How to protect against 'endemic' Log4j vulnerabilities

A US government report details a series of recommendations to help counter the Log4Shell flaw in the long term

The US Department of Homeland Security has released the Cyber Safety Review Board’s (CSRB) report into Log4j vulnerabilities, which details actionable recommendations for government and industry.

The CSRB is a new public-private initiative within CISA that aims to bring together government and industry leaders to review and assess significant cyber security events and threats.

The board’s first report addresses the “continued risk” posed by the Log4Shell vulnerability in the widely used Log4j open-source software library, discovered in late 2021. It is one of the most prominent cyber security threats of recent years.

With the flaw described as “one of the most serious vulnerabilities discovered in recent years”, the CSRB’s recommendations focus on driving better security in software products, as well as enhancing organizations’ response abilities.

“The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security,” commented Secretary of Homeland Security Alejandro Mayorkas, who delivered the report to President Biden.

Grappling with the Log4Shell vulnerability

First disclosed on 9 December 2021, Log4Shell is a zero-day remote code execution vulnerability in Java logger Log4j, which was awarded a 10/10 criticality rating by CISA.

In a nutshell, the flaw enables attackers to submit a specially crafted request to a vulnerable system, causing it to execute arbitrary code. As a result, the attackers can take full control of the affected system from a remote location.

The vulnerability was found to have been exploited by coin miners, remote access trojans (RATs), botnets, ransomware, and advanced persistent threats (APTs).

According to CISA, cyber threat actors have continued to exploit the vulnerability in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.

Log4Shell: Recommendations and best practice

The CSRB engaged with nearly 80 organizations and key individuals to gather insights into the Log4j event and develop actionable recommendations for future incidents.

The 19 recommendations outlined in the report have been split into four categories; the first focuses on addressing the continued risks and states that both organizations and government bodies should be prepared to apply vigilance to Log4j vulnerabilities “for the long term”.
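Long-term vigilance starts with knowing where Log4j actually lives, including copies bundled inside application archives. As an added illustration (not from the CSRB report or this article), the Python below inventories log4j-core versions inside JAR/WAR files by reading the Maven `pom.properties` each jar carries, recursing into nested jars; the `min_fixed` threshold is an assumption to be taken from current vendor or CISA guidance, and the sample WAR is constructed.

```python
import io
import re
import zipfile
from typing import Iterator

# Maven metadata that log4j-core ships inside its jar; the version is on the
# 'version=' line of this properties file.
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def _find_versions(zf: zipfile.ZipFile, path: str) -> Iterator[tuple[str, str]]:
    for info in zf.infolist():
        if POM_PROPS.search(info.filename):
            text = zf.read(info).decode("utf-8", errors="replace")
            match = re.search(r"^version=(.+)$", text, re.M)
            if match:
                yield path, match.group(1).strip()
        elif info.filename.lower().endswith(ARCHIVE_SUFFIXES):
            # Nested archive (e.g. WEB-INF/lib/*.jar inside a WAR): read it from
            # memory and keep descending so bundled copies are not missed.
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(info)))
            except zipfile.BadZipFile:
                continue  # named like an archive but is not one; skip, don't abort
            yield from _find_versions(inner, f"{path}!/{info.filename}")

def scan_archive(data: bytes, name: str) -> list[tuple[str, str]]:
    """Return (location, version) for every log4j-core found in an archive blob."""
    return list(_find_versions(zipfile.ZipFile(io.BytesIO(data)), name))

def parse_version(version: str) -> tuple[int, ...]:
    """'2.17.1-rc1' -> (2, 17, 1); only the first three numeric fields are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def needs_attention(version: str, min_fixed: str) -> bool:
    """True when the found version is below min_fixed (assumption: taken from current guidance)."""
    return parse_version(version) < parse_version(min_fixed)

def build_sample_war() -> bytes:
    """Constructed fixture, not a real artefact: a WAR bundling a log4j-core jar
    (sample version string 2.0.9) plus a non-zip file named like a jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                     "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.0.9\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.0.9.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/unrelated.jar", b"not a zip")
    return outer.getvalue()
```

Feed `scan_archive` the bytes of each archive found on a host and compare every reported version with `needs_attention` against the threshold your vendor or CISA guidance currently gives.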

The second outlines recommendations for driving best practices for security hygiene, advising adoption of industry-accepted best practices and standards for vulnerability management. That includes investment in security capabilities and development of response programs and practices.

The third category advises organizations on building a better software ecosystem to move to a proactive model of vulnerability management, including increasing investments in open source software security, as well as training software developers in secure software development.

Lastly, the fourth group notes that investing in new systems and groups for the future will be essential in securing the US’ infrastructure and digital resilience in the long term.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future,” said Robert Silvers, CSRB Chair and DHS Under Secretary for Policy.

“Our review of Log4j produced recommendations that we are confident can drive change and improve cyber security.”
