What is the Log4j vulnerability?

By Jason Golden | January 11, 2022

All NH businesses should be aware of the threat and take necessary action

The top U.S. cybersecurity officials have called the Log4j vulnerability one of the most serious security flaws in decades. The Common Vulnerability Scoring System (CVSS), which rates the severity of security flaws on a scale of one to 10, rates the Log4j vulnerability a 10. Currently, any application using Log4j is at risk, giving cybercriminals an easy, password-free entrance to your systems. Businesses in New Hampshire should be aware and take necessary action.

Log4j is a Java-based, open-source logging software used to store and file information such as user activity to help companies understand potential bugs or performance issues. Open-source libraries like Log4j are common. In fact, 60.8 percent of all Java-based applications use Log4j in some sort of third-party application, but it’s often buried under layers of other software. According to U.S. cybersecurity officials, this means hundreds of millions of devices can be impacted by the Log4j vulnerability.

How the Log4j vulnerability threatens businesses

The source of the problem with the Log4j vulnerability is what’s called Remote Code Execution (RCE). It’s the worst kind of vulnerability. Through RCE, a hacker can take control of your systems remotely, gaining full access to your computer to steal, ransom, or erase critical information.

Right now, with Log4j, we’re dealing with what’s known as a “zero-day vulnerability,” meaning there isn’t a patch yet. When this happens, if you don’t already have a plan with predefined roles and responsibilities, you’re already starting at a deficit. It’s important to be intentional about your organization’s cybersecurity by taking inventory of your team, roles and responsibilities; cataloging your systems; deepening your defenses; and communicating openly and frequently.

Here’s what you need to do ahead of time:

1. Take inventory of your team, roles and responsibilities.

You need to have the right people with the right skill sets supporting your information security program, which is different from just managing your IT. It also depends on your industry and what’s specifically required. For example, government contractors fall under certain guidelines and regulations and often have contract requirements to prepare for standards such as the Cybersecurity Maturity Model Certification (CMMC).

2. Catalog your systems and vendors.

You need an updated record of all your systems, how to protect them, and your vendor contacts. Many organizations use third-party vendor software, and some may even use internally developed software, which is often created for functionality but not for security. For example, if your payroll system is owned by another vendor, you can’t put a recovery patch on that system directly because you don’t own it. Instead, you’ll need to monitor your systems and communicate with vendors on the plan and next steps for patching the security hole.

3. Deepen your defensive layers.

Your security needs depth and layers to prevent malicious users from getting access to all your systems. Three common mitigating controls for your security defenses are strong passwords; multi-factor authentication (MFA), which requires a user to provide multiple ways to confirm their identity; and endpoint detection and response (EDR) tools, which combine real-time continuous monitoring with automated alerts. Defensive layers are important because if you do get a zero-day vulnerability, it’s a race between cybersecurity experts searching for a way to patch the vulnerability and hackers trying to force their way in.

4. Communicate frequently with vendors, business leaders and customers.

Communication is a huge part of cybersecurity operations. If you were to face a maximum-severity security threat, you need to be able to explain the worst-case scenario of what will happen if a system is taken over. The truth is cybersecurity experts can’t prevent everything. You have to create disaster recovery and business continuity plans with great intentionality. You have to design plans with the worst-case scenario in mind and communicate that clearly to business leaders and vendors. If not, you’re set up for failure.

Vulnerability is possible with any software

Sure, open-source programs are prevalent, but this sort of vulnerability doesn’t happen only with open-source software. There are enterprise-level applications used by Fortune 500 companies that suffer the same problems too. It’s a war between hackers looking for an open door to exploit and ethical teams scrambling to close that door. Regardless of the type of vulnerability, there are two things to ask immediately: what’s in our control, and what’s outside our control? Anything that is in our control, we can immediately scan for its existence and instantly go into patching. Anything outside of our control, we begin the conversation with the vendor providing the software to see if there is a patch right away or whether we must go into remediation mode, either to turn off systems that aren’t mission-critical or to monitor and mitigate further risk.
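The “scan for its existence” step above, and the system catalog from step 2, both start with the same question: where, exactly, does log4j-core live on our servers? Because the library is often buried inside other software (a .war, a vendor’s shaded bundle), a filename search alone misses copies. The following is an added example written for this article, not code from the author or from the Log4j project. It walks a directory tree, opens every jar/war/ear, recurses into archives nested inside archives, and reports each copy of log4j-core with the version read from its Maven pom.properties (falling back to the filename) and whether the JndiLookup class is still present, which tells you if the class-removal mitigation has already been applied to that copy. The sample tree built by `build_sample_tree` is constructed for the demo, and the version strings in it are sample values; compare the reported versions against your vendor’s or the Log4j project’s current guidance, which this example deliberately does not hardcode.

```python
"""Added example: inventory scan for copies of log4j-core on a filesystem.
The sample tree built by run_demo() is constructed for this example."""
import io
import os
import re
import shutil
import tempfile
import zipfile

# Standard Maven metadata path inside a log4j-core jar; carries a "version=" line.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class behind the JNDI feature; its absence in a copy usually means
# the class-removal mitigation has already been applied there.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def _version_from_properties(text):
    """Extract the version= line from a Maven pom.properties file."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf, display_path, findings):
    """Record log4j-core evidence in an open ZipFile, recursing into nested archives."""
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        version = _version_from_properties(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
    match = NAME_RE.search(os.path.basename(display_path))
    if version is None and match:  # fall back to the version in the filename
        version = match.group(1)
    if version is not None or JNDI_LOOKUP_CLASS in names:
        findings.append({"path": display_path, "version": version,
                         "jndi_lookup_present": JNDI_LOOKUP_CLASS in names})
    for name in sorted(names):  # wars and shaded/fat jars nest further archives
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{display_path}!/{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Return findings for every archive under root, sorted by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, filename)
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, os.path.relpath(full, root), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["path"])


def _jar_bytes(entries):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(base):
    """Constructed sample: three copies of log4j-core hidden in different ways."""
    pom = b"version=2.14.1\n"  # sample value, not a recommendation
    os.makedirs(os.path.join(base, "app", "lib"))
    os.makedirs(os.path.join(base, "vendor"))
    # 1. plain jar on the classpath, JndiLookup class still present
    with open(os.path.join(base, "app", "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_jar_bytes({POM_PROPERTIES: pom, JNDI_LOOKUP_CLASS: b"\xca\xfe"}))
    # 2. same jar nested inside a war, but with JndiLookup.class already removed
    inner = _jar_bytes({POM_PROPERTIES: pom})
    with open(os.path.join(base, "app", "service.war"), "wb") as f:
        f.write(_jar_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": inner}))
    # 3. vendor bundle that shades log4j-core: no hint in the filename at all
    with open(os.path.join(base, "vendor", "reporting-bundle.jar"), "wb") as f:
        f.write(_jar_bytes({POM_PROPERTIES: b"version=2.13.3\n", JNDI_LOOKUP_CLASS: b"\xca\xfe"}))
    # 4. unrelated vendor jar that must not be reported
    with open(os.path.join(base, "vendor", "payroll-client.jar"), "wb") as f:
        f.write(_jar_bytes({"com/example/Payroll.class": b"\xca\xfe"}))


def run_demo():
    """Build the constructed tree in a temp dir, scan it, clean up, return findings."""
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        return scan_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run as-is it scans the constructed tree; point `scan_tree` at a real application root to produce the catalog entry for that host. The demo reports the nested copy with a `!/` separator in its path, so the finding names the war that has to be rebuilt or replaced, not just the library; that is the record you need when the owner of the affected system is a vendor rather than your own team.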

If, at the moment, you don’t have the luxury of planning, please contact an expert with in-house resources.

At Mainstay Technologies, we have a team of security professionals monitoring, patching, and testing for vulnerabilities like Log4j. Our teams of security professionals and systems administrators inventory all our clients’ systems, software, and third-party applications. We know who to reach out to and communicate with regarding patching schedules, and outside of that, we make sure your security environment has depth and layers built into its fabric. These are the skill sets you should look for to most effectively combat vulnerabilities like Log4j.

This article was originally published by the New Hampshire Business Review.