The recent Log4J exploit seems to have taken many companies by surprise. The team at Cyber Self-Defense, LLC has heard many horror stories about it, and we have heard that companies were not prepared for it.
For years, I have been preaching that cybersecurity is cybersecurity (it is the same, for the most part, for all companies) and that a properly built cybersecurity program should allow you to run your business as usual. While I will be the first to tell you there is no such thing as perfect cybersecurity and that a determined hacker can get in, I will also tell you that you can make it very difficult and quickly detect their presence once they do get in. Building a strategy to enable the business’ success through a risk-based and strategic process is the only effective way to know that your company is investing the right resources.
What is Log4j? Apache systems have a logging utility to log events and configure various features. This utility was created for many practical purposes and has been implemented into various Apache systems. Unfortunately, criminals are always looking for code (software) flaws that can be exploited, leading to a system or data breach. In this case, some of the Log4J instances have flaws that can be exploited to leak data and allow remote code execution. Essentially, hackers can gain access to systems and/or data. The first fix would be to determine if any of your internal or external systems (don’t forget shadow IT: external systems or solutions that are not known to IT and IT Security or are minimally understood) are vulnerable, test to see if they can be patched and patch them. If they cannot be patched, mitigate the risk through various other techniques.
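One way to approach the first step above, finding where Log4j is present, including copies bundled inside other applications' archives that IT may not know about. This is an added example, not code from the original article; the sample archive names and version string are constructed, and a reported version still has to be checked against the vendor's advisory.

```python
import io
import os
import tempfile
import zipfile

ARCHIVES = (".jar", ".war", ".ear", ".zip")
CORE_CLASSES = "org/apache/logging/log4j/core/"
CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_archive(data, label, depth=0):
    """Return [(location, version)] for each Log4j core copy, recursing into nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip it
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_CLASSES) for n in names):
            props = zf.read(CORE_PROPS).decode("utf-8", "replace") if CORE_PROPS in names else ""
            version = next((l[8:].strip() for l in props.splitlines() if l.startswith("version=")), "unknown")
            hits.append((label, version))
        for n in names:
            if n.lower().endswith(ARCHIVES) and depth < 5:  # depth cap is an arbitrary safety limit
                hits += scan_archive(zf.read(n), label + "!/" + n, depth + 1)
    return hits

def scan_tree(root):
    """Walk a directory tree and scan every archive file found in it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                hits += scan_archive(fh.read(), path)
    return hits

def build_sample(root):
    """Constructed sample: a WAR that bundles a stand-in Log4j JAR (made-up version string)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(CORE_CLASSES + "Logger.class", b"")
        z.writestr(CORE_PROPS, "version=0.0.0-sample\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/bundled-logging.jar", inner.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(scan_tree(d))
```

A version of "unknown" means the library's classes were found without its Maven metadata, which is typical of repackaged or shaded builds and needs manual follow-up.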
Having said all of this, I think we need to talk about the main problem: companies tend to build checkbox-based cybersecurity programs. For instance, a company might download a policy from the internet, perform a find and replace, and then tell the security auditor they have a policy. Unfortunately, they might not have appropriately deployed the policy. We have seen such situations lead to data breaches. A company might have a policy requiring their staff to patch all systems within ten days after testing. They fail if they don’t patch the systems strategically and per the policy. Furthermore, if they don’t test for vulnerabilities regularly, they also fail.
We need to build comprehensive cybersecurity programs based on the business’ needs. Here are my takeaways for what went wrong with companies who were victims of Log4J:
1. The companies we have talked to did not have an enterprise-wide, risk-based, strategic, and fully-implemented program. Many of them had checkbox security.
a. Along these lines, they did not have leaders who understood both the administrative and the technical aspects of cybersecurity. Many fall under IT leadership, where it is challenging to balance security needs with the need to have easy to configure and deploy computing assets.
b. FULL Executive buy-in and support.
c. Communications up and down the chain of command were lacking.
d. The companies did not have accountable cybersecurity professionals thinking about the business, not just cybersecurity. The business must strike a balance between having a solid technologist, a person with real-world cybersecurity experience (NOTE: Cybersecurity and IT are NOT the same things), and a person who understands the business needs to lead the program. I could spend hours on this part of the discussion; you need a balanced leader, not an IT or IT Security Analyst.
2. Many did not have a risk management program that was comprehensive and effective. The company often had a document or program that was too high-level and could not drive the security efforts, so no return on investment could be calculated.
3. Training for all staff should be done in a manner that shows that the company is engaged in the cybersecurity process. Haphazard “check the box training” does not help, nor does “one size fits all” training. If the training is not important to you, it will not be important to your employees.
a. Secure Code Training is not widely enforced and included in the creation of code and the integration of libraries.
b. System or job role-specific training is not occurring or not comprehensive enough.
c. ALL STAFF, including your executives and the Board of Directors.
4. Vigorous code testing. In our world today, code is developed very rapidly, and quality testing of the code package is not done widely enough.
5. Vendor management:
a. We need specific contract language that requires the vendor to provide:
i. Rapid response to issues.
ii. Strong SLAs for security.
iii. Fast communication.
iv. Regulatory requirements.
v. Anything else you require to ensure a solid partnership between the two companies. Again, this could be an article in and of itself; we spend large amounts of time with our customers ensuring that this is covered.
b. Vendor vetting processes:
i. Many IT Departments had no clue that Log4J was a risk; they did not know that they had shadow IT.
ii. Controls to prevent shadow IT. There must be a method of bringing vendors in, while ensuring that they have been thoroughly vetted and meet all of the organization’s needs, not just the department bringing the vendor in.
6. Technologies and processes (in no particular order; your risk assessment should drive the correct order). The following controls should be considered (note this is not meant to be an all-inclusive list; it is intended to push you back to your risk assessment and policies to see if they are appropriately guiding you):
a. DNS firewalls to filter malicious domains out.
b. Web Application Firewalls to detect and prevent inappropriate traffic.
c. Multifactor authentication makes it more challenging to gain access to systems and data.
d. SIEM and SIEM-like tools should be available, properly configured, and tuned to prevent alert fatigue.
e. Complete endpoint protection. Our network boundaries are all over; we need all systems to speak for themselves.
f. PROPER and strategic vulnerability MANAGEMENT:
i. Patching should be prioritized.
ii. All systems should be in scope (including external systems).
g. VPN and other remote access tools that validate the system meets the minimum requirements.
h. Encryption of data at rest and in transit.
i. Data leakage protection/prevention.
j. Network segmentation, based on need:
i. No system should talk to another one unless it is appropriate and reasonable.
ii. Corporations should consider blocking traffic from outside their operating areas. This should be planned for and strategically deployed.
k. Least privilege should be enforced:
i. Users SHOULD NOT be local admins.
ii. Administrators should NEVER log in with administrative credentials. They should log in as a normal user and elevate.
iii. Privileged Access Management and Identity Management solutions should be employed.
7. Internal audit processes.
8. Incident Response PROGRAMS.
a. You should have a comprehensive incident response program that contains playbooks and guides your team. I see many IRPs that allow you to check the box saying you have a plan but cannot be used during an incident.
b. You should train your team!
c. You should equip your team!
d. You should ensure that you conduct drills, tabletop exercises, etc., to practice.
9. Business Continuity planning and management.
As a busy Executive or business leader, you need to know that your program is running effectively and that your team is making risk-based decisions. You need to know that the program is built around the needs of the organization. You also need to know that the program is built correctly, so knee-jerk reactions are not the standard; pre-incident preparedness is the norm. Let us know if we can help you to have a solid understanding of your program!
Cyber Self-Defense is a premier cybersecurity organization that is focused on the success of our customers. Our approach is different from most companies as we have been in many of your roles and understand how to achieve success with limited resources and the need to allow the company to operate at a profit. If you have questions about anything related to cybersecurity or want some help getting on track, give us a call or send us an email. We’re passionate about what we do and are always happy to help!