How to protect against 'endemic' Log4j vulnerabilities
A US government report details a series of recommendations to help counter the Log4Shell flaw in the long term
The US Department of Homeland Security has released the Cyber Safety Review Board’s (CSRB) report into Log4j vulnerabilities, which details actionable recommendations for government and industry.
The CSRB is a new public-private initiative within CISA that aims to bring together government and industry leaders to review and assess significant cyber security events and threats.
The board’s first report addresses the “continued risk” posed by the Log4Shell vulnerability in the widely used Log4j open-source software library, discovered in late 2021. It is one of the most prominent cyber security threats of recent years.
Described as “one of the most serious vulnerabilities discovered in recent years”, the CSRB’s recommendations focus on driving better security in software products, as well as enhancing organizations’ response abilities.
“The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security,” commented Secretary of Homeland Security Alejandro Mayorkas, who delivered the report to President Biden.
Grabbling with the Log4Shell vulnerability
First disclosed on 9 December 2021, Log4Shell is a zero-day remote code execution vulnerability in Java logger Log4j, which was awarded a 10/10 criticality rating by CISA.
In a nutshell, the flaw enables attackers to submit a specially crafted request to a vulnerable system, causing it to execute arbitrary code. As a result, the attackers can take full control of the affected system from a remote location.
According to CISA, cyber threat actors have continued to exploit the vulnerability in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
Log4Shell: Recommendations and best practice
The CSRB engaged with nearly 80 organizations and key individuals to gather insights into the Log4j event and develop actionable recommendations for future incidents.
The 19 recommendations outlined in the report have been split into four categories; the first focuses on addressing the continued risks and states that both organizations and government bodies should be prepared to apply vigilance to Log4j vulnerabilities “for the long term”.
An analysis of the European cyber threat landscape
Human risk review 2022Free Download
The second outlines recommendations for driving best practices for security hygiene, advising adoption of industry-accepted best practices and standards for vulnerability management. That includes investment in security capabilities and development of response programs and practices.
The third category advises organizations on building a better software ecosystem to move to a proactive model of vulnerability management, including increasing investments in open source software security, as well as training software developers in secure software development.
Lastly, the fourth group notes that investing in new systems and groups for the future will be essential in securing the US’ infrastructure and digital resilience in the long term.
“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future,” said Robert Silvers, CSRB Chair and DHS Under Secretary for Policy.
“Our review of Log4j produced recommendations that we are confident can drive change and improve cyber security.”
The state of Salesforce: Future of business
Three articles that look forward into the changing state of Salesforce and the future of businessFree Download
The mighty struggle to migrate SAP to the cloud may be over
A simplified and unified approach to delivering Enterprise Transformation in the cloudFree Download
The business value of the transformative mainframe
Modernising on the mainframeFree Download
The Total Economic Impact™ Of IBM FlashSystem
Cost savings and business benefits enabled by FlashSystemFree Download