Cybersecurity is at the forefront of everyone’s minds as we kick off the new year. In December, the Log4j vulnerability, a bug in the Java-based Log4j logging library, rose to prominence, leaving cybersecurity experts everywhere racing to patch it.
Logging libraries normally just record what software is doing, but this one was found to allow remote code execution, letting attackers run their own code on servers that use the library or mount denial-of-service attacks against them.
Though new cybersecurity vulnerabilities emerge regularly, this exploit is particularly worrying due to the software’s ubiquity. Log4j is part of the Apache open-source software project, the self-proclaimed “most popular open-source software.” Within less than a month, hackers had attempted to use the Log4j vulnerability to access almost half of the world’s corporate networks, according to cybersecurity firm Check Point.
Entities from financial institutions to universities to governments are at risk, and even nation-state actors have been observed exploiting the Log4j issue. Microsoft’s Threat Intelligence Center has found that groups backed by the governments of China, Iran, North Korea, and Turkey are using this exploit. The vulnerability has had engineers working around the clock to find and patch the bug everywhere from Google to Minecraft servers.
With concerted efforts from widely used services and Apache’s new security patch, the greatest cause for concern may be for organizations that don’t realize their systems are vulnerable and wouldn’t be inclined to fix the problem themselves.
The Cybersecurity and Infrastructure Security Agency (CISA) gave civilian Executive Branch agencies an emergency directive to fix their Log4j vulnerabilities. Regulation for the private sector is fast approaching.
In the first week of January, the FTC announced possible legal action against companies that do not patch Log4j issues. Citing the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, the FTC warned that damages arising from a failure to patch a known vulnerability can result in litigation similar to Equifax’s data breach settlement. The credit reporting company agreed to pay a $700 million fine to the FTC, CFPB, and individual states for failing to fix a bug in the Apache Struts open-source software, compromising the sensitive data of 147 million consumers.
To help affected organizations avoid legal action, CISA has released guidance on mitigation steps to take, including updating products that use Log4j and distributing guidance to end users and other vulnerable parties.
In large part, the recommended mitigation strategies rely on testing for the vulnerability. CISA, along with several private sector firms, has supplied software that scans for Log4j vulnerabilities. When a vulnerability is discovered, CISA recommends that affected organizations complete the appropriate updates, conduct a security review, and report any compromises to CISA and the FBI. Because of the possibility of “back doors” left behind by earlier intrusions, it’s important not to depend on software updates as a complete solution, but to treat them as one part of the mitigation process.
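The scanning step above is the one most organizations get wrong, because Log4j is rarely installed on its own: it is bundled inside application archives, often nested inside other archives (a log4j-core jar inside a .war or a fat jar). The following Python script is an added example for this article, not CISA's or any vendor's scanner. It walks a directory tree, opens every .jar/.war/.ear/.zip it finds, recurses into archives nested inside them, and reports each copy of log4j-core with its bundled version and whether the JndiLookup class is still present (removing that class from the classpath was the documented workaround for deployments that could not upgrade). It assumes the standard Maven metadata path inside an unmodified log4j-core jar; the sample archives it builds for the demonstration are constructed fakes with a placeholder version string, not real Log4j code.

```python
"""Added example (not the article's or CISA's tooling): inventory scanner that
finds bundled copies of log4j-core, including inside nested archives."""
import io
import os
import tempfile
import zipfile

# Standard Maven metadata path inside a log4j-core jar (assumption: unmodified jar).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal from the classpath was the documented Log4Shell workaround.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties_text):
    """Return the 'version=' value from a Maven pom.properties file, or None."""
    for line in pom_properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def inspect_archive(data, label, findings):
    """Inspect one archive (raw bytes), recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (or corrupt); nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            findings.append({
                "archive": label,
                "version": parse_version(text),
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        for name in names:  # fat jars / wars carry jars inside them
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Walk root and inspect every archive found; return the list of findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), label, findings)
    return findings


def _make_jar(entries):
    """Build an in-memory zip from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Write constructed sample archives (fake contents, placeholder version) under root."""
    with_lookup = _make_jar({
        POM_PROPERTIES: b"version=X.Y.Z-placeholder\n",  # constructed, not a real version
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",          # fake class bytes
    })
    stripped = _make_jar({POM_PROPERTIES: b"version=X.Y.Z-placeholder\n"})  # class removed
    unrelated = _make_jar({"com/example/App.class": b"\xca\xfe\xba\xbe"})
    fat_war = _make_jar({"BOOT-INF/lib/log4j-core.jar": with_lookup, "index.html": b"<html/>"})
    os.makedirs(os.path.join(root, "lib"))
    samples = [("lib/log4j-core.jar", with_lookup), ("lib/log4j-core-stripped.jar", stripped),
               ("lib/other.jar", unrelated), ("app.war", fat_war)]
    for name, data in samples:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root), key=lambda f: f["archive"])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The scanner deliberately reports rather than judges: the version it extracts must be compared against the fixed versions in Apache's advisory, and a copy with JndiLookup removed still belongs on the review list so the upgrade can be completed later. Point `scan_tree` at application directories, container image layers, and build caches, since those are where bundled copies hide from package-manager based checks.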
More broadly, addressing ongoing cybersecurity threats requires a comprehensive view of your institution’s IT risk and compliance posture. As regulatory burden continues to grow, organizations will struggle to meet compliance requirements unless their cybersecurity management and monitoring processes are part of an integrated strategy.