CS Mar Apr 2022
Log4shell

for every organisation to ensure they are not exposed to any potential threats from the logging tool and make all the necessary mitigations to ensure they do not become targeted.
MASSIVE SHAKE-UP

"The LogJam (or Log4Shell) debacle shook the world to its knees," says Niels Hofmans, head of security at Intigriti. "Open-source software is incorporated everywhere into the software we use on a daily basis. However, we often don't know what software 'materials', such as Log4j, are built into the code libraries and tools we operate - or even develop."
The good news is that a new standard, called the Software Bill of Materials (SBOM), will hopefully bring some resolution to this problem, where a 'bill of materials' can be (securely) delivered along with packaged software releases, he adds. "This important bill will improve our supply chain security issues, at least by tenfold, since we will be able to track our software in a uniformed way. At the same time, software developers will be able to understand contents more clearly, identify all (transitive) dependencies, and match everything to any security vulnerabilities later on."
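To make the SBOM idea concrete, here is an added example (not from the article, Intigriti or any SBOM tool) that walks the transitive dependency graph of a small CycloneDX-style SBOM and matches every component it reaches against an advisory list; the SBOM contents, the advisory id and all version numbers are constructed placeholders, not real Log4j advisory data.

```python
"""Transitive-dependency walk over a constructed CycloneDX-style SBOM, matched against placeholder advisories."""
import json, re
from collections import deque

# Constructed minimal SBOM in CycloneDX JSON layout; bom-ref values are package URLs.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0"}},
 "components": [
  {"bom-ref": "pkg:maven/example/web-lib@3.2", "name": "web-lib", "version": "3.2"},
  {"bom-ref": "pkg:maven/example/log4j-core@2.0.3", "name": "log4j-core", "version": "2.0.3"},
  {"bom-ref": "pkg:maven/example/json-lib@1.9", "name": "json-lib", "version": "1.9"}
 ],
 "dependencies": [
  {"ref": "pkg:maven/example/app@1.0", "dependsOn": ["pkg:maven/example/web-lib@3.2"]},
  {"ref": "pkg:maven/example/web-lib@3.2",
   "dependsOn": ["pkg:maven/example/log4j-core@2.0.3", "pkg:maven/example/json-lib@1.9"]},
  {"ref": "pkg:maven/example/json-lib@1.9", "dependsOn": ["pkg:maven/example/web-lib@3.2"]}
 ]
}"""
# Constructed advisory record: placeholder id and fixed version, not a real advisory.
ADVISORIES = [{"id": "ADV-PLACEHOLDER-0001", "name": "log4j-core", "fixed_in": "2.0.4"}]

def version_key(v):
    """Numeric-only ordering; pre-release tags such as '-beta' need a real version parser."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def transitive_deps(root, graph):
    """Breadth-first walk; returns {ref: depth} with depth 1 = direct dependency."""
    seen, queue = {root: 0}, deque((ref, 1) for ref in graph.get(root, []))
    while queue:
        ref, depth = queue.popleft()
        if ref in seen:  # also stops cycles (json-lib -> web-lib above) from looping
            continue
        seen[ref] = depth
        queue.extend((child, depth + 1) for child in graph.get(ref, []))
    seen.pop(root)  # the application itself is not one of its dependencies
    return seen

def scan_sbom(sbom_text, advisories):
    """Return [(advisory id, bom-ref, depth)] for every dependency an advisory covers."""
    bom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    findings = []
    for ref, depth in transitive_deps(bom["metadata"]["component"]["bom-ref"], graph).items():
        for adv in advisories:
            if comps[ref]["name"] == adv["name"] and version_key(comps[ref]["version"]) < version_key(adv["fixed_in"]):
                findings.append((adv["id"], ref, depth))
    return findings
```

The depth in each finding shows that the affected library is pulled in indirectly (depth 2, via web-lib), which is exactly the transitive case the quote above describes.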
At the least, companies should consume threat intelligence feeds (TI feeds) that describe the latest attacks, trends and patches, so they stay on top of threats and prioritise accordingly. "And when cyberattacks do happen, a modern Web Application Firewall can stop web attacks from reaching your server; even better, if it allows you to tweak its settings to catch the latest attacks."
Configuration hardening is the practice of disabling and tweaking aspects of a system to improve its security, which could have prevented this logging library from being exploited, advises Hofmans. "And, even if it's too late, endpoint detection & response should stop or alert on any exploitation attempts and trigger you to go into red alert based on any abnormal system behaviour. Finally, to ensure an infected machine can only go so far, network segregation [akin to the Zero Trust Model] will limit its blast radius to only authorised peers and not the whole network."
As the head of security for Intigriti and a part-time bug bounty hunter, Hofmans warns that this type of creative attack certainly won't be the last. "However, there are many accessible controls software users can proactively implement now, rather than waiting for the next attack to happen."
SERIOUS FLAWS MOUNT UP

According to John Graham-Cumming, CTO at Cloudflare, Log4Shell is the third serious flaw that has affected a wide range of Internet services: Heartbleed in 2012, ShellShock in 2014 and now Log4Shell in 2021. "The Log4Shell vulnerability allows an attacker to execute code on a remote server, a so-called Remote Code Execution (RCE). The vulnerability was particularly serious, because of the widespread use of Java and Log4j. Importantly, even non-Internet-facing software that uses Java could have been exploitable, as data gets passed from system to system.
"When vulnerabilities like this are disclosed, it's important for companies to do two things: make sure their firewall is configured to block the attacks - and talk to their firewall vendor to see if they've rolled out a specific blocking rule - and patch the vulnerability as soon as possible."
Other best practices he recommends include filtering and logging DNS queries to block queries made to known malicious destinations, securing network traffic leaving your infrastructure with an updated, and inspecting and filtering HTTP traffic, which can block attacker attempts to reach their destinations.
DANGER ON THE HORIZON

While Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), recognises how Log4Shell would have impacted businesses on many levels, he emphasises most of all how any attack targeting Horizon could represent a disruptive threat to operations for those who are running VMware Horizon as part of a remote work programme. "As background, many VMware products include Apache log4j2 as their logging mechanism," he states, "and, as the evolution of the log4j2 patches occurred, VMware was proactive in their patch and mitigation efforts." Patch and mitigation information has been available for Horizon since December.
"From a risk management perspective, focusing attention on VMware Horizon, or any other individual product that uses log4j2, misses the real business risk associated with Log4Shell. If your patch management process missed Log4Shell or you had to manually scan each system to identify log4j2
www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security 33