Fault Log4j: 10 questions you need to ask
The UK National Cyber Security Center (NCSC) is urging company boards to start asking key questions about their readiness to reduce Log4Shell's widespread, critical flaw and rebalance in component error log based on Java Log4j.
NCSC calls Log4Shell "probably the worst computer vulnerability in years" and called on company boards to deal with this beast with urgency. It confirms that the Log4j bug - also known as Log4Shell - is a software component rather than a piece of software, which makes tuning much more complex.
Log4Shell is bad news today and is likely to slow down in enterprise systems for years despite major efforts by the U.S. government, major technical donors and open source to address flaws in the original Log4J version 2 project, implemented in major software products, and used in hundreds of millions of enterprise applications, servers and internet front-end tools.
LOG4J FLAW COVERAGE - WHAT WE ARE INFORMED NOW
There are ongoing efforts through the Apache Foundation to capture the core Log4j project, as well as downstream efforts by IBM, Cisco, Oracle, VMware and others to capture products that contain vulnerable versions of the Log4j component. Google has also released tools to prevent developers of vulnerable versions of Log4j in new builds of open source software. And the U.S. government has ordered all federal agencies to capture or discount Log4Shell before Christmas.
The crisis is reasonable. State-backed hackers have begun investigating the beast for possible future attacks, according to Microsoft and Google, while cyber criminals find out how to make a profit out. At the same time, the Belgian Ministry of Defense launched an attack on their network using the Log4j beast.
Key challenges include NCSC involving organizations in identifying which services use Log4j; identify which of these services an organization uses; and then find out if these services are vulnerable. CISA has asked all U.S. federal agencies to enumerate any front-end devices with Log4j installed. That's no small task, especially given the number of products affected by Cisco, IBM, Oracle and VMware. Due to the widespread use of the component in other products, CISA estimates that hundreds of millions of devices worldwide are open.
"How concerned should boards be?" NCSC asks.
Well, unless a business can break into its work from ransomware. While Microsoft has not found examples of the ransomware that are more dangerous to people using the vulnerability, it has seen Iranian threat actors working to use it for ransomware attacks.
NCSC has posed 10 questions to boards concerned about the fault:
- Who is ahead of our response?
- What is our plan?
- How will we know if we are being attacked and can we respond?
- What is the percentage visibility of our software / servers?
- How do we deal with IT / shadow devices?
- Do we know if major suppliers cover themselves?
- Is anyone in our group developing Java code?
- How do people describe issues they find for us?
- When did we last review our business continuity and emergency response plans?
- How do we prevent teams from firing out?
Boards should also consider the impact of Log4Shell if the business has to report where personal data has been affected, as well as any costs associated with responding to and recovering from an incident, and reputational damage.
“Managing this risk requires strong leadership, with senior managers working with technical teams to first understand their organisation's understanding, and then take appropriate action. "
NCSC states that Log4Shell guarantees organizations the creation of a “tiger team” of key employees, including a director, to deal with the threat. Boards should also ask 'what is our plan? ', And understand how Log4j issues can be remedied. Boards should understand that this will take weeks or months for remediation, not days.
Boards should know how the company is prepared to respond to a Log4Shell attack if and when it occurs, and whether the company can determine whether such an attack could occur. It emphasizes that boards should understand the visibility of their teams of vulnerable software and servers, including centrally managed and unmanaged IT funds.
LOG4J FLAW COVERAGE - HOW TO DO IT TO HELP YOU
The software supply chain is another key consideration. NSCS recommends that organizations have an "open and honest conversation" with software providers as a service that may be trying to capture what their products are affected by.
Java is a popular programming language in enterprise IT used by approximately 12 million developers worldwide.
“Java developers may have used Log4j legitimately, so it’s important to make sure that no scripting software is vulnerable,” NCSC notes. As previously mentioned, Log4j version 2 ships with the popular Apache frameworks Log4j version 2 (Log4j2) including Struts2, Solr, Druid, Flink, and Swift.
Finally, after two years of supporting remote operations during the pandemic, a year of professional ransomware attacks and state-sponsored attacks on the software supply chain and the critical day-to-day Exchange Server vulnerabilities, NCSC warns that some cybersecurity teams could suffer burns. during Log4Shell treatment. This is a board level concern.
"Correcting this issue is likely to take weeks, or months for larger groups. The combination of an ever - changing situation (and the potential for adverse effects) can lead to a burnout. defense, if they do not have the support of leadership, "the NSCS stressed.