You don’t need to be embedded in the tech world to have seen the apocalyptic headlines flooding your screens over the last few weeks. A major vulnerability affecting systems across the internet was revealed in log4j, a widely used, open-source Java logging library. This latest fire alarm is being treated as a “zero-day”: an attack that exploits a vulnerability that is either unknown to the affected parties or does not yet have a solution (a patch) in place. The public first became aware of the threat after Minecraft, owned by Microsoft, released a statement that the Java edition of the game was at risk.
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), told CNBC News that this is “the most serious vulnerability that I’ve seen in my decades-long career. Everyone should assume that they are exposed and vulnerable and to check [that they are not vulnerable].” CISA has posted a checklist on its website that companies can follow and released a statement on Dec. 11 emphasizing that “…this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector.”
Why is this such a big deal?
If you’re not well versed in software development, you may picture it as individuals pecking away at their keyboards, writing code from scratch. In fact, most of the software development process involves taking code that others have already written and packaging it together. A good and efficient developer won’t waste time rewriting basic functions such as networking protocols, web calls, or logging, but will leverage existing libraries like log4j. A simplified analogy is making Rice Krispies Treats: the directions call for combining the ingredients to achieve the desired result, but most folks aren’t making the Rice Krispies, butter, or marshmallows from scratch. You could, but the whole point of the treat is to combine things that get you what you need quickly so you can move on to the next project.
Log4j is one of these packages: a logging library developed by Apache that is essentially designed to take data from an application and save it elsewhere. A feature added in 2013 is the origin of this vulnerability, though it is still unknown whether it was an accident or added with malicious intent by a bad actor. In short, the vulnerability allows remote code execution, meaning an attacker can quickly and easily force an affected system to execute any code they choose. Because log4j is open source, it has been widely used for years as a ready-made component that programmers pull into their own projects. Consequently, it is embedded in so many products that, experts say, this vulnerability will impact nearly every company, including Windows users, Linux users, and Apple iOS users. Apache has already released an update to address the flaw, but that doesn’t change the fact that much deployed software is still running older versions, and some older Java-based software may have been discontinued by its vendors and will never be patched at all.
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end-users know that their product contains this vulnerability and should prioritize software updates,” Easterly’s statement declared.
What this means is that when business leaders purchase software products, what they are actually getting is an assemblage of components that the vendor has stitched, or coded, together to do certain things. It is very rare for a software company to have written every single line of code in the product your business has purchased. From a CISO’s standpoint, you need to understand the security risks posed by the collection of third-party components that make up these products. The average consumer and end user are, unfortunately, “at the mercy” of companies updating their software. For businesses, and especially for CISOs, this frightening new vulnerability highlights the importance of having a solid cybersecurity strategy and a holistic view of the technical environment.
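The two paragraphs above make the practical point that log4j arrives hidden inside other vendors’ packages. The following script is an added illustration of the inventory step a security team would run, not code from the article or from Apache: it walks a JAR/WAR file, including archives nested inside other archives, and reports every copy of log4j-core it finds together with its version. It assumes the standard Maven `pom.properties` path inside log4j-core; all version numbers and archive contents below are constructed sample data, and the patched-version threshold should be taken from the vendor’s advisory.

```python
import io
import re
import zipfile

# Standard Maven metadata path that log4j-core carries inside its JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_key(version):
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_log4j_core(data, path="<root>", found=None):
    """Recursively walk an archive (bytes) and return [(path, version)] for every
    embedded log4j-core, including copies nested inside shaded/fat JARs."""
    if found is None:
        found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not an archive (e.g. a .class file); nothing to inspect
    with archive:
        names = archive.namelist()
        if POM_PROPS in names:
            props = archive.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            found.append((path, match.group(1).strip() if match else "unknown"))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                find_log4j_core(archive.read(name), f"{path}!/{name}", found)
    return found


def triage(found, min_safe):
    """Label each finding 'ok' or 'needs patch' against the vendor's fixed version.
    An unknown version compares as () and is conservatively flagged."""
    key = _version_key(min_safe)
    return [(p, v, "ok" if _version_key(v) >= key else "needs patch") for p, v in found]


def make_archive(entries):
    """Build a ZIP/JAR in memory from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


def sample_product():
    """Constructed sample: a WAR bundling a current log4j-core directly and an old copy
    hidden inside a vendor's shaded JAR (versions are made up for the demo)."""
    core_old = make_archive({POM_PROPS: b"version=2.1.0\n"})
    core_new = make_archive({POM_PROPS: b"version=2.99.0\n"})
    shaded = make_archive({"com/vendor/App.class": b"", "lib/log4j-core-inner.jar": core_old})
    return make_archive({"WEB-INF/lib/log4j-core.jar": core_new, "WEB-INF/lib/vendor-all.jar": shaded})


if __name__ == "__main__":
    for path, version, status in triage(find_log4j_core(sample_product(), "product.war"), "2.99.0"):
        print(f"{status:11} {version:8} {path}")
```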
Many business leaders are currently asking, “What does this mean for us?”, and the answer from many CISOs will be “We don’t know yet.” A risk quantification tool like Axio360 can benchmark just how costly this threat could be, allowing the CISO to effectively communicate the business and financial implications to the rest of the organization. The issue is not just a technical problem for the cybersecurity team to sort out. It will require an operational response at every level of the organization to understand how much such an incident could cost and how to justify mitigation strategies. In the case of the log4j bug, attackers could gain total control of affected devices and access to the data on them, in many instances putting critical infrastructure at risk. Security leaders must be ready to answer priority-driven questions from every part of their organization, and business leaders must understand how to prepare for the risks that third parties pose to their organization and the business impact of those risks.