The FTC Wants Companies to Find Log4j Fast
This won't be easy
On. Dec. 9, when the Apache Software Foundation disclosed a massive vulnerability in Log4j, its Java logging library, it triggered a cat-and-mouse game as IT professionals raced to secure their systems against cybercriminals looking to exploit a huge, now-known, issue. Among them were clients of George Glass, head of threat intelligence at governance and risk company Kroll. “Certain companies we spoke to knew there were applications that were impacted,” he says. The problem? They didn’t have access to them. “Maybe it’s a SaaS platform or it’s hosted somewhere else,” he says. They weren’t able to patch the Log4j binary itself, and instead faced a tricky decision: Turn off that specific application and stop using it, potentially refiguring their entire IT infrastructure, or take the risk that the third-party fix would come quicker than the state-sponsored and private hackers trying to take advantage.
At the same time as cybersecurity experts were trying to figure out their exposure to the problem, they were hit with successive warnings compelling them to act more quickly. First, the US Cybersecurity and Infrastructure Security Agency (CISA) set federal agencies a deadline of Christmas Eve to root out whether they used Log4j in their systems, and patch it. CISA director Jen Easterly said that it was the most serious vulnerability she’d seen in her career.
To help frazzled IT professionals understand whether they needed to do anything, CISA provided a five-step process, with three substeps, two verification methods, and a 12-part flow chart diagram with multiple routes and three outcomes (“vulnerable,” “not vulnerable,” and, confusingly, “likely not vulnerable”). As of early January, federal agencies had started work trying to identify any exposure to the Log4j vulnerability, but notably hadn’t fixed it entirely. A CISA spokesperson says “all large agencies have made significant progress.”
Please select this link to read the complete article from WIRED.