Organizations that adopt technology for their business must carefully tread the path of managing the risk (e.g., financial, reputational, operational, legal) associated with vulnerabilities. However, vulnerabilities in the information age are increasingly tough to manage and their impact goes far beyond quantification. One such global vulnerability is the Log4j weakness. Attackers’ exploitation of vulnerabilities in the Log4j component in November and December 2021 impacted countless organizations around the world and will continue to be a weakness for years to come. More than 35,000 Java packages, amounting to more than 8 percent of the Maven Central Repository (the most significant Java package repository), were affected by Log4j vulnerabilities.1 A report by the Cyber Safety Review Board (CSRB) noted that the Log4j vulnerability impacted virtually every networked organization, and the severity of the threat required fast action.2 However, the absence of a comprehensive customer list for Log4j, or even a list of where it is integrated as a subsystem, hindered a speedy response. Organizations and vendors alike struggled to discover where they used Log4j, and security enthusiasts and hackers compounded the problem by combining vulnerabilities, which contributed to confusion and response fatigue.3 Given the significance of this event, there are many lessons to be learned and improvements to be made to organizations’ cyber capabilities.
Log4j Vulnerability
Log4j is a Java-based open-source software product used by many developers to collect and manage information about system activities.4 Although Log4j has been around since 2001, the vulnerability was identified in Log4j version 2, released in 2014 for general use by the Apache Software Foundation (ASF).
Based on crowdsourced information, the Cybersecurity and Infrastructure Security Agency (CISA) tracked a list of vendors affected by the Log4j vulnerability.5 Although this list is still evolving, an analysis of trends revealed (figure 1):
- Out of a total of 2,100 software vendors listed across 26 pages, the Log4j vulnerability has been fixed by approximately one-third of those vendors.
- For more than 50 percent of the tracked vendors, the remediation status of this vulnerability and/or its applicability are unknown.6
Given the widespread use of this software, the Log4j vulnerability has already been dubbed an “endemic” vulnerability.7
Cyber Safety Review Board
In light of events surrounding the Log4j vulnerability, US President Joe Biden issued an executive order establishing the US Cyber Safety Review Board (CSRB) to review major cyberevents, make concrete recommendations to enhance cybersafety in the public and private sectors, and improve the state of national cybersecurity in the United States. One of the key advantages of working in the cybersecurity field is its close-knit community, which shares and exchanges information to build collective cyberdefense capabilities. The CSRB includes both US government and private-sector members, and it has a direct path to the US secretary of homeland security and the US president to ensure that its recommendations are addressed and implemented.8
The CSRB’s first assignment was to review the significant cyberevents associated with exploitation of the Log4j vulnerability and make recommendations to help the cybercommunity improve its defense and response capabilities.
Bringing CSRB Recommendations to Life
The CSRB’s report is organized into four themes and 19 recommendations (figure 2).
Source: Adapted from Cyber Safety Review Board (CSRB), Review of the December 2021 Log4j Event, USA, 2022, http://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
An analysis of these themes indicates that the Log4j vulnerability highlighted several capability gaps that need to be fixed. The widespread attack was a wake-up call for both private- and public-sector organizations to adopt an all-hands-on-deck approach to addressing these gaps and collectively reducing the impact of similar events in the future. The foundation of cybersecurity risk management is to minimize the impact of attacks across various dimensions—business, revenue, compliance, reputation—and to recover the systems, data and business within a reasonable time. Further, because resources (i.e., scope, cost, schedule) are always limited, prioritization is necessary to reap the benefits from investments.
Broadly, if the CSRB’s four themes were categorized based on a few key attributes, the distribution would be as illustrated in figure 3.
The themes and recommendations from the CSRB report are directed toward a range of stakeholders, including organizations, regulators, government agencies, software vendors, developers and technology professionals. Figure 4 illustrates how these recommendations would be distributed among stakeholders based on primary ownership (O) and contribution/consultation (C). This is only an approximation; the reality may vary, depending on the context and technologies under consideration.
Theme 1: Address the Continuing Risk of Log4j
Figure 5 outlines the key actions and considerations recommended by the CSRB under Theme 1.
Theme 2: Drive Existing Best Practices for Security Hygiene
Figure 6 outlines the key actions and considerations recommended by the CSRB under Theme 2.
Sources: a) Stone, M.; C. Irrechukwu; H. Perper; D. Wynne; L. Kauffman; National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-5 IT Asset Management, USA, September 2018, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-5.pdf; b) Cybersecurity and Infrastructure Security Agency (CISA), “Software Bill of Materials (SBOM),” USA, http://www.cisa.gov/sbom; c) National Telecommunications and Information Administration (NTIA), “Software Bill of Materials,” USA, http://ntia.gov/page/software-bill-materials; d) Badlani, D. K.; A. Diglio; “Microsoft Open Sources Its Software Bill of Materials (SBOM) Generation Tool,” Engineering@Microsoft, 12 July 2022, http://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-software-bill-of-materials-sbom-generation-tool/; e) Lum, B.; M. Maruseac; I. Hepworth; “Announcing GUAC, a Great Pairing With SLSA (and SBOM)!” Google Security Blog, 10 October 2022, http://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html; f) Cybersecurity and Infrastructure Security Agency, Cybersecurity Incident and Vulnerability Response Playbooks, USA, November 2021, http://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf; g) International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), ISO/IEC 27034-1:2011 Information technology—Security techniques—Application security, Switzerland, 2011, http://www.iso.org/standard/44378.html; h) Souppaya, M.; K. Scarfone; D. Dodson; National Institute of Standards and Technology (NIST) SP 800-218 Secure Software Development Framework, Version 1.1, USA, February 2022, http://csrc.nist.gov/publications/detail/sp/800-218/final
Theme 3: Build a Better Software Ecosystem
Figure 7 outlines the key actions and considerations recommended by the CSRB under Theme 3.
Sources: a) Open Source Security Foundation (OpenSSF), “Secure Software Development Fundamentals Courses,” http://openssf.org/training/courses/; b) Github, “OSSF Scorecard,” http://github.com/ossf/scorecard; c) Open Web Application Security Program (OWASP), “About the OWASP Foundation,” http://owasp.org/about/; d) Open Source Security Foundation (OpenSSF), “The Open Source Security Mobilization Plan,” http://openssf.org/oss-security-mobilization-plan/
Theme 4: Invest in the Future
Figure 8 outlines the key actions and considerations recommended by the CSRB under Theme 4.
Conclusion
The CSRB report is an important compilation of lessons learned from the Log4j cyberevent.9 Although such events can shake the belief (i.e., digital trust) in organizations and technology, they also provide opportunities to advance research and strengthen the control ecosystem. This leads to technologies that are resilient and engender confidence in the tech ecosystem. Both private and public organizations should do more than secure their own environments; they should also help secure the technology ecosystem. After all, as Vincent Van Gogh said, “Great things are done by a series of small things brought together.”10
Endnotes
1 Wetter, J.; N. Ringland; “Understanding the Impact of Apache Log4j Vulnerability,” Google Security Blog, 17 December 2021, http://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html
2 Cyber Safety Review Board (CSRB), Review of the December 2021 Log4j Event, USA, 2022, http://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
3 Ibid.
4 Ibid.
5 Github, “Log4j Affected DB/Software Lists,” http://github.com/cisagov/log4j-affected-db/tree/develop/software_lists
6 Ibid.
7 Volz, D.; “Major Cyber Bug in Log4j to Persist as ‘Endemic’ Risk for Years to Come, U.S. Government Board Finds,” The Wall Street Journal, 14 July 2022, http://www.wsj.com/articles/major-cyber-bug-in-log4j-to-persist-as-endemic-risk-for-years-to-come-u-s-government-board-finds-11657796400
8 Cybersecurity and Infrastructure Security Agency (CISA), “Cyber Safety Review Board (CSRB),” USA, http://www.cisa.gov/cyber-safety-review-board
9 Op cit CSRB
10 Van Gogh, V.; http://www.brainyquote.com/quotes/vincent_van_gogh_120866
NINAD DHAVASE
Works with a big four consulting firm in Australia and has 13 years of experience in cybersecurity, with a focus on the financial services sector, including banking, capital markets, insurance and payments domains. His previous experience includes working with India’s largest stock exchange and clearing corporation, leading the cybersecurity governance, risk and compliance management areas. He volunteers as an ISACA® Journal article reviewer and has been a presenter at public forums and training sessions. The views expressed here are his own.