Alerts abound about potential overflow from the Ukraine and Russia conflict, with organizations across finance, healthcare, and other critical infrastructure sectors told to brace for potential targeting by cybercrime groups with ties to Moscow.
The timing is noteworthy: only two months ago, news of the Log4j vulnerability first emerged, and many organizations still struggle to identify and mitigate the risk.
So, with the near universal message now being to patch all vulnerabilities, how exposed does Log4j leave the United States’ most critical industries?
SC Media spoke to Jon France, the new chief information security officer for cyber training and certification organization (ISC)², which just this week released results of an online poll of 269 cybersecurity practitioners examining the Log4j vulnerability and the human impact of efforts to remediate it. As noted in a blog from (ISC)² about the poll results, there haven’t been any major breaches attributed to Log4j to date. But as a result of the reallocation of resources and the sudden shift in focus that was required, security teams reported that many organizations were less secure during remediation (27%) and fell behind on 2022 security priorities (23%).
One respondent commented on the stress the vulnerability put on them and their team, stating, “Overall, the biggest impact from the Log4j attack was the multiple vulnerabilities released. Log4j was the primary focus, but it seemed that every week a new iteration would come out causing us to reevaluate.”
And in many cases, the threat remains. As one respondent noted: “This is one that will ripple on for some time due to the fact that it is hard to identify software with the vulnerability.”
With many organizations still reeling, do current threats out of Moscow leave them more vulnerable? France offered his perspective.
We’re seeing a lot of alerts out of government and the threat intelligence community about potential targeting by Russia. Log4j is a perfect example of a vulnerability that could be taken advantage of in these kinds of circumstances. Does this heighten the risk?
So, I'll use the crime analogy — there are three things that need to be present for a crime to be committed. One is the ability, one is the motivation and then the opportunity. So we look at that triangle in the cyberattack space and Log4j may give people the opportunity. It's a weakness that could be exploited. But we have to look for a motivated attacker to actually choose to operate that ability.
What defines motivated?
Profile where you are in the geo-landscape. Are you an obvious target? Are you not a target? And then build your response and you're scanning metrics to that. Humans are really good at doing that. Where does my business sit? How is it vulnerable? What's the threat landscape that I face? What's the propensity of people to want to attack me? And then how do I defend against that? And then you can set your defense strategy or mitigation strategy accordingly and match the skills to those.
A straight technology answer just won't work. It has to be a business risk and a threat landscape [analysis], as well. Remember, Log4j exploits have been relatively low, either because the vulnerability wasn't as reported or it wasn't exploited by sophisticated threat actors.
But the Log4j persists in some pockets — sometimes without organizations even recognizing that they’re exposed. Does that mean a sweeter opportunity amid current tensions?
If we just look at the 80-20 rule — [with 80% of exposures patched and 20% remaining] — we’ve probably closed off many of the major routes very, very quickly. Minor ones persist. It’s the long-tail problem that we have dealing with legacy security issues.
And I don't mean to be an alarmist, but combine that with a precarious situation that is unfolding between Russia and the Ukraine and the West.
Look, the opportunity to exploit may be there in the long tail, and the propensity to exploit may be driven by some of the geotensions we’re seeing, but geotension isn't new; even the current situation with Ukraine and Russia — they have had a point of conflict over Crimea for a long time.
Yes. And that also resulted in cyber incidents for that matter.
Exactly. And even if we look to trade tensions between the U.S. and China — chip shortages, manufacturing — they've been bubbling for a long time. So whilst we have what I’m going to call points of view that we could latch on to, this kind of the cyber landscape has been relatively tense for quite a while.
So yes, we have a little bit added on top. But don’t expect a sea change because of what's going on.