...log4j - are you sick of it yet? How are those emergency change requests going?

Hi. I'm Jon Fedor and this is InCyber Regular, edition 26.

InCyber exists to help people secure their digital gemstones and belongings. We go hard in the paint on personal digital security but also talk security topics for small to medium businesses. Today's focus is more that business side.

But first a look at our mission to make your digital presence more secure than it was yesterday.

How do we measure this?

Goal One: inspire at least three people to use a password manager before the end of 2021.

Status on Goal One:

We've got three confirmed for starting to use a password manager! This is huge. I feel like my heart's grown three sizes too big. You're breakin' the meter here, all.

Big next task is the goal for the first three months of 2022. What should we get ourselves to work on in Q1?

Think on that...

Today:

1. The 90s of course
2. More log4j / log4shell resources
3. Most helpful video of the week

The 90s

Some important crossovers happening with the 90s in the security world these past couple of weeks.

log4j

Many teams of people and concerned infrastructure, security, network, IT folks have battled it out with log4j over the past two weeks. It's been a long battle. You may be tired of talking about asset management, GRC, security policy, and much more.

I won't make this long but I do want to highlight a few helpful resources.

FIRST, knowing all the vendors and third-parties orbiting around your organization and sitting in your network is in fact a key piece of effective response.

Here's a list of common software / service / hardware vendors and the security alerts / patching information that they've released for your reference.

This is a fantastic reference and a community project updated regularly. There are links associated with each entry for more information about treating the vulnerabilities in each system. Just CTRL+F search your vendors on the page.

If you aren't already, checking for KB and patching information from vendors may become a daily habit (maybe it should anyway...?).

How original...bad actors gaining access and installing cryptocurrency mining infrastructure.

SECOND, here's a great resource from Mac Hertz talking about lessons learned from the log4j exploit and cascading affects.

I always enjoy a good Mac Hertz Cybersecurity 101 video. He keeps them short, informative, and quirky. Enjoy!

THIRD, watch out for some of the biggest vendors, like Microsoft. They're quietly updating all sorts of their resources in the background without large public exposure. Here's a link to a good tweet thread on this with more information.

FOURTH, Rohit (sec_r0) has been publishing awesome illustrated zines on various security topics throughout the past 12-18 months. They're great! And he recently did one on log4j. Definitely check it out and learn some more about the exploit and vulnerabilities.

Most helpful video of the week

One of my favorite authors and business people is Chris Voss. He wrote the legendary book, Never Split the Difference.

This guy's the truth. Former lead international FBI hostage negotiator-turned-business-negotation-demigod. The first 10 pages of his book taught me more than most entire books do.

I used Never Split the Difference material to negotiate a 35% raise last year.

Crazy stuff.

Anyway, he's done a couple of interviews with Lewis Howes over the years and Lewis put together a supercut of these interviews. This stuff is like drugs for me. And sleepy ones. Speedy ones.

Hope you find it helpful too!

Thanks!

Hope your week is dope and productive (or just straight up fun if you took this week off)!

Let me know what goal we should all work on in Q1 of 2022. Let's keep building this InCyber community! I'd be glad to hear your ideas.

Have a good'un, Good Lookin'.

~ Jon "Hail Voss" Fedor