The speed with which the Department of Homeland Security rolled out a big fix for the bug—six days after it was uncovered—basically couldn’t have happened a mere several years ago, as The Washington Post reports. The Cybersecurity and Infrastructure Security Agency now has more power and visibility than the DHS’s cybersecurity regulators did during the Shellshock and Heartbleed vulnerabilities of 2014.
Private employers also had a faster response to Log4j, also known as Log4Shell, compared with prior crises. Jake Williams, a former National Security Agency cyber operator and founder of the firm Rendition Infosec, told The Post, “We’re used to doing fire drills at this point.”
Still, cybersecurity pros say the Log4j lapse, like the SolarWinds breach roughly a year earlier, signals that organizations must do more to understand the code that their enterprise software depends on, as Dark Reading reports. With so much of today’s software made up of open-source and third-party code, underlying vulnerabilities can have a far-reaching impact.
Security experts call for a broader implementation of software bills of materials, or SBoMs, a way of inventorying the components in enterprise software and identifying dependencies. Nicholas Sciberras, head of engineering at Invicti’s Acunetix, told Dark Reading, “SBoMs are a foundational element of cyber resilience.”
The Log4j vulnerability has already been exploited in cyberattacks against a variety of targets, including Belgium’s defense ministry, an unnamed academic institution (according to CrowdStrike) and a Vietnamese cryptocurrency platform.
Apache has released multiple patches for the Log4j software. Security pros say that version 2.17.1 of Log4j, released on December 28, probably isn’t an urgent update for organizations that patched to version 2.17.0 of Log4j, released December 17, as VentureBeat reports.