By Mark Lanterman
This past spring, I wrote about the newly created Cyber Safety Review Board and its focus on uniting the public and private sectors in reviewing security incidents and providing recommendations for improvement (“What we can already learn from the Cyber Safety Review Board,” March 2022). The board made the recently discovered Log4j vulnerability the subject of its first report, “Review of the December 2021 Log4j Event.”*
The report provides a thorough explanation of the vulnerability as well as a disclosure timeline. The response and immediate aftermath were summed up this way: “One interview with the Board revealed that ‘no one in the industry was sleeping that weekend [following the vulnerability’s announcement]—they were trying to patch millions of servers.’” Many experts believed that this was perhaps the worst vulnerability ever observed, and the possible risks continue to exist given its pervasive nature. The board “found that organizations that responded most effectively to the Log4j event understood their use of Log4j and had technical resources and mature processes to manage assets, assess risk, and mobilize their organization and key partners to action… However, few organizations were able to execute this kind of response, or the speed required during this incident, causing delays in both their assessment of the risk and their management of it.” The report describes the substantial resources that were required by many organizations and agencies in the midst of the initial mitigation period.
The report recommends that organizations continue to acknowledge and address the ongoing risk brought about by the Log4j vulnerability. While it states that fewer documented attacks have occurred as a result than initially expected by experts, the ubiquitous nature of the vulnerability requires ongoing remediation efforts. In total, 19 actionable recommendations are laid out in the report, listed under four general categories:
- Address continued risks of Log4j
- Drive existing best practices for security hygiene
- Build a better software ecosystem
- Investments in the future
With these themes in mind, key action items involve ongoing response, documentation, and mitigation of the Log4j vulnerability. It is suggested that organizations have a vulnerability response program in place, and that renewed emphasis be placed on secure software development. As for future improvements, the board puts forth the possibility of a Cyber Safety Reporting System (CSRS) to “contribute to a system-wide view of the cyber ecosystem and expand and centralize the existing external reporting of coordination of cyber safety issues. Built on a voluntary model, a CSRS could incentivize anonymized reporting of exploitable vulnerabilities in key libraries, software code bases, and key projects.” The report also suggests examining the benefits of creating a central inventory of all software used across federal agencies, otherwise known as a Software Security Risk Assessment Center of Excellence (SSRACE).
The CSRB’s first report demonstrates how a thorough review and a commitment to learning from one’s mistakes can assist in creating a roadmap to future improvement. The board provides a wealth of information regarding the history of the Log4j vulnerability and the initial response, but its true value lies in its assessment of what is required to learn from the incident and promote actionable cultural change between the public and private sectors.
The report starts by noting, “We write this report at a transformational moment for the digital ecosystem. The infrastructure on which we rely daily has become deeply interconnected through the use of shared communications, software, and hardware, making it susceptible to vulnerabilities on a global scale.” In response to the cyber risks we currently face, President Biden initiated the Cyber Safety Review Board. By combining the efforts of the private and public sectors, the board offers a unique viewpoint in investigating incidents and providing practical and objective measures for improvement. Rather than investigating incidents with the main purpose of defining what went wrong and assigning blame, the report prioritizes a lessons-learned approach that takes into account what went right while also identifying any changes that should be made to bolster cybersecurity. Within our organizations, reviewing the report in its entirety may be a useful exercise in proactively assessing the strength of our own security cultures—as well as whether applicable measures contained in the report are being implemented.
Notes
* https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.