Why Experts are Calling Log4j the Worst Security Flaw of the Decade and Why You Should Care
January 18, 2022
The Log4j vulnerability sent shockwaves throughout the entire cybercommunity when it was discovered in December 2021. Since then, organizations have been scrambling to uncover what systems use Log4j, if they’re affected, and how to patch them before a breach occurs. Security researchers and IT teams around the world are racing to deploy solutions and map out the long-term implications of the situation.
But what exactly is Log4j? What’s vulnerable? Why are experts calling it the worst security flaw of the decade? And why should you be worried about it? Keep reading to learn more about the Log4j crisis—what it is, what the future holds, and most importantly, how you can protect yourself.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
Log4j is a programming code written in Java computer language that was developed by volunteers within the Apache Software Foundation (CBS). It is a key software building block that allows developers to keep track of what happens in online applications and services. How? It creates a record of all system activity, which developers can then use to troubleshoot server issues, find and fix bugs, and track data within programs; this function is known as logging. A common example of Log4j is when you click on a link and get a 404 Error message.
Log4j is an open-source code, which means it’s freely available for use. And since logging is critical for maintaining any kind of web app, Log4j is embedded in all corners of the Internet. It’s broadly used by millions of online services worldwide, both for programs developed in-house and outsourced elsewhere, such as messaging, email, video games, cloud platforms, and more. In fact, Log4j is even run across major platforms like Apple’s macOS, Windows, Linux, Amazon, Twitter, LinkedIn, IBM, Webex, CISCO, and Minecraft, among others.
In December 2021, security researchers discovered vulnerabilities in the Log4j software, which, if exploited, could allow threat actors to remotely infiltrate networks, take over systems, and steal confidential passwords, files, and other data. Once they’re in, hackers could even install malware and other backdoors to launch attacks and ransomware infections down the line.
Even worse? The vulnerabilities in question are easy to exploit—attackers don’t even need a login or passwords to gain full server control. And because logging software is typically hidden under other layers of code, it’s hard to identify which systems even use Log4j to begin with, especially since most developers don’t keep a record of all the software used when designing a particular application.
Why is it so bad?
The cyber community has been on high alert since the announcement. All Java-based software and servers, whether Internet-facing or internal, are at risk. Google estimates that over 35,000 Java packages could be impacted.
By the time the initial flaws were reported, it was already being actively targeted by hackers. This is known as a zero-day vulnerability; developers effectively had zero days to come up with a fix before the gap may have been exploited. According to cybersecurity firm Checkpoint, over 4,300,000 hacking attempts had been made within days of discovery.
To learn more about the Log4j vulnerability, please consult the following resources:
- Canadian Centre for Cyber Security (CCCS): Active exploitation of Apache Log4j vulnerability
- Apache Log4j 2: Apache Log4j Security Vulnerabilities
- Cybersecurity Infrastructure and Security Agency (CISA): Apache Log4j Vulnerability Guidance
What does the future hold?
Recovery is in process. Apache has issued fixes and other affected companies are working on similar solutions. But while patches are easy to implement, it’ll take months, or even years, to fully wipe up this mess—especially if hackers already got into your system and installed malware before you patched it. Even if you’ve made repairs, your organization could still be hit with a crippling ransomware attack years down the line.
So far, exploitation attempts have been “automated and exploratory,” but it’s just a matter of time before they become increasingly sophisticated. Without proper safeguards, businesses risk losing permanent access to mission-critical data, as well as incurring severe financial loss, regulatory penalties, legal action, and long lasting reputational harm.
Cybersecurity experts are particularly concerned that hackers will capitalize on this opportunity to prey on smaller, resource-poor SMBs, schools, and hospitals, much like they have throughout the entirety of the pandemic. Alternatively, the Log4j crisis could serve as just the kind of distraction more malicious threat actors need to move in on high-value targets, like government agencies, critical infrastructure, and banks.
RELATED: Ransomware: Should You Pay Up?
What can you do about it?
1. Patch all affected systems immediately.
According to US Cybersecurity Infrastructure and Security Agency (CISA), all organizations are encouraged to take the following steps to protect against compromise:
Work with your developers to assess your exposure. Figure out what services use Log4j, both in-house and outsourced. It may not be clear right away which systems use Log4j, so be sure to scan all servers, apps, assets, and more in your environment, with high attention to those that are Internet-facing. Monitor vendor notifications regarding known vulnerable platforms.
Apply security patches to all suspected vulnerable systems and update all instances of Log4j to the latest version. Where a patch cannot be applied, seek vendor guidance on appropriate mitigations. Remain alert to all vendor software updates going forward and install them as they become available. If your organization is a developer of affected software, communicate with your clients so they know to make updates.
Monitor your network for evidence of exploitation and signs of malicious activity. Review system logs and look for odd traffic patterns to hosts outside the local network. Initiate incident response measures as needed. If compromise is detected, report any instances to the Canadian Centre for Cyber Security (CCCS) and notify affected parties.
Be vigilant. This situation is constantly evolving and remediation practices may change. Even if your scans come up clear, keep reassessing your environment as new information becomes available. Pay attention to vendor alerts and maintain a regular patch process.
For more technical security recommendations, please consult the following resources:
- CISE Security: Log4j Zero-Day Vulnerability Response
- Cybersecurity Infrastructure and Security Agency (CISA): Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
2. Improve your overall security hygiene.
The Log4j crisis is ultimately a risk management wake up call for businesses to improve their overall security posture and take a more proactive and disciplined approach to cyber threats. To ensure maximum protection and mitigate the risk of a Log4j-related breach, all organizations should work towards a long-term strategy that focuses on:
Add extra layers of protection to all networks and devices, such as firewalls, antivirus software, and multi-factor authentication (MFA). Encrypt all data at-rest and in-transit and routinely backup your information. Keep systems up-to-date with the latest security patches. Develop tailored incident response and business continuity plans in case of a breach. For a detailed list of cybersecurity measures, click here.
Provide specific security awareness training to all employees on: how to handle sensitive data and use software, what threats your organization faces and how to identify them, and how to spot signs of a breach. Keep employees updated about risks as they crop up and where they can report security incidents.
An added benefit? In addition to boosting your overall security posture, implementing baseline cyber controls, like MFA, encryption, backup protocols, and security awareness training, will ensure that your organization meets minimum requirements to qualify for Cyber Insurance.
3. Reach out to your broker.
A licensed broker like PROLINK can help you plan and protect. With nearly 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can share what steps others in your industry are taking towards the Log4j vulnerability and help you become resilient in the face of attack.
Our dedicated team of risk advisors will help you:
- Identify exposures based on your business operations and unique needs;
- Adopt a proactive approach to risk management to control your costs long-term;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Secure a specialized solution that aligns with your strategic objectives.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.