The Cyber Safety Review Board (CSRB) recently labeled the Log4j security exploit as an ‘endemic vulnerability’ that will linger for years, according to a report released on Jul 11, 2022. The vulnerability itself was discovered back in December 2021, requiring little to no hacking skills in order to take advantage of the gap in security measures.
“We are at a significant juncture in the tech and cybersecurity industries and the CSRB’s findings signal a direction for the future,” said Daniel Trauner, senior director of security at Axonius. “At some point, we’re going to see even more visible use of Software Bill of Materials (SBOM) reports. Just as the FDA expects consumers to be able to stay informed about what they’re putting in their bodies by way of standardized nutrition facts labels with clear lists of ingredients, businesses and other entities using software will want—and ultimately need—transparency about what goes into the software they’re using.”
CRSB’s findings on Log4j
The Log4j vulnerability, also known as Log4Shell, is an open source Java-based logging framework that collects and manages information about system activity. In addition to being easy to use, the file is both free to download and is extremely effective. Amongst Java developers, this piece of software has also been embedded into thousands of other software packages. The ease of use has some hackers looking to exploit numerous pieces of software that have not yet been patched as part of Log4j.
The mistake was found and published as proof-of-concept by an engineer for Alibaba’s cloud security team. This became a serious issue on December 9, 2021 after the vulnerability was made public, as researchers at Cloudflare found that there were 400 scans per second to attempt to take advantage of compromised systems using the software. Security professionals since then have made it a priority to mitigate the potential risk faced by this exploit being easily and widely available to the masses.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Tips for staying safe against the Log4j exploit
In order to prepare for the long-term effects caused by this vulnerability, CSRB recommends the following tips for organizations to follow:
- Address continued risks of Log4j
- Drive existing best practices for security hygiene
- Build a better software ecosystem
- Invest in the future
By preparing to address the Log4j vulnerability long-term, organizations can do a better job of both observing and reporting actions to the proper authorities for monitoring purposes. This will allow the requisite agencies to collect the data necessary to address the exploit in real time.
While these additional tips should come in handy, other cybersecurity experts have chalked the exploit up to businesses simply having poor security practices and habits. Understanding what information and data is being protected could lead to developing better cyber defense methods down the road.
“What’s at the root is that most organizations have terrible asset management practices. Simply put, if you don’t know what you have, you can’t possibly secure it,” said Matt Chiodi, chief trust officer at Cerby. “Asset management is extremely hard, especially when you factor in cloud applications. When it comes to your own homegrown applications in the cloud, developers rarely keep track of what software components they use. For SaaS applications, you need to count on the vendor knowing what they’ve developed and which software components are being used. This is all about software supply chain security, which is broken today.”