Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw.
The ‘Log4Shell’ vulnerability in open source library Log4j has reached “endemic” proportions and the aftershock could reverberate for “a decade or longer”, according to a landmark US government report.
The inaugural report by the Cyber Safety Review Board (CSRB) provided 19 recommendations for how organizations and government agencies can bolster their networks and applications against the threat.
The CSRB was established in February 2022 by the Department of Homeland Security (DHS) as mandated by a cybersecurity-focused Executive Order that was signed by President Biden a year earlier.
The public-private initiative is tasked with reviewing serious cybersecurity events and delivering strategic recommendations to government, industry, and the information security community.
The Log4Shell vulnerability, which surfaced in December 2021, offers a potent combination of super-criticality – notching a maximum CVSS severity score of 10 – and enormous attack surface given Log4j’s near-ubiquity in providing Java-based logging to myriad applications.
Secretary of homeland security Alejandro Mayorkas said the CSRB was a “transformational institution that will advance our cyber resilience in unprecedented ways”, and its report will help “strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security”.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said the report was unusual in providing “a comprehensive review of the impact and root causes of a cyber incident so quickly”.
The CSRB report (PDF), published on July 14, said “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”
The Apache Software Foundation, which maintains Log4j, was praised for its “well-established software development lifecycle” and “for recognizing the criticality of the problem” in quickly issuing patches.
The report also hailed the rapid production of effective guidance, tools, and threat information by vendors and governments.
Further down the supply chain, however, “organizations still struggled to respond to the event, and the hard work of upgrading vulnerable software is far from complete across many organizations”.
Moreover, the event highlighted “security risks unique to the thinly-resourced, volunteer-based open source community”, which the CSRB said needed more support from both public and private sector stakeholders.
‘Hard to believe’
The report said the CSRB was “not aware of any significant Log4j-based attacks on critical infrastructure systems”, and that hostile exploitation seemed to have “occurred at lower levels than many experts predicted”.
However, Matt Chiodi, chief trust officer at security vendor Cerby, found these claims “very hard to believe”, noting that – as the CSRB itself acknowledged – organizations are not obliged to report exploitation of serious vulnerabilities.
Chiodi also said the recommendations, which among other things cover mitigating ongoing Log4j risks and migrating to a proactive vulnerability management model, “are too opaque for companies to implement in their current form”.
He advised organizations to get “deadly serious about knowing your assets and moving toward a zero-trust architecture”, noting that “most organizations have terrible asset management practices”, particularly in relation to “homegrown applications in the cloud”.
Mackey, meanwhile, cautioned against “reliance on a commercial vendor to alert consumers of a problem presumes that the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software – even if support for that software has ended.”
With this in mind, “software consumers should implement a trust-but-verify model to validate whether the software they’re given doesn’t contain unpatched vulnerabilities”.
Nigeria Spends N18.3bn Daily On Fuel Subsidy – Finance Minister
Ortom Bans Mining Activities In Benue
Adamu Reveal Why Jonathan’s Almajiri School Programme Failed
eNaira Has Recorded 840,000 Downloads, N4bn Transactions – CBN Governor
I Started Singing To Get Girls – Patoranking
TCN: We’ve implemented new technology to enhance the performance of the national grid
546 kilometers of roads have been built in Edo over the past six years, while 886 kilometers have been planned – Government
Court sentences a man to 37 years of imprisonment for fingering a minor
Segun Showunmi, Ogun PDP: “I will fight this struggle to the end”
Plateau PDP nominates former APC chairman as governorship campaign DG
Officials from Manchester United are in negotiations to sign Joao Felix from Atletico Madrid
Manchester United is teased by Atletico Madrid on their transfer request for Joao Felix
Son Heung-min may have been the target of racial remarks when Tottenham and Chelsea drew at the weekend
Sir Jim Ratcliffe, the richest man in Great Britain, expresses interest in purchasing Manchester United
2023 Budget: Nigerian govt slams N8.52trn for staff salaries, others, Presidency gets N14.2bn
U20WWC: France joins the Falconets from Group C, breaking South Korea’s heart.
Apple To Launch iPhone 14 On September [See Date]
At London’s Soultown Festival, lead performers included Gabrielle, Soul 2 Soul, and Heather Small
British billionaire, Jim Ratcliffe to buy Man United
U-20 WWC: Super Falconets flogs Canada, to meet Netherlands in quarter-finals
National Blackout: Electricity Workers Call Off Strike
Why I visited Femi Kuti – Peter Obi
Reps To Investigate Agric Ministry Over N18.6bn Spent To Clear Bush, Prepare Land
What fans should expect from sequel – “Squid Game” creator
Buju has questions to answer, a police spokesman claims, after he boasted of spitting on an officer
Buju BNXN engages in a near-free-for-all brawl with police officers
Your daily horoscope for Thursday, August 18, 2022
A robot designed by a snake-loving engineer to restore the reptile’s legs
WhatsApp is working on a feature that would allow you to retrieve deleted messages
Chaos as students drown while having fun on the Lagos beach
Ngige convenes an emergency meeting with electricity employees during a blackout.
How Magu botched high-profile corruption cases while pursuing “Yahoo Boys”
Snapchat’s Paid Users Hit 1 Million
Nigeria Police Officer Rewarded For Rejecting $200,000 Bribe
Police Caution Ronaldo Over Fan Phone Incident
Peter Obi no threat to APC in Imo – Hope Uzodinma
Peter Obi Visit Femi Kuti After Threats From Obidients [VIDEO]
Blackout Looms In Nigeria As Electricity Workers Begin Strike
APC Fires Bauchi Youth Vanguard
Closed door meeting between Bola Tinubu and Olusegun Obasanjo
Barcelona Finally Register New Signing To La Liga, Lewandowski, Raphinha, Christensen and Kessie
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Complete Episodes)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Final Episode 14)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 12)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 11)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 10)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 02)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 01)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 06)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 08)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 13)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 03)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 05)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 07)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 09)
[STORY] MY HOUSEMAID IS A MARINE SPIRIT (Episode 04)
[STORY] MY LANDLADY (Episode 01)
[STORY] DELILAH’S CURVE (Complete Episodes)
[STORY] MY LANDLADY (Complete Episodes)
James Milner Reveals What Darwin Nunez Did To Liverpool’s Attack
[STORY] SADE’S HEART TALE (Episode 22)
[STORY] SADE’S HEART TALE (Episode 21)
[STORY] MY LANDLADY (Episode 06)
[STORY] MY LANDLADY (Episode 17)
NLC demands 50% increase in workers’ salaries
Your weekly tarot horoscope for August 14 to August 20 and Mars entering Gemini
[STORY] MY LANDLADY (Episode 04)
[STORY] MY LANDLADY (Episode 07)
2023 Elections: Presidential Candidates To Pay ₦10 Million For Campaign Posters In Anambra
[STORY] DELILAH’S CURVE (Episode 04)
[STORY] MY LANDLADY (Final Episode 20)
[STORY] MY LANDLADY (Episode 03)
[STORY] DELILAH’S CURVE (Episode 01)
Browser-powered desync: Black Hat USA presents a new class of HTTP request smuggling attacks
[STORY] MY LANDLADY (Episode 09)
[STORY] MY LANDLADY (Episode 11)
Images and videos from Mercy Chinwo’s wedding ceremony
[STORY] MY LANDLADY (Episode 15)
[STORY] MY LANDLADY (Episode 18)
[STORY] MY LANDLADY (Episode 08)
ANE's Billboard Hots
Technology2 months ago
VoIP Number: Everything You Need To Know
Music5 years ago
[Music] Wiz Khalifa – See You Again ft. Charlie Puth
Music2 months ago
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
Music6 years ago
[Music] Ed Sheeran – Perfect
Movie Subtitle2 months ago
DOWNLOAD Complete Money Heist Season 1 Subtitles File [English SRT] 2017
ANE Stories2 months ago
The Story Of My Life (Complete Episode 1 – 47)
Music2 months ago
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
Music3 years ago
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you