Cybersecurity Review Board Makes Recommendations on Security Hygiene and Software Ecosystem in Log4j Review

The Log4j vulnerability had “somewhat surprisingly” less than feared impacts, but exposed organizational challenges in responding to cyber threats, including resources, confusion and even “remediation fatigue”, according to the first report from the Cyber ​​Safety Review Board.

The Cybersecurity Review Board was created in February by President Biden’s Executive Order of May 2021 Improving the nation’s cybersecurity. The panel is led by DHS Under Secretary of Policy Rob Silvers and co-chaired by Google’s Vice President of Security Engineering Heather Adkins. The 15-member board is a mix of public and private sector representatives.

“To advance the overall security and resilience of our digital ecosystem, we applaud the application of this highly effective model of lessons learned from other industries,” Silvers and Adkins wrote in a post at the start of the report. “With the discovery of major software vulnerabilities and gaps in our abilities to effectively mitigate them, we believe this effort will help improve our overall cyber resilience.”

The board undertook its first review with the open-source Log4j software vulnerability that was disclosed in December 2021. “to log security and performance information,” CISA said in its guidance. “An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.” In January, CISA officials said there had not yet been any major US intrusions related to the flaw, with CISA Director Jen Easterly warning that “we expect that Log4j be used in intrusions in the future”.

Silvers and Adkins said the review of the Log4j event “presented the Board with several challenges,” including “no accident sites or damaged vehicles to inspect, no stress tests to perform on failed equipment, and no schematics of wiring to be examined”.

“Instead, we looked at the practices used to create and adopt the technology, ecosystems and processes. We relied on subject matter experts in open source software, its development, deployment and maintenance,” they said. “During our discussions, we’ve observed the enthusiasm to tackle these issues, as well as the community’s desire to have a more complete picture of where vulnerabilities are located, which ones are exploitable, and how effective corrective action.”

The co-chairs emphasized that the Log4j event is not over. “Log4j remains deeply embedded in systems, and even in the short time available for our review, community stakeholders have identified new trade-offs, new threat actors, and new learnings,” they wrote. “We should remain vigilant to the risks associated with this vulnerability, and apply the best practices described in this review.”

Silvers and Adkins also pointed to “a real need to drive the development and wide adoption of automated capabilities, tools, and frameworks that help developers in the daunting task of building secure software.”

“Just as the software industry has enabled the democratization of software programming – the ability for anyone to build software with little or no formal training – we must also democratize security by building security by default into platforms. used to build, build, deploy and manage software at scale,” they said.

The pair noted that industry has been particularly helpful in supporting the review with information and data, adding that they “believe industry has come to understand that the Council is not an enforcement body. or regulation and does not focus on assigning blame”.

After the first report of the Log4j vulnerability, network defenders “faced a particularly difficult situation; the vulnerability impacted virtually every networked organization and the severity of the threat necessitated prompt action,” the report states.

“The fact that there is no complete ‘client list’ for Log4j, or even a list of where it is integrated as a subsystem, has hampered the defender’s progress. Companies and vendors rushed to find out where they were using Log4j,” he continued. “The pace, pressure, and publicity compounded the defensive challenges: Security researchers quickly uncovered additional vulnerabilities in Log4j, contributing to confusion and “patch fatigue”; defenders struggled to distinguish analysis of vulnerabilities by bona fide researchers from threat actors; and responders struggled to find sources of information authoritative on how to solve problems. This has resulted in one of the most intensive cybersecurity community responses in history.

The review panel noted that the response included “high levels of cooperation, extensive use of social media for rapid sharing of mitigation advice, innovative response actions from the Cybersecurity Agency and Department of Homeland Security (DHS) Infrastructure Security (CISA), and the creation of new shared community resources. Organizations that responded most effectively “understood their use of Log4j and had technical resources and mature processes in place to manage assets, assess risk, and mobilize their organization and key partners to action.” However, executing a response with the necessary speed has proven to be a challenge for most organizations, because when the Apache Software Foundation made available upgrades for Log4j, “deploying them was itself a decision. at risk, requiring a trade-off between possible operational disruption and timeliness, comprehensiveness, and compensating controls.

A federal cabinet department said it spent 33,000 hours defending against the Log4j vulnerability. The board noted that “these costs, often incurred for several weeks and months, have delayed other critical work, including responding to other vulnerabilities.”

“Over the long term, we will continue to see the tension between our collective need for crisis-focused risk management and fundamental investments that would support faster response to future incidents,” the report said. “Perhaps most importantly, the strain on the urgent response and the challenges of risk management have also contributed to a professional ‘burnout’ among defenders that can, compounded by the typically intense pace of many cybersecurity jobs , have a long-term impact on the availability of cybersecurity talent.

The review found that “somewhat surprisingly” to date “Log4j exploitation has occurred at lower levels than many experts predicted, given the severity of the vulnerability.”

“It was difficult to come to this conclusion,” the report adds. “While cybersecurity vendors may have provided anecdotal evidence of exploitation, no authoritative source exists to understand exploitation trends across geographies, industries, or ecosystems. Many organizations do not even collect information about specific Log4j exploitation, and reporting is still largely voluntary.

“Most importantly, however, the Log4j event is not over. The Council believes that Log4j is an “endemic vulnerability” and that vulnerable instances of Log4j will remain in systems for many years to come, possibly a decade or more. A significant risk remains.

Log4j “also drew attention to the security risks unique to the resource-constrained, volunteer-based open source community,” the report states, and “it is critical that public and private sector stakeholders build resources centralized and security support structures that can support open source”. source community in the future.

The council’s first group of recommendations is to address persistent Log4j risks: organizations “should be prepared to address Log4j vulnerabilities for years to come” and “should continue to report (and escalate) observations of ‘Log4j operation’.

“CISA should expand its ability to develop, coordinate and publish authoritative information on cyber risks,” the report continues. “Federal and state regulators should lead the implementation of the CISA guidelines through their own regulatory authorities.”

To drive existing security hygiene best practices, the report recommends that organizations “invest in capabilities to identify vulnerable systems”, “develop the ability to maintain an accurate inventory of information technology (IT)”, have “a documented vulnerability response program”. and “a documented process for disclosing and addressing vulnerabilities”, and “software developers and maintainers should implement secure software practices”.

Recommendations focused on creating a better software ecosystem state that “open source software developers should participate in community security initiatives”, while organizations should “invest in training software developers to develop secure software” , “improve software bill of materials (SBOM) tooling and adoptability”, “increase investments in open source software security”, and “drive open source software maintenance support for critical services”.

The Cyber ​​Safety Review Board’s latest set of recommendations focus on future investments, recommending that organizations “explore a baseline requirement for software transparency for federal government vendors,” “review the effectiveness of a Cybersecurity Reporting System (CSRS)”, “explore the possibility of establishing a Software Security Risk Assessment Center of Excellence (SSRACE)”, “investigate the incentive structures needed to create secure software” and “establish a government-coordinated task force to improve the identification of software with known vulnerabilities”.

“The long-term impact on organizations will be difficult to assess without better tools for discerning actual exploitation and centralized reporting of successful compromises,” the report said.

About Jean R. Manzer

Check Also

Book recommendations by Paulina Porizkova

Welcome to Lifetime, The books section of, in which the authors share their most …