Another dubious anniversary has arrived. In December 2021, the world became aware of the Log4j vulnerability, aka Log4Shell, an exposure in a simple, ubiquitous Java logging utility that has been called one of the most serious cybersecurity problems in history.
One year later, Log4Shell has still been causing trouble and will do so for some time. The latest proof came on November 16, when the Cybersecurity and Infrastructure Security Agency and the FBI jointly announced that Iranian attackers exploited the vulnerability in an unpatched server to breach the network at a federal civilian executive branch agency.
The U.S. Cyber Safety Review Board called Log4Shell an “endemic vulnerability” that will remain in systems for a decade or longer. The continuing threat from Log4Shell shines a harsh light on a number of broader uncomfortable truths about the cybersecurity landscape and reinforces the urgent need for a better response.
Some sobering trends:
- Security vulnerabilities discovered continue to set records. Through December 5, this year’s total of 23,468 had already eclipsed the 20,061 recorded in 2021, according to the National Institute of Standards and Technology’s National Vulnerability Database. Of note, the 2021 count was itself the highest ever recorded.
- Cyberattacks are on the rise. In a recently released survey of more than 1,600 security and IT leaders from 10 countries, conducted by Wakefield Research for Rubrik Zero Labs, nearly every respondent experienced a cyberattack over the past year and, on average, faced nearly one attack per week. Ninety-two percent said they are concerned they will be unable to maintain business continuity after a breach, and 96% reported feeling significant emotional or psychological consequences afterward. Put simply, intrusions are affecting our people and our organizations, and are reaching the senior leadership level on roughly a weekly basis; this cumulative effect has undercut our ability and confidence in maintaining operations.
- Security teams can barely keep up with all the attacks. Though previously unknown zero-day attacks like Log4Shell make the biggest headlines, only about a third of survey respondents encountered such an exploit in the last year, meaning that two-thirds of security events leveraged previously known vulnerabilities. Yet 11% of the leaders said they had not adequately addressed vulnerabilities from prior cyber events.
Put another way, organizations are dealing with a compounded, double-barreled danger: the new vulnerabilities that appear every year and those from previous years that remain in play and may not have been adequately addressed. The reasons for the increase in volume and impact are likely multi-fold.
One, the surface area for threat vectors expands as data volumes explode. IDC projected that what the analyst firm calls the “global datasphere” will more than double in size from 2022 to 2026, closing in on 200 billion zettabytes. More data means more opportunity to attack the software that stores and manages that data.
Two, the well-documented cybersecurity talent shortage (the gap now stands at 3.4 million workers worldwide) was cited in the Rubrik Zero Labs survey as organizations’ No. 1 challenge in protecting themselves. Resource shortages, which are especially pronounced at smaller organizations, can mean a long delay between the time a vulnerability is identified and the time it is ultimately closed. That likely played a role in the Log4Shell response and will continue to do so year over year.
Finally, as long as there’s big money to be made, this crime will continue. That’s why it’s more important than ever for companies to invest in the technology and processes that can better safeguard their enterprises.
Though these realities paint a grim picture, there are still at least five reasons for optimism:
- The industry now recognizes a problem exists. Addressing a problem as complex as cybersecurity vulnerabilities first requires recognition that the problem exists. Remember, it wasn’t long ago that security breaches were a taboo topic seldom discussed outside the tech industry and victimized organizations were reluctant to disclose and detail. The rash of public intrusions in recent years, as dramatic as it has been, made cybersecurity a board-level issue for many companies and opened up a healthy dialogue on the issue. This dialogue almost undoubtedly will lead to positive outcomes. And consumers can now judge organizations based on how they choose to respond to these intrusions.
- Security laws and regulations are in place. Until recently, governments rarely promulgated laws and regulations to help. Now, we have measures like the Securing Open Source Software Act of 2022, which aims to bolster the security of open-source tools such as Log4j, and the Strengthening American Security Act that President Biden signed into law in March of this year. The magnitude of the current cyber threat landscape requires a full-on government response to improve outcomes.
- Cybersecurity education has improved. Many major universities, including Stanford, MIT, and the University of California, Berkeley, now offer degree programs in cybersecurity. Similar efforts are under way across the tech and cybersecurity industries. We will have more highly qualified workers in the security industry than ever before. Additionally, they get to learn from the intrusions and vulnerabilities: today’s news events become tomorrow’s case studies and legal precedents.
- Public-private partnerships have formed. Companies and government agencies are partnering to share information about vulnerabilities as well as intrusions. Technical details and larger strategic lessons learned are moving across organizations to the benefit of all. This occurs at various levels and across different teams, all increasing their volume and velocity to respond and remediate these issues sooner and better.
- Vendors are building new technology with security in mind. While this does not apply to all technologies, nor will it future-proof the environments, it’s a sea change from decades of development habits. It will take years for these changes to show results, but let’s not forget that the decisions that created Log4Shell were made years ago.
These are all steps in the right direction that the security industry desperately needs. They offer hope that when we reach the second or third or fourth anniversary of Log4Shell, the world will have much stronger and more resilient cyber defenses.
Steven Stone, head, Rubrik Zero Labs