Action plans for Log4j or Log4shell
In early December, reports began to circulate about the vulnerability in Apache’s Log4j 2, the second version of a popular Java logging framework. As it turns out, the vulnerability, known as “Log4Shell” or “Log4j/Shell” is one of the most serious cyber threats in recent history. Think wannacry, heartbleed or the exploit that led to the 2017 Equifax data breach. Mitre’s common vulnerabilities and exploits (CVE-2021-44228) alert on Log4Shell gave the threat a score of 10, the highest rating possible. Why is Log4j such a serious concern? And more importantly, what can you do about it? Here is Masergy’s advice.
What is Log4j/shell?
Log4j is a piece of free and open-source software, specifically a Java library that logs error messages in applications. The fact that it is free for anyone to use is a big part of why this vulnerability is such a big problem – the software is essentially everywhere. Since 2013, Log4j has been installed in almost every type of device on planet earth – servers, software applications, and computing devices including phones. It’s built into frameworks such as Apache Struts2, Solr, Druid, Flink and Swift. Unpatched, Log4j/Shell represents a powerful “Zero Day” exploit.
Billions of devices and pieces of software are now at risk.
Why is Log4j/shell generating so much attention?
Log4j/Shell has generated massive engagement and activity among cybersecurity professionals and a sprint to remediate the vulnerability. What’s the big deal? Several factors account for the extreme nature of the reaction:
- Ubiquity: One is the incredible ubiquity of the software itself. As mentioned, it’s everywhere and in almost every device used by corporations, governments and consumers.
- Simplicity: Another issue is the apparent simplicity of the flaw. It seems that almost anyone could potentially gain access to a vulnerable device merely by sending a 12-character code or renaming their device with that code. Indeed, the flaw first emerged in the Minecraft game, where it became evident that players could use the exploit to run arbitrary code on pretty much any of hundreds of millions of servers and devices around the world.
- Weaponization: The third major area of concern relates to how Log4j/Shell may be weaponized by malicious actors. It could be used to take over machines for cryptocurrency mining. Or, it could comprise the basis for distributed denial of service (DDoS) attacks. It’s a powerful tool at the hands of cybercriminals.
What should you or your company do about Log4j/Shell?
What should you do about this? The short answer is start patching! Patch everything with a sense of urgency.
However, for patching to be meaningful, organizations will first need to inventory devices that have Log4j installed. The Log4Shell vulnerability scanner from Huntress is one tool that can perform this task. This should include both internal- and external-facing devices. Some of the official guidance that’s come down on mitigating Log4j/Shell has focused on external-facing devices. This is not enough, because internal devices can also receive log data from untrusted sources.
This will be a massive undertaking, and in for many, it will be difficult to complete. With literally billions of servers, IoT devices, endpoint devices, and endless instances to deal with, it is almost a certainty that some systems will remain vulnerable to this threat.
It’s safe to say, we’ll be living with Log4j/Shell for years. As a result, it makes sense to do whatever you can to harden systems that contain sensitive data to protect them from Log4j/Shell exploits.
Key Takeaway and Lesson Learned: This threat episode reveals the risks inherent in using open-source code in application development without paying adequate attention to security. Longer-term, a good practice will be to maintain a repository of libraries that are known to be secure as part of a secure DevOps process.
Do SASE and Zero Trust help with Log4j?
A quick disclaimer: Masergy never claims or even implies that our company, advice, products and services will completely prevent vulnerabilities or exploits such as Log4Shell. No managed security service, including SASE and Zero Trust, can 100% prevent zero-day (no notice) cybersecurity threats. However, choosing a trusted security services provider, like Masergy, as your partner empowers companies to monitor their IT environment for threats and respond with more efficiency, agility, and speed to changing circumstances in the global cybersecurity space.
The Secure Access Service Edge (SASE) model of security has a great deal of applicability to strengthening defenses against Log4j/Shell. SASE has multiple security components, but for Log4j/Shell, the most important element is Zero Trust (ZT). With ZT and Zero Trust Network Access, access to any digital asset, be it a network or an application, is denied by default. No one is trusted until properly verified.
ZT is a good countermeasure against Log4j/Shell because Log4J runs without pure trust. An unauthenticated person can send the fatal Log4j/Shell input string. With ZT, that unauthenticated user will be automatically blocked from being able to access a network, device or application. With the software-defined wide area network (SD-WAN) part of SASE factored in, the ZT mitigation of Log4j/Shell is now spanning an organization’s entire network.
Conclusion: The race is on to mitigate
Log4j/Shell represents a major cybersecurity event. It poses a threat to billions of digital devices worldwide. The exploit could have a significant impact on corporate operations and governments. The race is on to mitigate the risk. It will not be an easy process. New models, such as SASE, can help in this effort, as well in preventing further events of this kind in the future.
If you need help handling security at this critical time or would like a copy of Masergy’s security bulletin with more detailed information and guidance on Log4j, contact us.
Interested in how Managed Security can improve your business?
Call us now to arrange a consultation (866) 588-5885.
Or arrange for a consultation through our request form.
Three Considerations for Creating a Future-Ready Enterprise
Learn about what business leaders should do to create a technology-forward, future-ready enterprise.
Securing the Network Edge: Endpoint detection and response can reduce serious incidents by 50%
What is EDR and how is different from XDR? Masergy explains that and more.
Understanding ZTNA Relationship to Zero Trust and SASE
Zero Trust Network Access gets mixed up with Zero Trust and SASE. Understand the differences and how it strengthens security.
Cybersecurity Blind Spots: Why You’re Unaware of Risks Hiding in Your Own IT Environment
Companies today have more security weaknesses. Explore three common blindspots and how to turn on the light switch.
Delivering On The Digital-First Promise: How To Meet Heightened Demand With Less Risk
The best digital strategies foster an IT ecosystem where checks and balances allow emerging technologies to synthesize with security and the network.
Why EDR is an essential requirement for cyber insurance
A company applying for a cyber insurance policy must demonstrate that it has effective cybersecurity policies and countermeasures in place.
Cloud Security Best Practices: Advice from Forrester
Security for cloud migration is the new imperative. Forrester’s best practices report includes these four key guidelines.
Rebalancing security and business innovation post-pandemic
The accelerated transformation has spurred new governance phases. Rebalance innovation and security by putting these checks and balances in place.
The Transformation Trifecta at the Heart of the Hybrid Work Revolution
How sustainable is your hybrid work strategy? It's time to unite the disciplines of connectivity, cybersecurity and collaboration.
Masergy Wins “Editor’s Choice MSSP of the Year” Global InfoSec Award During RSA Conference 2022
As a leading managed security services provider, Masergy earns one of Cyber Defense Magazine’s most prestigious awards. Here’s why.
The Comcast Business Story – An Overview
Comcast Business and Masergy have joined forces - We are your one provider for all your secure networking needs.
SEVEN leaders from Comcast Business and Masergy recognized on CRN’s 2022 Women of the Channel List!
Masergy Awarded 2022 TMCnet Remote Work Pioneer Award
Masergy succeeds in making remote work actually work well for IT teams in the long run.
Masergy: “multi-cloud environments make it difficult to control what’s happening in borderless networks”
Masergy's Trevor Parks talks to Cybernews about security threats in modern multi-cloud environments.
MSS, MDR, SOCaaS: The differences in security services and how to choose
The catalogue of security services abbreviations keeps getting longer. Here are some quick definitions and tips to help compare offerings.
Meeting the moment for hybrid work cybersecurity
A growing number of cyberattacks and the explosion of hybrid work have pushed security resources to the brink, exposing the need for more managed services backed by machine learning.
Your security service provider needs an upgrade: RFP questions to find a true partner
How do you ensure you’re getting the right combination of security expertise and operational excellence all in one provider? These questions can help.