Log4j vulnerability: ‘It’s all-out warfare right now’ to combat cyberattacks, TrustedSec CEO says

TrustedSec CEO David Kennedy joins Yahoo Finance Live to explain the Log4j cybersecurity flaw, how agencies are combatting hacking attempts, and how long this vulnerability is expected to last.

Video Transcript

- Log4j, now listen to this again, Log4j, might be just one of the biggest corporate cyber threats that you've never heard of. And our next guest is predicting that there will be massive breaches all over from this, also that they are already happening. We want to introduce them before we get you too scared, David Kennedy, CEO of TrustedSec.

And David, you are a former NSA hacker for and also for the Marine Corps so you know your stuff. I personally had not heard of this until hours ago. So can you let us know what the danger lies in here.

DAVID KENNEDY: Yeah, I think the reason why people struggle with kind of understanding what this is or even hearing about it is because it's so complex. Think of this as code that's embedded in thousands, if not hundreds of thousands of pieces of devices, software, hardware, you name it. It's embedded in almost every aspect of the technology that we use. And there is a recent flaw that was discovered about two weeks ago that allows attackers to essentially open the doors to any of these products and fully hack it.

We've already seen ransomware groups targeting organizations and holding them ransom because of this flaw. Just today, the Belgium defense ministry was hacked and shut down directly because of this flaw. It's all out war for right now right around the holiday time frames with this specific vulnerability and it's extremely complex to fix.

It's not as simple, hey, you know, you update your phone or update your computer. This is embedded in applications that are deep, deep, deep, into the coding. It's unfortunately going to be one of the worst ones I think I've ever seen in my 25 years of being in the security industry.

- But David, exactly how vulnerable are we? And then are there particular industries or sectors that are seeing more threats or that are more vulnerable?

DAVID KENNEDY: This is kind of the Wild West at the moment. We're seeing know pretty much every industry vertical targeted and hit. We're seeing attacks from nation states like China, Russia, North Korea, Iran. We're seeing ransomware groups weaponize this.

Most recently we saw what we call a worm or a self-replicating piece of code that has automation attached to it so that it can impact more and attack more faster than we typically see from normal, you know, hands on keyboard type of hackers. So right now it's kind of open season for this vulnerability. And companies and corporations all over the world, including, you know, the defensive side of the house, DOD, you know, the Critical Infrastructure-- Critical infrastructure Security Agency, everybody's going around assessing you know what they can do to really try to fix this as fast as possible. But unfortunately, it's not to be an easy fix, and this is going to be one that hits us probably for several years.

- When you say several years, I mean, it's hard to calculate the potential costs. But are we seeing the marshaling of resources that you think are necessary to attack this problem? And if not, how do we get there?

DAVID KENNEDY: I think the big corporations that have dedicated security teams that have large it staffs are really spending the time to try to address this as quick as possible. The issue you start running into is hospitals, small and medium-sized businesses, you know, organizations or governments that don't necessarily have the sophistication level to understand what this vulnerability is. And that's really where our large concern is at.

Our teams over a TrustedSec are literally working 24 hours a day right now trying to respond to these four companies that are being hacked because they don't understand the full extent of this vulnerability. So I think the attention around how severe this is really hasn't been communicated very well to organizations. And really, you know, we're going to see a lot more attacks occur over the next set of several weeks as these attackers get more and more advanced with these types of attacks.

- So is it a question of that they're getting more advanced? Or are we sort of lagging in our capabilities? And are companies investing enough in cybersecurity awareness and threats?

DAVID KENNEDY: That's a great question. And you're absolutely right in the sense that, you now, organizations when they adopt technology-- and everybody has to use technology to operate as far as the business is concerned in the 21st century-- they are not investing enough in critical infrastructure, protecting our nuclear power plants, water treatment facilities in their own businesses. But it's also because security is still a very complex situation where there's no simple fix.

It's not like you can buy a specific piece of gadgets or a widget that protects you against hackers. It requires investment in time and people and really understanding what the threats are out there to really protect yourself. And I think that's the biggest issue is the complexity that security has right now in the event with technology progressing so fast these hackers are moving so fast. It's very difficult in a moving scale to try to compete with that.

- And we have time for one more here. And President Biden could take the podium at any time. But you were an advisor-- I'm switching gears here, you were an advisor to "Mr. Robot."

That might be even cooler than your gig for the NSA in my humble opinion. But you got even a shout out from Rami Malek. And can you tell us about that experience.

DAVID KENNEDY: Yeah, you know, Kor Adana, one of the technical producers for the show said, hey, make sure you check out this episode. There's going to be something cool there for you in the episode, and see if you can spot it. And so I happened to be watching the TV show and Rami Malek who plays Elliot on "Mr. Robot" was being escorted out or trying to be escorted out by security in evil corp which is one of the fictitious companies there.

And as he was walking out he went into a room and started what we call social engineering the room that he was in. And he said, hey, my name is Dave Kennedy. I worked on Craig on the Q44 push. I had longer hair than.

He was basically trying to impersonate me in this scenario. And I'll tell you, family members, my mom, my dad everybody started calling me, like, oh my gosh, he just dropped your name on the TV show. So it was one of the coolest things I think I've ever seen in my career being able to be part of that show and to help out with it as well as the response back from you keeping an accurate portrayal of hackers and things of that effect was really cool.

- And we got time for potentially one more. Biden is still approaching the podium we think. Any other consulting that you've done that might be interesting to our viewers here?

DAVID KENNEDY: You know, you get to see a lot of crazy things. I was actually in a Chris Brown rap video where I played a hacker in the background there and I did all the technical skits for that. I never thought being a computer nerd in high school would have ever attributed to being in anything like that. I literally had dancers doing flips behind me and I was pretending to hack into a phone to delete pictures of somebody on their phone. So I got to do a lot of cool things like that.

But in our consulting experience, you know, we get to hack into buildings and break into banks. I've actually broken into a bank vault and took all the money. I had to put it back and fortunately, but some great experiences you have in this type of industry.