Cybersecurity and the Log4j vulnerability

I like basic.

I like simple.

There is definitely not enough of basic or simple in my business!

One of the most basic and simple strategies for cybersecurity is called the Essential 8.

When implemented correctly, the Essential 8 improves an organisation's security posture significantly.

Two of the components of the Essential 8 are patching: patch operating systems and patch applications.

That was till this week.

A little context:

A vulnerability has been discovered in a simple logging component of Java.

This identified vulnerability allows an attacker to send a simple line of code to a system.

That code is then passed to the logging system and, bingo, they now have full access to the device as an administrator.

In other words, a 10-year-old can hack your system and do some serious damage!

That makes it a huge internet problem; in fact, it is being labeled “the worst hack in history”.

First discovered in web-based systems (Apache), it has now been identified in thousands of products that are installed on computers across the world.

This vulnerability has highlighted the fact that everyone and their dog has used this logging system and then failed to think about updating it as part of their patching process.

In some cases, the versions we are coming across have been in these systems for more than 8 years and have been carried over from version to version.

Counteracting the problem is difficult.

We cannot just remove the problem files because the application will stop working.

We cannot just change it for the newest version because the application will stop working.

So we have to wait for the software owners to patch their software and release the patch.

In the meantime, we plan for the worst and hope for the best.

We rely on our defence in depth.

We rely on our proactive systems and contingencies.

We rely on others in the industry to find solutions that can be implemented and apply them as fast as possible.