1 Executive Summary
The software that supports today's organizations is large and complex, comprising many interrelated components that come from different sources. This makes sense because it is more efficient to reuse common, regularly used functions than to recreate them every time they are needed. Some of these components may come from software vendors, some may be part of standard infrastructure such as operating systems and libraries, and some may be Open Source. Whatever their source, all of these components may contain hidden vulnerabilities. The challenge for organizations is how best to respond when one of these vulnerabilities is discovered.
A recent example of this is Log4shell, a critical vulnerability discovered in the logging tool Log4j, which is widely used across the world. Cyber adversaries exploit these kinds of vulnerabilities to attack organizations with ransomware, to steal intellectual property and personal data, and to fraudulently obtain money and payments.
This leadership brief describes the steps an organization needs to take to respond to newly discovered critical software vulnerabilities.