First CSRB Report Tackles Ongoing Log4j Risk

The Log4j vulnerabilities discovered in 2021 continue to pose significant risks to organizations worldwide. The Cyber Safety Review Board (CSRB) released a series of recommendations aimed at addressing that risk and underscoring the need for additional funding to support the open source software community.

The public-private initiative, directed by President Biden through Executive Order 14028, Improving the Nation’s Cybersecurity, functions much like the National Transportation Safety Board (NTSB). The CSRB is tasked with reviewing and assessing significant cybersecurity events in an effort to protect U.S. networks and infrastructure. The recommendations are part of a report delivered this week to President Biden.

“At this critical juncture in our nation’s cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways,” said Department of Homeland Security (DHS) Secretary Alejandro N. Mayorkas, who established the board in February 2022. “The CSRB’s first-of-its-kind review has provided us—government and industry alike—with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security.”

The Log4j flaws wreaked havoc on IT security at the end of 2021, sending technology leaders and practitioners alike into a frenzy trying to track down instances and resolve the vulnerabilities.

“The complexity of patching unknown Log4j systems continues to add more difficulties for organizations. A purchased appliance may have a vulnerable version of Log4j unbeknownst to the organization,” said Matthew Warner, CTO and co-founder at Blumira. “There continues to be exploitation of Log4j across internet-exposed VMware Horizon servers that have not been patched, even within hours of CISA notifications of vulnerable hosts.”

Vulnerabilities like those in Log4j “that live within infrastructure have longevity and stickiness due to the complexity of networks and IT turnover that results in undocumented devices,” said Warner. “It will take many years for the industry to remove and update all legacy Log4j solutions and support to identify impacted solutions, and getting this information to organizations will be necessary for privacy and public partnership success.”

“Log4j shined a light on longstanding problems in our software supply chain. IT systems have become incredibly complex, with layers and layers of components put together by layers and layers of integrators and developers,” said Chris Clymer, co-founder, director and CISO at Inversion6. “All of which is often compiled and built in ways that make it extremely difficult to know what components are included in a system your business relies upon.”

Indeed, “dealing with Log4J is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere—not only in core projects but in dependencies that other projects rely on—making detection and mitigation not as simple an exercise as it may be with other vulnerabilities,” said Michael Skelton, senior director of security operations at Bugcrowd. “While the initial wave of Log4j findings has subsided, we do still see Log4j appear in bug bounty programs somewhat frequently as the crowd dives deeper into the vulnerability, and looks into the dependencies of projects for its presence.”

The CSRB’s report offered the following guidance for organizations that need to blunt the ongoing impact of Log4j:

  1. Organizations should be prepared to address Log4j vulnerabilities for years to come.
  2. Organizations should continue to report (and escalate) observations of Log4j exploitation.
  3. CISA should expand its capability to develop, coordinate, and publish authoritative cybersecurity risk information.
  4. Federal and state regulators should drive the implementation of CISA guidance through their own regulatory authorities.
  5. Drive existing best practices for security hygiene: Adopt industry-accepted practices and standards for vulnerability management and security hygiene.
  6. Organizations should invest in capabilities to identify vulnerable systems.
  7. Develop the capacity to maintain accurate information technology (IT) asset and application inventory.
  8. Organizations should have a documented vulnerability response program.
  9. Organizations should have a documented vulnerability disclosure and handling process.
  10. Software developers and maintainers should implement secure software practices.
  11. Build a better software ecosystem: Drive a transformation in the software ecosystem to move to a proactive model of vulnerability management.
  12. Open source software developers should participate in community-based security initiatives.
  13. Invest in training software developers in secure software development.
  14. Improve software bill of materials (SBOM) tooling and ease adoption.
  15. Increase investments in open source software security.
  16. Pilot open source software maintenance support for critical services.
  17. Investments in the future: Pursue cultural and technological shifts necessary to solve the nation’s digital security in the long term.
  18. Explore a baseline requirement for software transparency for federal government vendors.
  19. Examine the efficacy of a cyber safety reporting system (CSRS).
  20. Explore the feasibility of establishing a Software Security Risk Assessment Center of Excellence (SSRACE).
  21. Study the incentive structures required to build secure software.
  22. Establish a government-coordinated working group to improve identification of software with known vulnerabilities.
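Recommendations 6, 7 and 14 above (identify vulnerable systems, keep an accurate asset and application inventory, improve SBOM tooling) meet Skelton's point that Log4j hides in the dependencies of other projects. The following is an added example, not code from the CSRB report or from any vendor quoted here: it walks the dependency graph of a constructed CycloneDX-style SBOM and reports every log4j-core component below an assumed minimum safe version, together with the path that pulled it in. The SBOM contents and the `MIN_SAFE_VERSION` threshold are assumptions; set the threshold to whatever your vulnerability advisory requires.

```python
import json

# Assumed threshold (not from the report): set to the version your advisory requires.
MIN_SAFE_VERSION = "2.17.1"
LOG4J_GROUP, LOG4J_CORE = "org.apache.logging.log4j", "log4j-core"

# Constructed sample SBOM: the app declares only a web framework; that framework is
# what drags in log4j-core, so a check of direct dependencies alone would miss it.
APP, FW = "pkg:maven/example/app@1.0.0", "pkg:maven/example/webfw@3.2.0"
CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"bom-ref": APP, "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": FW, "group": "example", "name": "webfw", "version": "3.2.0"},
        {"bom-ref": CORE, "group": LOG4J_GROUP, "name": LOG4J_CORE, "version": "2.14.1"},
        {"bom-ref": API, "group": LOG4J_GROUP, "name": "log4j-api", "version": "2.14.1"},
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [FW]},
        {"ref": FW, "dependsOn": [CORE]},
        {"ref": CORE, "dependsOn": [API]},
    ],
})

def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); a non-numeric part such as '0-beta9' sorts below any release."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def find_log4j_paths(sbom_json, min_safe=MIN_SAFE_VERSION):
    """Depth-first walk from the SBOM root over the 'dependencies' graph.
    Returns [(version, path_of_bom_refs)] for each log4j-core older than min_safe."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    findings, seen, stack = [], set(), [(root, [root])]
    while stack:
        ref, path = stack.pop()
        if ref in seen:          # cycle / diamond guard: report each component once
            continue
        seen.add(ref)
        c = comps.get(ref)
        if (c and c.get("group") == LOG4J_GROUP and c.get("name") == LOG4J_CORE
                and version_tuple(c["version"]) < version_tuple(min_safe)):
            findings.append((c["version"], path))
        stack.extend((child, path + [child]) for child in edges.get(ref, []))
    return findings
```

Running `find_log4j_paths(SAMPLE_SBOM)` against the constructed SBOM reports log4j-core 2.14.1 reached via app -> webfw -> log4j-core, which is the kind of transitive path an inventory of direct dependencies would not show.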

“This is an incredibly dense report, but one that I hope a lot of folks—both inside and external to government—read and digest,” said Casey Ellis, founder and CTO at Bugcrowd. “The vulnerabilities in Log4j prompted one of the most intensive cybersecurity community responses in history, and there are a great many lessons to be learned from it; hopefully those will be applied back to software and F/OSS vulnerability management.”

“Of particular interest are some of the comments in the executive summary about the People’s Republic of China’s potential actions against Alibaba for violating then-recent vulnerability disclosure laws and the potential for this to have a chilling effect on security research in good faith out of mainland China,” said Ellis. “Given the progress on deconflicting anti-hacking laws like the CFAA and the CMA in the West, seeing the PRC seemingly take steps in the opposite direction is a vulnerability-specific international relations shift that will be worth keeping an eye on.”

And Clymer noted the report “is filled with great recommendations and helps to reinforce that the Log4j issue has not gone away; there are likely numerous similar problems out there still unidentified.” CISA, Clymer said, “has done really great work raising awareness about security over the last few years, becoming a singular voice on cybersecurity for the government.” He was struck by the board’s recommendation that “CISA should be doing more to assess and raise awareness. There’s clearly more improvements to keep making.”

The board also recommended that the CISA guidance be escalated, made mandatory rather than optional by state and federal regulators. “I’m skeptical that many laws will pass here in our current political environment,” Clymer said. “Sadly, I agree that short of regulations requiring organizations to do things like maintaining a software bill of materials, organizations are unlikely to prioritize investing the significant time and money into these efforts. Many would like to, but the costs to really address these problems will be high. Without regulatory cover, it is difficult to explain to stockholders why you’re making these investments—especially if you’re the first one making that shift.”

The board advocated for organizations to get back to the basics. “As the Cyber Safety Review Board articulated, there are a number of basic steps that should be taken to protect against vulnerabilities, including security testing for vulnerabilities earlier in the development cycle, making sure that software and operating systems are kept up-to-date and patched and utilizing a multi-layered, defense-in-depth approach,” said Pravin Madhani, CEO and cofounder of K2 Cyber Security.

For the most part, the CSRB drew kudos from the cybersecurity community. “Rarely do we get a comprehensive review of the impact and root causes of a cyber incident so quickly after the incident occurred, but that is precisely what we have from the CSRB in their report on Log4Shell and Log4j,” said Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center.

“Open source software is fundamentally managed differently than commercial software, but open source software plays a key role in the success of commercial software,” said Mackey. “The ‘long-tail’ scenario outlined in the report is one we’ve seen with countless past vulnerabilities, and one that favors attackers since their success is based on having at least one victim who hasn’t patched their systems.”

Given that open source software is managed differently from commercial software, and that open source powers commercial software, Mackey said, “reliance on a commercial vendor to alert consumers of a problem presumes that the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software—even if support for that software has ended.”

But the report may be too late to help mitigate the risks that Log4j flaws pose, and the recommendations may not be well suited for businesses of all sizes and stripes. “The Log4j vulnerability was first widely known in December 2021. This report comes eight months after that. At this point, anyone still vulnerable is highly unlikely to read this report or be in much of a position to do anything about it if they did,” said John Bambenek, principal threat hunter at Netenrich.

“Most of the American economy is small to medium business who almost always never have a CISO, and aren’t likely to even have a CIO,” said Bambenek. “Until we find ways to make those without security budgets safe, no high-level list of best practices will move the ball significantly.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.