On February 22, 2022, Aaron Shilts was featured in a Twin Cities Business article titled, The Malware Pandemic. Preview the article below, or read the full article online here.

+ + +

In the information technology world, Log4j could become the equivalent of a particularly virulent Covid variant—and for businesses, a potentially bigger danger.

Log4j is an open-source, Java-based utility that logs error messages in software applications. In early December, a cybersecurity staffer with the Alibaba Cloud service in China discovered a vulnerability—a flaw—in Log4j that could open millions of businesses and other organizations to cyberattacks. A second flaw was found shortly afterward.

Compared to a data breach releasing sensitive information of millions of retail customers, the dangers of Log4j’s flaws are harder for non-IT people to understand. But as a cybersecurity threat, Log4j could become a disaster of pandemic proportions. That’s because innumerable organizations have the utility in their IT networks—and many don’t even know it’s there. Log4j could allow cybercrooks worldwide to steal data, encrypt servers, shut down factory floors, deceive companies into wiring them money, and demand thousands, even millions, of dollars in ransom.

Lurking in the shadows

Every software program inevitably and unavoidably has vulnerabilities. Over time, most bugs get fixed. But as in the case of Log4j, a tiny flaw in a widely used software component can explode throughout networks worldwide.

A flaw could be something that isn’t visible, notes Aaron Shilts, CEO of Minneapolis-based cybersecurity firm NetSPI, which specializes in network penetration testing and “attack surface management” for its business clients. More than 50 percent of NetSPI’s work involves testing applications—which Shilts terms “the lifeblood of any enterprise” —for vulnerabilities.