Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

By now, you already know of — and are probably in the midst of remediating — the vulnerability that has come to be known as Log4Shell and identified as CVE-2021-44228. This is the vulnerability which security researchers disclosed on Friday (10 December 2021) for Apache’s Log4j logging framework. In this article, we’ll explore a few key Log4j facts as well as actions you can take to protect yourself and your company.

COVID-19 made moving agency employees and services off-premises essential. This move, however, has also sparked one of the biggest waves of cybercrime the internet has ever seen. Ransomware attacks have been particularly effective against government agencies and critical infrastructure.

CVE-2021-44228 (Log4Shell or LogJam) is a recently discovered zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library. It was reported by the Alibaba Cloud Security team as an unauthenticated RCE vulnerability in Log4j 2.0-beta9 up to 2.14.1 and could allow a complete system takeover on vulnerable systems. The bug has received the maximum CVSS score of 10, reflecting its importance and ease of exploitation.

Cybersecurity is such a broad subject that many times, an organization can become stifled when trying to develop a full cybersecurity program. Some organizations that have already put a cybersecurity program in place can also unpleasantly discover gaps in their efforts, making the entire venture seem moot. One way to effectively get started, as well as to prevent gaps, is to build a good foundation upon which a cybersecurity program can grow and mature.

The Department of Defense (DoD) has recently released new CMMC 2.0 audit and assessment scoping guides. The awaited CMMC 2.0 Level 1 and Level 2 scoping guides provide insight into how a certified CMMC third-party assessor organization (C3PAO) may scope the CMMC audit and how businesses can potentially scope their own environments. These scoping guides are critical for the CMMC audit and boundary diagrams developed as part of your business’s System Security Plan (SSP).

Aaron McCray, Ignyte’s Chief Operating Officer, is giving a brief overview of the changes to CMMC 2.0, and more specifically its Practice levels vs Maturity levels in the video below. Aaron is a commercial risk management leader by trade and a Commander in the U.S. Navy Reserves.

Today we are going to discuss controls in the context of any variation of the NIST 800-53 and NIST 800-171 requirements. NIST SP 800-53 provides us with a fundamental understanding of how government and many commercial organizations structure control language.