This week the US Department of Homeland Security (DHS) published the Cyber Safety Review Board's (CSRB) first report, into the December 2021 Log4j incident, when a variety of vulnerabilities in this Java-based logging framework were revealed.
The report's methodology comprised 90 days of interviews and information requests with around 80 organisations and individuals, including software developers, end users, security specialists, and businesses.
This was done to ensure that the board met with a wide range of representatives and understood the complexities of how different attack surfaces are constructed and defended.
According to the report, although standardised and reusable "building blocks" are essential for developing and expanding software, they also allow any possible vulnerability to be mistakenly included in multiple software packages, putting any organization that uses those programs at risk.
According to the report, while Log4j remains dangerous, the government-wide approach helped reduce the vulnerability's impact. The board also noted the need for extra financing to support the open-source software security community, which is primarily made up of volunteers.
Industry experts, such as Michael Skelton, senior director of security operations at Bugcrowd, said of Log4j: “Dealing with it is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities.”
John Bambenek, the principal threat hunter at Netenrich, was more critical of the report’s timing, believing that “anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly.”
The CSRB report went on to state that, thankfully, it is unaware of any large Log4j-based attacks on critical infrastructure assets or systems, and that exploitation of Log4j occurred at a lower level than many experts expected.
The paper, however, emphasises that the Log4j incident is "not over" and will continue to be an "endemic vulnerability" for many years, with considerable risk persisting.
The report concluded with 19 actionable recommendations for government and business, grouped into four categories. They were as follows:
- Address Continued Risks of Log4j
- Drive Existing Best Practices for Security Hygiene
- Build a Better Software Ecosystem
- Investments in the Future