Log4Shell – the vulnerability in the Log4J library – is the latest software vulnerability to be discovered and, according to the Guardian, it could be the worst one to appear for several years. The CEO of Tenable called it “the single biggest, most critical vulnerability of the last decade”, while the CSO of Cloudflare said they’d “be hard-pressed to think of a company that’s not at risk”. Furthermore, the Apache Software Foundation – who oversee the software in question – assigned it the maximum CVSS severity rating of 10. Clearly this is a security vulnerability with the potential to have far-reaching implications.
Log4J is a Java-based logging tool used in Apache open-source software – and it is a product in use across the vast majority of organisations worldwide. The vulnerability, which can allow attackers to install and run code on remote devices, was first identified on (Microsoft-owned) Minecraft servers, where attackers were able to exploit the vulnerability via chat messages. Additional services hit by this include Apple iCloud, Steam, Twitter, and Tencent. The German BSI said “it [is] rather easy to exploit, which causes experts great concern” – a view shared by security practitioners across the globe.
According to security firm Sophos, organisations need to:
“find any and all code in your network that is written in Java and check whether it uses the Log4j library”
An update for Log4J has been released, so all affected devices need to be patched as soon as possible – but this is often the problem. As we’ve seen in previous security exploits, the gap between a patch being released and organisations installing it on their devices can be extremely large. Furthermore, organisations are not always able to identify all the devices which require the patch; both of these were key issues in the Equifax breach of 2017.
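Finding every copy of the library is the hard part, because log4j-core is often bundled inside other applications’ archives rather than sitting on disk as a separately installed package. The scanner below is an added example written for this post (not code from the original article, Sophos or the Log4j project): it walks a directory tree, opens every JAR/WAR/EAR, follows JARs nested inside fat JARs, reads the Maven metadata that log4j-core ships under META-INF, and flags any version below a patch baseline. The baseline `MIN_PATCHED` is an assumption you should set to your own policy, and the sample archives it scans are constructed in a temporary directory so it runs offline.

```python
"""Walk a filesystem tree, open every JAR/WAR/EAR (including JARs nested inside
fat JARs) and report which log4j-core version each one ships, flagging copies
below the organisation's chosen patch baseline.  Added example, not code from
the original post, Sophos or the Log4j project."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Assumption: the minimum log4j-core version your policy accepts.  2.15.0 was the
# first release carrying the Log4Shell fix; later releases fixed follow-up issues,
# so set this to whatever baseline your security team has agreed.
MIN_PATCHED = (2, 15, 0)

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Maven metadata entry that log4j-core jars carry inside the archive.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


@dataclass
class Finding:
    path: str         # file on disk; nested archives are appended after '!'
    version: str      # version string read from pom.properties
    vulnerable: bool  # True when version < MIN_PATCHED


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1). Only the first three numeric groups are kept, so
    '2.0-beta9' -> (2, 0, 9), which still compares below MIN_PATCHED."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def scan_archive(data: bytes, label: str, findings: list) -> None:
    """Inspect one archive held in memory and recurse into any archives inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt, or a non-archive with a .jar name)
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.M)
            if match:
                version = match.group(1).strip()
                findings.append(Finding(label, version, parse_version(version) < MIN_PATCHED))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> list:
    """Scan every archive below root and return the log4j-core findings."""
    findings: list = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_sample_tree(root: str) -> None:
    """Write constructed sample archives (not real software) so the scanner can be
    exercised offline: two plain log4j-core jars and one fat jar bundling an old copy."""
    def log4j_jar(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                  f"artifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for version in ("2.14.1", "2.17.1"):
        with open(os.path.join(root, "lib", f"log4j-core-{version}.jar"), "wb") as fh:
            fh.write(log4j_jar(version))
    fat = io.BytesIO()
    with zipfile.ZipFile(fat, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.13.0.jar", log4j_jar("2.13.0"))
        z.writestr("BOOT-INF/lib/other-library.jar", b"not really an archive")
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(fat.getvalue())


def demo_scan() -> list:
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print("VULNERABLE" if f.vulnerable else "ok        ", f.version, f.path)
```

Run it as-is to see the constructed sample, or call `scan_tree("/opt")` (or wherever your applications live) on a real host; the `path` field keeps the outer archive and the nested entry together, which is the detail an ITAM team needs to trace a finding back to the owning application rather than to a stray library. Matching on the Maven metadata rather than on file names matters because repackaged fat JARs rarely preserve the original `log4j-core-<version>.jar` name.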
“You can’t secure what you can’t find”.
Although it may seem an obvious and perhaps even trite statement at this point, it continues to be true. Comprehensive asset discovery is the foundation for many areas critical to a business and this is a sentiment being echoed by those in the security world…at least on Twitter:
This week the internet has learned—once again—that asset management is the center of security.
It’s hard to patch what you can’t find.
— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) December 10, 2021
Asset management remains one of the fundamentals that’s still not fully embraced by orgs; it helps not only to monitor and detect, but (esp in cases like this) promptly remediate.
— BaseCyberSecurity (@BaseCyberSec) December 12, 2021
Asset management is essential if you want to do security!
The major #log4j flaw is a reminder: you have to patch fast, but to do that you need an up-to-date inventory!
Once again, the most important thing isn't necessarily the application 😉
— Teddy FERDINAND (@TeddyFERDINAND1) December 11, 2021
This is a great opportunity to either:
a) show the success of the ITAM/Security partnership you have cultivated, or
b) show how a stronger relationship between the two teams would benefit the business
Having a shared inventory of devices and the software on them alongside a rapid patch management process can make mitigating this attack, and others like it, as easy as possible. If that relationship isn’t there but you have tools/data/processes you believe could help, take this opportunity to get involved and help out. Showing how ITAM supports other teams and reduces risks across the business is a great way to increase executive focus and bolster ITAM’s credentials internally.
Another interesting element is the call for more work around creating Software Bills of Materials. They are a growing focus in the open-source world and, in their statement regarding Log4J, the US Cybersecurity & Infrastructure Security Agency (CISA) said this scenario:
“underscores the urgency…more widespread use of Software Bill of Materials (SBOM), which [was] directed by President Biden in his Executive Order issued in May 2021. A SBOM would provide end users with the transparency they require to know if their products rely on vulnerable software libraries”
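What that transparency looks like in practice is a query over a machine-readable inventory of components. The snippet below is an added example (not from the original post or from CISA) that reads a CycloneDX-style JSON SBOM, walks nested components so that a log4j-core copy pulled in transitively by another library is still found, and flags versions below a patch baseline. The SBOM content is constructed for the example, and `MIN_PATCHED` is an assumption to be replaced with your own policy baseline.

```python
"""Query a CycloneDX-style SBOM (JSON) for log4j-core components, including
copies nested inside other components, and flag versions below the chosen patch
baseline.  Added example; the SBOM below is constructed, not from any vendor."""
import json
import re

# Assumption: first log4j-core release carrying the Log4Shell fix; adjust to policy.
MIN_PATCHED = (2, 15, 0)
TARGET_GROUP, TARGET_NAME = "org.apache.logging.log4j", "log4j-core"

# Constructed SBOM for a hypothetical web application: a directly declared,
# already-updated log4j-core plus a "platform-commons" library that transitively
# bundles an old copy.  log4j-api is listed too, to show it is not matched.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "example-webapp", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "com.example", "name": "platform-commons", "version": "1.8.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.11.2", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.11.2"},
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
              "version": "2.11.2"},
         ]},
    ],
})


def parse_version(text: str) -> tuple:
    """'2.11.2' -> (2, 11, 2); keeps the first three numeric groups only."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def walk_components(components: list, path: tuple = ()):
    """Yield (dependency path, component) for every component, descending into
    the nested 'components' lists that CycloneDX allows."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_log4j(sbom_json: str) -> list:
    """Return one record per log4j-core component: where it sits in the dependency
    tree, its version, and whether it is below MIN_PATCHED."""
    bom = json.loads(sbom_json)
    results = []
    for path, comp in walk_components(bom.get("components", [])):
        if comp.get("group") == TARGET_GROUP and comp.get("name") == TARGET_NAME:
            version = comp.get("version", "")
            results.append({"path": " -> ".join(path), "version": version,
                            "vulnerable": parse_version(version) < MIN_PATCHED})
    return results


if __name__ == "__main__":
    for r in find_log4j(SAMPLE_SBOM):
        print("VULNERABLE" if r["vulnerable"] else "ok        ", r["version"], r["path"])
```

The nested walk is the point: a flat search for "log4j" in an SBOM would report the updated direct dependency and miss the old copy carried inside `platform-commons`, which is exactly the case a supplier-provided SBOM is meant to expose. Matching on group and artifact name (rather than any name containing "log4j") keeps log4j-api, which is not the vulnerable component, out of the results.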
Helping your organisation to manage and mitigate this latest security threat can be a great chance to demonstrate the value that ITAM brings to all aspects of your organisation. Even once the immediate panic has passed, ensure you have a process for discovering and highlighting any unpatched instances that may appear on your network. Take this opportunity to help your peers, your business, and yourself.