
Entering 2022, Log4j Bug Shows How Security Has and Hasn’t Improved  

Another new year, another widespread cybersecurity meltdown. The vulnerability in the Java-based software known as Apache Log4j, which security officials began warning in mid-December was one of the worst threats they’d seen yet, illustrates both the enhanced strengths and lingering weaknesses of U.S. cybersecurity defenses, according to various reports.

The speed with which the Department of Homeland Security rolled out a major fix for the bug—six days after it was uncovered—could not have happened even a few years ago, as The Washington Post reports. The Cybersecurity and Infrastructure Security Agency now has more power and visibility than the DHS’s cybersecurity regulators did during the Shellshock and Heartbleed vulnerabilities of 2014.

Private employers also had a faster response to Log4j, also known as Log4Shell, compared with prior crises. Jake Williams, a former National Security Agency cyber operator and founder of the firm Rendition Infosec, told The Post, “We’re used to doing fire drills at this point.”

Still, cybersecurity pros say the Log4j lapse, like the SolarWinds breach roughly a year earlier, signals that organizations must do more to understand the code that their enterprise software depends on, as Dark Reading reports. With so much of today’s software made up of open-source and third-party code, underlying vulnerabilities can have a far-reaching impact.

Security experts call for broader implementation of software bills of materials, or SBoMs, a way of inventorying the components in enterprise software and identifying dependencies. Nicholas Sciberras, head of engineering at Invicti’s Acunetix, told Dark Reading, “SBoMs are a foundational element of cyber resilience.”

The Log4j vulnerability has already been exploited in cyberattacks against a variety of targets, including Belgium’s defense ministry, an unnamed academic institution (according to CrowdStrike) and a Vietnamese cryptocurrency platform.

Apache has released multiple patches for the Log4j software. Security pros say that version 2.17.1 of Log4j, released on December 28, probably isn’t an urgent update for organizations that patched to version 2.17.0 of Log4j, released December 17, as VentureBeat reports.
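As an added illustration of the SBoM inventory the experts above call for, tied to the patch versions just mentioned (example code written for this page, not from Apache, Invicti or any vendor), the Python script below walks a constructed CycloneDX-style SBOM and lists every bundled log4j-core 2.x entry older than 2.17.0. The SBOM contents, the nested-component layout and the 2.x-only comparison rule are assumptions.

```python
import json
import re
from typing import Iterator

# Constructed, minimal CycloneDX-style SBOM for illustration (not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.example", "name": "billing-service", "version": "3.2.0",
         "components": [  # a bundled dependency nested inside another component
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
         ]},
    ],
})

# Version the article names as the one organizations patched to.
FIXED_VERSION = "2.17.0"


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); a trailing qualifier such as '-rc1' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def walk_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested (bundled) components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_unpatched_log4j(sbom_json: str, fixed: str = FIXED_VERSION) -> list:
    """Return (group, name, version) for log4j-core 2.x entries older than `fixed`."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in walk_components(sbom.get("components", [])):
        if comp.get("group") != "org.apache.logging.log4j" or comp.get("name") != "log4j-core":
            continue
        ver = parse_version(comp.get("version", "0"))
        # Assumption: only the 2.x line is compared against the fix; others need separate review.
        if ver[:1] == (2,) and ver < parse_version(fixed):
            hits.append((comp["group"], comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for hit in find_unpatched_log4j(SAMPLE_SBOM):
        print("needs update:", hit)
```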
