on 9th December, When the Apache Software Foundation uncovered a massive vulnerability in its Java logging library, Log4j, it triggered a cat-and-mouse game as IT professionals raced to secure their systems against cybercriminals. Looking to exploit a huge, now-known, issue. These included clients of George Glass, the head of threat intelligence in governance, and risk company Kroll. “Some of the companies we talked to knew there were applications that were affected,” he says. Problem? He had no access to them. “Maybe it’s a SaaS platform or it’s hosted elsewhere,” he says. They weren’t able to patch the Log4j binary themselves, and were instead faced with a difficult decision: shut down that specific application and stop using it, potentially reconfiguring their entire IT infrastructure. , or take the risk that third-party fixes will come quicker than state-sponsored and private hackers are trying to take advantage of.
At the same time as cyber security experts were trying to figure out their vulnerability to the problem, they were struck by the constant warnings and forced them to act more quickly. First, the US Cyber Security and Infrastructure Security Agency (CISA) set up federal agencies A deadline of Christmas Eve is to find out if they used Log4j in their system, and patch it. CISA Director jane easterly Said it was the most serious vulnerability he had seen in his career.
Freeze To help IT professionals understand if they need to do something, CISA created a 12-part flow chart diagram (“weak,” “no”) with three steps, two verification methods, and multiple routes and three outcomes. Provided a five-step process with “vulnerable,” and, confusingly, “not potentially vulnerable”). In early January, federal agencies had started work Log4j is trying to identify any exposures to the vulnerability, but specifically hasn’t completely fixed it. “All the major agencies have made significant progress,” says a CISA spokesperson.
Then, on January 4, CISA and the Federal Trade Commission issued a warning for American businesses. “When vulnerabilities are discovered and exploited, it carries the risk of loss or breach of personal information, financial loss and other irreversible damages,” the FTC wrote. “It is critical that companies that rely on the Log4j Act and their vendors now enact the Act, to reduce the potential for harm to consumers and avoid FTC legal action.”
The federal body said it would not hesitate to exercise its full legal authority “to pursue companies that seek to protect consumer data from risks resulting from log4j, or similar known vulnerabilities in the future, to take appropriate steps.” I fail.”
The statement shifted the calculation of risk and liability to businesses. They feel compelled to act when they are threatened with legal action. The challenge, however, is finding out whether they are affected.
The ubiquity of Log4j makes it difficult to know whether an individual organization has been affected. first searched MinecraftSince then, the Log4j vulnerability has been found on cloud applications, enterprise software, and everyday web servers. The program is an event recorder, which monitors simple actions, both routine and errors, and reports them to system administrators or users. And Log4j is a small but common component in thousands of products—many of which are then bundled into larger projects. So-called indirect dependencies—packages or parts of programs that businesses use as part of their IT solutions that inadvertently use Log4j—are one of the biggest risks, Google obeysWith more than four out of five vulnerabilities, there are many layers hidden in the interconnected web of software.
“The FTC has decided to go with a big hammer,” says Ian Thornton-Trump, chief information security officer at threat intelligence firm Syjax. But he doesn’t necessarily think it’s the right move, calling it “interesting” and an unhelpful way to rectify the situation. Thornton-Trump believes that large companies are conscious of what they should do when faced with an issue like this, and they don’t have to turn their necks down to the FTC to take action. “You don’t need a federal government agency telling you what the priorities are for your business when they don’t even know what your real business risk might be,” he says.
Others disagree. “Part of the chaos is that all of these large supply chain issues can lead to a disproportionate effort to remedy,” says Katie Mausoris, founder and CEO of Luta Security, a cybersecurity consultant. “So I think the pressure from the FTC is significant.”
The FTC’s bravery in forcing companies to act is the end result of a government department that genuinely wants to help businesses in the United States and abroad, but is constrained by a lack of political will through meaningful cybersecurity legislation. which is not specifically focused on the limited. Areas like health care or financial data, Thornton-Trump says. As a result, US cybersecurity policy is reactive, trying to fix issues after coming under the penalty of legal action rather than being proactive, they argue. Still, the FTC’s move is a significant one: although the FTC is the only government body globally that issues warnings to companies to fix the problem or else, the Log4J vulnerability affects hundreds of millions of devices.
Some businesses that fall under the regulator’s purview may have unforeseen crises to deal with – for example, companies that have CCTV security cameras that are exposed to the Internet without compensatory controls, calling it “absolutely disastrous.” can be found,” Thornton-Trump says. Any Internet-of-Things devices that use Log4j and are vulnerable can act as an open door for hackers, allowing them to easily access a much larger, more lucrative network whose Through this they can wreak havoc. Thornton-Trump saw such an attempt at one of its clients, a managed service provider in Canada. “The firewall traced Log4j exploit attempts to hit the CCTV cameras that were exposed,” he says. Thankfully, it was a security company scanning for vulnerabilities, not a malicious attack.
It is unlikely that many businesses will be able to meet the FTC’s demand to find and path the Log4j vulnerability immediately. Nor is it immediately clear how the FTC would be able to investigate whether an organization was exposed to the Log4j vulnerability and did nothing, given how troubled businesses are exposing their own risk. . In fact, the FTC’s warning comes at a time when Global shortage of cyber security professionals And work from home practices are putting more pressure on the system than ever before, says Thornton-Trump. “They may not even have the ability to patch updates on it because their software that is vulnerable, is out of the lifecycle, or has been sold to a developer.”
Such issues, he says, are likely to adversely affect small and medium businesses – and make it impossible to easily fix. Sonatype Analysis has found that about 30 percent of Log4j’s consumption is from potentially vulnerable versions of the tool. “Some companies just don’t get the message, don’t have the content, and don’t even know where to start,” Fox says. Sonatype is one of the companies that provides a scanning tool to identify the problem, if it exists. A client told them that without it, they would have to send an email to the 4,000 application owners they work with and ask them to personally find out if they had been affected.
Part of the issue, of course, is the excessive reliance by for-profit businesses on open source, free software developed and maintained by a small, overpriced team of volunteers. The issues with Log4j are not the first— Heartbleed bug that devastated OpenSSL in 2014 There’s one high-profile example of a similar problem—and it won’t be the last. “We wouldn’t buy products like cars or food from companies that had really terrible supply chain practices,” says Brian Fox, chief technology officer at Sonatype, a software supply chain management and security specialist. “Yet we’re doing it with software all the time.”
Companies that know they use Log4j and are on a fairly recent version of the utility need not worry and have little to do. “It’s the best answer to this: It can actually be very simple,” says Fox.
The problem comes when companies don’t know they use Log4j, because it’s used in a small portion of a fetched application or tool that they don’t have any monitoring, and it doesn’t. Know how to start looking for it. “It’s like figuring out what iron ore went into the steel that found its way into the pistons in your car,” says Glass. “As a consumer, you have no chance of finding out.”
Log4j’s vulnerability, in a software library, makes it difficult to fix, says Moussouris, because many organizations have to wait for software providers to patch it themselves—something that can take time and testing. “Some organizations have highly technical skilled people inside them who can perform various mitigation tasks while they wait, but essentially, most organizations rely on their vendors to produce high quality patches that contain those packages. updated libraries or updated content,” he says.
Yet companies large and small across the United States and around the world are moving forward, and rapidly. One of them was Starling Bank, a UK-based challenger bank. Since its systems were largely built and coded in-house, they were able to quickly find that their banking systems would not be affected by the Log4j vulnerability. “However, we also knew that there could be potential vulnerabilities in the code generated from the third-party platforms and libraries we used,” says Mark Rampton, the bank’s head of cybersecurity.
were there. “We quickly identified instances of Log4j code that were present in our third-party integrations…