On Dec. 9, the Apache Software Foundation issued a Log4j security alert that a vulnerability (CVE-2021-44228), aka Log4Shell, allows unauthenticated users to remotely execute or update software code on multiple applications via web requests. On a scale of severity, the NIST has graded the Log4Shell vulnerability as 10/10 (critical).
Shortly after on January 4, the FTC issued a bulletin warning of immediate legal action if companies fail to protect consumers against the Log4j “or similar known vulnerabilities.”
The security loophole is believed to be so widespread that it is said to affect more than three billion devices that use Java. Industry leaders like Microsoft, Twitter, iCloud, Amazon, Google Cloud and others are all reportedly affected by Log4Shell.
For security teams around the world, combating Log4Shell can seem extremely overwhelming. Below are some guidelines and recommendations that can help you get started:
1). Fine-tune WAF (Web Application Firewall) Rules
WAF or Web Application Firewall, helps protect web applications by monitoring and filtering internet traffic. If one doesn't have a WAF in place, it’s probably time they did and if they already have one, it’s important that it be tuned properly so that it can block any such exploits. In all likelihood, the WAF provider is already updating new rules automatically so make sure you accept them. Blocking every potential malicious signature might be cumbersome and tedious, however; ensure you continue to iteratively monitor and fine-tune over the next few months to address all emerging exploit techniques. Ever since the announcement happened, opportunistic attackers have made more than a million attempts to exploit Log4Shell and will continue to do so in the coming months and years.
2). Execute a Detailed Audit of Every Application, System and Website
Start the new year with a comprehensive audit of every application, every system, every website that is internet-facing. This also includes carrying out an extensive review of cloud-based services. Prioritize your infrastructure – be extra cautious to applications, software code and databases that contain sensitive data like credentials, customer details, intellectual property, etc. Ensure all applications are running the most updated software patches as any loophole can be easily exploited by this vulnerability.
If possible, try and get your infrastructure reviewed and pen-tested by an external third-party as this will provide an independent and unbiased opinion on your current security posture. Remember that software patching can only prevent future attempts to exploit this vulnerability; if attackers have already leveraged it prior to patching, they are already lurking around your network waiting for the right opportunity to strike.
This is another reason why an immediate and comprehensive audit is needed.
3). Review and Assess Vendor and Third-party Risks
In response to the vulnerability, software vendors around the globe have been announcing patches and fixes that plug this security loophole. It’s important that organizations pay particular attention to these updates and apply fixes in a timely manner.
It’s important to catalog and compare vendors that have issued a patch versus those that have not. In case a vendor hasn’t issued one, it’s probably a good idea to contact them and confirm whether they have been impacted or not. In addition to software vendors, remember to contact your key suppliers, business partners and affiliates to ensure they have conducted appropriate due diligence in safeguarding their own infrastructure and supply chains from Log4Shell.
4). Validate and Protect Users
One of the first things security teams must do is to raise the awareness of the security issues surrounding Log4j. Ensure employees (especially remote users) are alert and raise a red flag when something is amiss or not performing right. Implement the Principle of Least Privilege by granting minimum or restricted access to users as this can significantly minimize risk and lower the possibility of lateral movement. In addition to this, enabling multi-factor authentication (via a second device) can go a long way in preventing attackers from leveraging compromised credentials.
5). Remain Vigilant
Experts believe the worst is yet to come and it may take months or even years for a full cleanup of the Log4Shell. The Log4j application is so ubiquitous that attackers are likely to exploit it for the foreseeable future. Not to forget, patches aren’t always fully watertight. For example, Apache researchers discovered that their first patch was “incomplete” and had to release a second patch. It’s important that businesses remain vigilant for such updates and be on guard for any changes in their threat landscape.
It’s no surprise that the aftershocks of the Log4Shell quake will continue in the new year but eventually we’ll get through it. However, it would be ill-advised if we don’t start gearing up for the next security catastrophe today.
About the Author:
Michelle Drolet is CEO of Towerwall, a highly specialized cybersecurity, cloud and virtual CISO services firm with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Founded in 1999 in Framingham, Mass., Towerwall focuses exclusively on providing small to mid-size businesses customized cybersecurity technology programs. Reach her at [email protected]. Telephone 774-204-0700.