Major Security Bugs Are a Long-Term Threat: Here’s Why and What’s Next

The world of technology is entering a new phase where the complexity of code and the widespread use of global software tools have opened the door to a damaging security flaw that can last for years.

The business community got a glimpse of this in 2012 when a security breach was introduced in an update for OpenSSL, a popular cryptography library. The vulnerability became known as Heartbleed, which weakened the security of common Internet communication protocols, such as SSL and TSL. The Heartbleed bug has proven difficult to eradicateand cybersecurity vendors continue to face vulnerabilities in OpenSSL.

“Software remains vulnerable,” said Chris Krebsformer director of the Cybersecurity and Infrastructure Security Agency, in a keynote address in August at the Black hat USA 2022 conference in Las Vegas, covered by SiliconANGLE. “Companies that ship products are shipping targets. If you are hosting a service, you are the target.

Great time in safety

The latest security flaw to show signs of longevity is Apache Log4j. The Java-based logging tool is used in many software packages, and a vulnerability was first discovered. publicly disclosed in December via a Tweet from the Alibaba Cloud Security team. The security threat was quickly assigned a 10 on a scale of 10 by the National Vulnerability Database.

The urgency to fix Log4j is driven by a simple fact: its distribution is massive. A software security company has calculated that it is in the upper percentile of 0.003 software tools in terms of popularity. Following the Log4j disclosure, cybersecurity firm Lacework Inc. Noted that more than 3 billion devices run on Java and that “attackers are trying to compromise every single one of them”.

When the White House commissioned the creation of a cybersecurity review board in 2021, he did so knowing that the group would focus on recommendations to avoid another breach of SolarWinds, an embarrassing software supply chain compromise that began in 2020. However, the CSRB pivoted in February and announced that it would immediately focus its attention on Log4j.

“Log4j was a great moment for all of us,” said Heather Adkin, vice president of CSRB and senior director of security at Google LLC, who appeared at a Black Hat conference session in August. “You will see malicious actors innovate in how they implement this.”

Contain the damage

The public disclosure of the Log4j vulnerability in mid-December amounted to posting a map of the bank vault with instructions on how to open the door. Security watchdogs and researchers quickly saw threat actors jump in million attempts per hour to exploit the software flaw. NSX Network Detection and Response Unit from VMware Inc. reported over 25 million exploit attempts against the Log4j tool.

It appears that the damage has been largely contained so far. The CSRB released a report in July stating that government systems had not suffered significant damage due to the vulnerability. The Log4j exploit has been attributed to a Fintech attacka compromise to belgian ministry of defenseand the distribution of Dridex banking Trojan.

Of greater concern is the difficulty for enterprises to apply a patch. a july report from CyCognito Inc. found that 70% of companies in a subset of surveyed companies that had previously addressed Log4j had difficulty remediating vulnerable assets and preventing a recurrence. Twenty-one percent of organizations in the report experienced triple-digit growth in the number of vulnerable assets exposed.

“The vast majority of businesses are worse off than they were in January,” said Rob Gurzeev, co-founder and CEO of CyCognito, in an exclusive interview with SiliconANGLE. “Log4j is so easy to operate.”

Need software inventory

Problems with Log4j have renewed calls for a BOM software. Some companies are having difficulty with patches for Log4j because it is difficult to know precisely where the tool has been deployed. Having an inventory of software ingredients would probably go a long way in identifying the most vulnerable points.

The SBOM movement has gained momentum over the past year. In 2021, the White House issued a Executive Decree which called for a wider use of SBOMs. Officials from the Cybersecurity and Infrastructure Security Agency and the Food and Drug Administration expressed support and urged government departments to implement a wide range of software supply chain security practices.

The corporate world is also preparing for SBOM, but perhaps not as quickly as the public sector. According to a report from the Linux Foundation, 78% of organizations surveyed plan to produce or consume SBOMs this year, but only 47% are actively using them.

“Log4j is a function used in thousands of Java applications,” said Allie Mellen, senior analyst, Security and Risk, at Forrester Research, in an interview with SiliconANGLE for this article. “Without an accurate inventory of where the function is used, it can be very difficult to track down every application in which it is used across the enterprise.”

Active exploits

In recent months, threat actors have been proven to rally around a new malicious tool to exploit the Log4j vulnerability. Identified as “B1txo20” by practitioners from Qihoo 360’s Network Security Research Lab, the malware attacks Linux ARM and devices with x64 CPU architecture. It is a botnet that can exfiltrate data to and from command and control servers.

“Although the headlines have died down, Log4j is still being actively exploited by threat actors,” Mellen said. “Companies should patch their systems immediately to protect their organization from malicious actors looking to exploit this vulnerability. »

Because Log4j is so widely used in the IT world that the tool’s vulnerability has led to grim estimates of how long it would take to fully mitigate the risk. During the Log4j session during Black Hat, Robert ArgentsUndersecretary for Policy at the Department of Homeland Security, surprised some in the audience with a statement that organizations will face vulnerability issues for at least the next 10 years.

Such predictions raise the question of whether companies will continue to embrace open source tools so freely given the inherent risk now seen in community-supported code. Forrester’s Mellen thinks this is an indispensable reminder that companies need to contribute even more to the open source ecosystem.

“I hope this will be another example of why investing in and supporting open source software is so important,” Mellen said. “Enterprise software is built on an open source software foundation, but is rarely supported with resources at the same level. This should serve as yet another example of why open source software is important and why support for open source software is so crucial.

Image: D3Damon/Getty Images

Show your support for our mission by joining our Cube Club and our Cube Event community of experts. Join the community that includes Amazon Web Services and CEO Andy Jassy, ​​Dell Technologies Founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many other luminaries and experts.

Source link