Expect Log4j to be Exploited "For Years to Come," CSRB Says | Digital Guardian


by Chris Brook on Monday July 18, 2022

A new report, the first from DHS' Cyber Safety Review Board, includes recommendations to address the Log4j vulnerability.

For defenders, the trouble associated with Log4j, a name that has become shorthand for Log4Shell, the critical remote code execution (RCE) vulnerability in Apache's Log4j logging tool, has been well documented since its discovery last year.

Since its discovery in late November, the U.S. government has urged organizations to take action to protect against Log4j exploitation and, in many scenarios, to assume compromise first and then monitor for malicious activity.

A new report issued on behalf of the Department of Homeland Security last week probably won’t do much to assuage administrators’ fears around the vulnerability. The report, the first from the department's Cyber Safety Review Board - a consortium established as part of President Biden's Executive Order (EO) 14028 on 'Improving the Nation's Cybersecurity' - warns the Log4j vulnerability is "endemic" and that it could linger in systems for years to come, potentially as long as a decade.

As grave as that diagnosis sounds, it can be argued that it’s made worse by the fact that many organizations lack the right tools to detect compromised software and locate potentially affected software assets.

“At this time, Log4j has become an “endemic vulnerability” that will be exploited for years to come. The impact to organizations over the long term will be difficult to assess without better tools for discerning real exploitation and centralized reporting of successful compromises,” the CSRB writes.

For the report, the board, which is comprised of 15 experts from both the U.S. government and the private sector, talked to nearly 80 organizations to get a better idea of what happened in the lead-up to the bug's disclosure and which recommendations to adopt to mitigate exploitation.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity,” CSRB Chair and DHS Under Secretary for Policy Robert Silvers said following the report’s release.

Just because the board believes the vulnerability isn't going away anytime soon doesn't mean organizations should relax their vigilance, however.

In addition to continuous monitoring to ensure vulnerable versions of Log4j aren't introduced into systems, the CSRB continues to urge CISOs to report any incidents involving Log4j to the FBI or CISA.

The board is hoping the incident serves as a wake-up call for organizations to adopt industry-accepted practices around vulnerability management and security hygiene, like ensuring they have the means to maintain an IT asset and application inventory so they'll know which assets are part of their systems. In addition, organizations should ensure they have a documented vulnerability disclosure and handling process and a vulnerability response program in place to delegate fixing such issues.

Lastly, the board is stressing that Log4j has increased the need for software that's secure by design. That means tapping open source developers for security initiatives, training developers in secure software development, upping investments in open source software security, and improving SBOM (software bill of materials) adoption, something that should in theory make it easier for organizations to know when their software is composed of vulnerable components.
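As an added example of the inventory and SBOM practices the board recommends (this is not code from the CSRB report or from Digital Guardian): a small Python script that reads a constructed CycloneDX-style SBOM and flags every Log4j component below a fixed-version threshold. The threshold value, the sample components and the purl layout are assumptions for the demo, not values taken from the article.

```python
# Added example (not from the CSRB report or Digital Guardian): scan a software
# inventory, here a constructed CycloneDX-style SBOM, for Log4j components below
# a fixed-version threshold. Assumption: the threshold comes from the Apache
# advisory you follow; "2.17.1" below is only a demo value, not article advice.
import json
import re

LOG4J_PURL_PREFIX = "pkg:maven/org.apache.logging.log4j/"  # Log4j 2 Maven group

def parse_version(text):
    """'2.14.1' -> (2,14,1,1,0); '2.0-beta9' -> (2,0,0,0,9); pre-releases sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    major, minor, patch, tag, tagnum = m.groups()
    pre = (1, 0) if tag is None else (0, int(tagnum or 0))
    return (int(major), int(minor), int(patch or 0)) + pre

def find_log4j_findings(sbom, min_fixed):
    """One (name, version, status) per Log4j component: 'vulnerable', 'fixed' or
    'unknown'. 'unknown' (no version recorded) is an inventory gap, not a pass."""
    threshold = parse_version(min_fixed)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")  # pkg:maven/<group>/<artifact>@<version>
        if not purl.startswith(LOG4J_PURL_PREFIX):
            continue
        version = comp.get("version")
        if not version:
            status = "unknown"
        elif parse_version(version) < threshold:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append((comp.get("name", purl), version, status))
    return findings

# Constructed sample: two log4j-core versions, an unversioned log4j-api, one unrelated lib.
SAMPLE_SBOM = json.loads("""{"bomFormat": "CycloneDX", "components": [
 {"name": "log4j-core", "version": "2.14.1",
  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
 {"name": "log4j-core", "version": "2.17.1",
  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
 {"name": "log4j-api", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api"},
 {"name": "jackson-databind", "version": "2.13.3",
  "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.3"}]}""")

if __name__ == "__main__":
    for name, version, status in find_log4j_findings(SAMPLE_SBOM, "2.17.1"):
        print(name, version, status)
```

A single threshold treats every older release line as vulnerable, which is the conservative reading; reconcile flagged items against the advisory's per-branch fixed versions before closing them out.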

These are only a handful of the 19 specific recommendations the report outlines for government and industry entities to follow. Those looking for more in-depth insight should read the 52-page paper; recommendations start on page 18.

Log4j is used in a wide swathe of consumer-facing and enterprise services, websites, and applications. That the board found that many organizations, six months after the fact, still haven't fully patched vulnerable instances of Log4j should indicate just how widespread the issue is going to continue to be for the industry.

CSRB's findings, coupled with CISA's guidance on detecting and mitigating the vulnerability, should help organizations continue down the right path, however.

Tags: Vulnerabilities

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.