CSRB released a report stating that the Log4j exploit is long-term, meaning businesses need to be ready in the event of a cyber-attack.
The Cyber Safety Review Board (CSRB) has recently been labeled: the Log4j security exploit as an ‘endemic vulnerability’ that will linger for years, according to a report released on July 11, 2022. The vulnerability itself has been discovered back in December 2021, requiring little to no hacking skills to take advantage of the security gap.
“We are at an important crossroads in the technology and cybersecurity industry, and the CSRB’s findings point the way for the future,” said Daniel Trauner, senior director of security at Axonius. “At some point, we’re going to see even more visible use of Software Bill of Materials (SBOM) reports. Just as the FDA expects consumers to be able to stay informed about what they’re putting into their bodies through standardized nutrition fact labels with clear lists of ingredients, companies and other entities using software will want — and ultimately need — transparency about what goes into the software they use.”
CRSB’s findings on Log4j
The Log4j vulnerability, also known as Log4Shell, is an open source Java-based logging framework that collects and manages information about system activity. In addition to being easy to use, the file is also free to download and extremely effective. Among Java developers, this piece of software is also embedded in thousands of other software packages. Its ease of use makes some hackers want to exploit various pieces of software that have not yet been patched as part of Log4j.
The flaw was found and published as a proof-of-concept by an engineer for Alibaba’s cloud security team. This became a serious problem on December 9, 2021 after the vulnerability was made public, when Cloudflare researchers discovered there were 400 scans per second trying to take advantage of compromised systems using the software. Security professionals have since made it a priority to mitigate the potential risk that makes this exploit easily and widely available to the masses.
TO SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Tips to stay safe from the Log4j exploit
To prepare for the long-term effects of this vulnerability, CSRB recommends the following tips to organizations:
- Ongoing Risks of Log4j. tackle
- Promote existing security hygiene best practices
- Build a better software ecosystem
- Invest in the future
By preparing to address the Log4j vulnerability in the long term, organizations can better observe and report actions to the appropriate authorities for monitoring purposes. This allows the required instances to collect the data needed to tackle the exploit in real time.
While these additional tips might come in handy, other cybersecurity experts have blamed the exploit on companies that simply have poor security practices and habits. Understanding what information and data is protected can lead to the development of better cyber defense methods.
“The bottom line is that most organizations have terrible asset management practices. Simply put, if you don’t know what you have, there’s no way you can secure it,” said Matt Chiodi, chief trust officer at Cerby. “Asset management is extremely difficult, especially when you take cloud applications into account. When it comes to your own applications in the cloud, developers rarely keep track of which software components they use. For SaaS applications, you must be able to count on the supplier knowing what they have developed and which software components are used. This is all about the security of the software supply chain, which is being broken today.”
