On December 10th, 2021, a critical vulnerability in the open-source Apache logging library known as Log4j was made public. This has created a lot of concern and consternation among IT professionals, systems administrators, and business leaders across a wide spectrum of industries. In fact, several horrifying and high-profile breaches have now occurred as a result.
What you’re reading is true, and for several reasons it’s a scary bug:
- It is widely used as a component of many public and private systems, such as network equipment, public websites, and software packages;
- It is commonly bundled into web server software, so by its nature it has the potential to affect systems connected directly to the Internet;
- The flaw is easy to exploit and allows an attacker to take full control of an affected system; and
- Identifying the impacted systems is challenging because it is embedded in such a broad array of products and solutions, and applying patches may cause downtime for critical business systems.
When bugs of this type are disclosed, they generate a lot of noise from the cybersecurity community, much of it well justified. This is a serious issue affecting governments, large businesses, and the data of millions of people, and drawing attention to it helps to mitigate the threat.
As serious as it is, there are businesses – well prepared, with diligent cybersecurity programs – that have been able to respond with relative ease. That requires having the following controls and systems in place:
- Layers of overlapping protections (defense in depth) that limit the impact of any single weakness or failure. For example, if you had a web application or endpoint exposed to the Internet that was vulnerable to Log4j, a Web Application Firewall (WAF) such as Cloudflare’s would have shielded your system from exploitation attempts until you were able to properly patch the vulnerable application.
- An accurate and up-to-date inventory of systems and software, so that a quick assessment could be made and an effective mitigation plan could prioritize the systems at greatest risk. Internet-connected systems could be patched or taken offline first, and the remaining systems could be patched within an appropriate timeframe.
- Existing vulnerability management tools to run additional discovery and identify potentially overlooked systems. Inventories are sometimes incomplete, or important details such as bundled libraries are left out; EDR software and a network scanning tool can quickly identify any systems that may have been missed.
- A patching program that reliably schedules patching across systems and can deploy on-demand patches based on severity (CVSS) ratings and other defined criteria.
- Monitoring and logging tools to identify any systems that may already have been compromised, and to evaluate the rest to confirm they were not compromised before the patches or mitigations could be applied.
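The “additional discovery” step above matters because vulnerable copies of log4j-core are often nested inside WAR, EAR or fat jars where a file-name search will not find them. The following is an added example (not Ihloom’s tooling or the Log4j project’s code) that walks a directory, reads the version from each archive’s embedded `pom.properties`, recurses into nested archives, and treats a jar whose `JndiLookup` class has been removed as mitigated; the version thresholds (2.x below 2.15.0 affected, 2.12.2 and 2.3.1 as backported fixes) are assumptions stated in the comments.

```python
import io, os, re, tempfile, zipfile
# Added example, not Ihloom's tooling. Assumption: Log4j 2.x below 2.15.0 is affected;
# 2.12.2+ and 2.3.1+ are the backported fixes for older Java runtimes.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(pom_text):
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def is_vulnerable(version, has_jndi_class):
    # Deleting JndiLookup.class was the documented manual mitigation: treat it as mitigated.
    if version is None or version[0] != 2 or not has_jndi_class:
        return False
    return version < {12: (2, 12, 2), 3: (2, 3, 1)}.get(version[1], (2, 15, 0))

def scan_archive(zf, label, findings):
    """Record every log4j-core copy in zf, recursing into nested jars/wars (fat jars)."""
    names = set(zf.namelist())
    if POM in names:
        version = parse_version(zf.read(POM).decode("utf-8", "replace"))
        findings.append((label, version, is_vulnerable(version, JNDI_CLASS in names)))
    for name in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
        data = io.BytesIO(zf.read(name))
        if zipfile.is_zipfile(data):  # skip entries that merely look like archives
            with zipfile.ZipFile(data) as inner:
                scan_archive(inner, f"{label}!{name}", findings)
    return findings

def scan_tree(root):  # walk a directory; return (path, version, vulnerable) per copy found
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files)):
            if path.lower().endswith(ARCHIVES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
    return findings

def build_sample_tree():  # constructed fixture: one WAR bundling log4j-core 2.14.1 and 2.17.1
    root = tempfile.mkdtemp()
    def jar_bytes(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM, f"version={version}\n")
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        return buf.getvalue()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar_bytes("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", jar_bytes("2.17.1"))
    return root
```

Run `scan_tree` against application directories and container image layers, and reconcile the hits with the asset inventory; a copy found here that is missing from the inventory is exactly the gap the bullet above describes.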
Using a security framework like NIST’s Cybersecurity Framework (NIST CSF) helps organizations evaluate and implement effective cybersecurity controls like the ones described above. This is how Ihloom helps protect its clients every day. Our evaluative measures, management tools, and best practices help businesses prepare for these inevitable events, maintain a robust security posture, and avoid what now seem like weekly security scares and “patch now” events.