On Dec. 10, 2021, Wired magazine published an article aptly titled, “The Internet Is on Fire.”
In a time of widespread ransomware and high profile data breaches, a new risk had risen to the top that alarmed security researchers and cybersecurity professionals alike: Log4j.
Fast-forward a year, and security teams have tools available to scan for potentially vulnerable services, security controls to mitigate potential attacks, and fixes to prevent cyber criminals from exploiting Log4j.
Armed with the benefit for hindsight, what can security teams and organizations learn from this widespread vulnerability to better protect themselves from the next major threat?
Here’s my take:
Originally released in the early 2000’s, Apache Log4j is an open source library of functions that developers use to handle logs for Java-based applications—hence the name. Because Java is a common programming language used across a wide range of applications—from enterprise applications to smart TVs—Log4j quickly became a ubiquitous tool running in the background of many services.
Log4j’s designed role is to help administrators better understand when and why applications aren’t running smoothly by providing information about why an error occurred. Log4j can create events with data such as usernames, passwords, form information, browser headers, and more in a log file or database.
By manipulating the log messages or log message parameters that flow during normal authentication activities, attackers were able to gain remote code execution—commonly known as Log4Shell—in order to gain control of or alter a device. From there, attackers could expand their access and pursue ransomware, data exfiltration, and other attacks.
The presence of this vulnerability was privately disclosed to the Apache Software Foundation on Nov. 24, 2021. The first fixes for the defect came on Dec. 6, 2021, followed by public disclosure of the vulnerability three days later on Dec 9. The vulnerability can still affect organizations if their version of Java has not been updated.
New software vulnerabilities are being discovered, disclosed, and exploited by cyber criminals every day. While not every vulnerability will be as ubiquitous and dangerous as Log4j, this reality will likely always be a part of our digital world. However, organizations have tools and best practices that they can turn toward to mitigate their risks and increase their chances of staying ahead of the next big threat.
In the wake of the Log4j vulnerability, these following lessons are even more important to heed:
Although public knowledge of the vulnerability was made within two weeks of its disclosure to Apache, the vulnerability had existed since 2013. Criminals could have known of the Log4j risk for years before it was disclosed to Apache.
That’s why your organization cannot put the safety of its employee and customer data—as well as its network and endpoint security—low on your organization’s priority list and just hope that the right information will make it to your team when it really matters.
Instead, organizations need to take a proactive stance with cybersecurity and make evaluating, reporting, and patching potential risks a part of their normal course of business. Organizations can do this by:
Leveraging proven risk management frameworks to consistently and comprehensively evaluate your operations for potential security and privacy risks.
Encouraging and empowering employees across your organization to identify and report risks.
Establishing and regularly following a patch management process across your organization to ensure that threat intelligence and security development best practices are integrated into your enterprise.
Do your employees know exactly what to do when your organization is breached or is alerted to a severe issue like Log4j?
If your answer isn’t a confident “yes,” then your organization needs to have an incident response plan in place—and to put it to the test regularly.
An incident response plan ensures that the right staff and procedures are in place to effectively handle a security threat in a structured, consistent, calm, and thorough manner. It’s important to take the time to work with security experts and stakeholders across your organization to create, test, and refine your incident response plan. That way, when the pressure is on and every second counts, correct decisions about what to do and who to notify can be made to bring the situation back to a steady state.
In addition to often being a security requirement to remain compliant with industry and regulatory standards, having an incident response plan can give your executives, security team, and other stakeholders the peace of mind that incidents will be handled effectively.
Introducing new services, technology, and processes to your operations is part of growing your business and responding to evolving customer expectations. However, threat actors are constantly probing and prodding at these applications to find new ways to misuse or manipulate their code and configurations to their advantage. This malicious research occurs around the clock and around the world.
Organizations are quickly turning toward the support of comprehensive vulnerability detection. Leading vulnerability detection platforms have thousands of security researchers continuously working to identify and report on security vulnerabilities that align to your unique application ecosystem.
When used in conjunction with end-point protection and security awareness training, access to comprehensive monitoring, actionable threat intelligence, and detailed reporting provided by experts amplifies your organization’s ability to identify issues early and resolve them fast.