access should have a strong and unique password. Commercial password managers like LastPass or 1Password can generate new secure passwords and manage them for you. Google and Apple have built-in password managers, too.
For more tips for consumers, the Washington Post published an easy-to-follow guide to Log4j concerns.
Ready to start the new year with strong cybersecurity in place and reduce your nonprofit cybersecurity risk?
Stay up to date on cybersecurity risks such as ransomware, and plan IT support for your entire workforce in-office and remote with our resources.
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common. Whether through a third-party vendor or a phishing or ransomware attack on your own organization, you need to be prepared for cybersecurity risks and understand your work and personal security options.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure.
We published our completely revised 2021 Cybersecurity Readiness for Nonprofits: Community IT Innovators Playbook to help our community understand the issues.
We ensure you get the highest value possible by bringing 20 years of expertise in exclusively serving nonprofits to bear in your environment.
We regularly present webinars at Community IT about cybersecurity issues. You can also contact Matt Eshleman, our CTO and nonprofit cybersecurity expert, for an assessment and more Log4j tips for nonprofits.
If you’re ready to gain peace of mind about your cybersecurity, let’s talk.