US Cyber Safety Review Board warns that Log4j will remain ‘endemic’

Jul 14, 2022 | Technology


Yesterday, the US government’s Cyber Safety Review Board (CSRB) released a report concluding that the Log4j flaw will remain an “endemic vulnerability” for the foreseeable future.

The CSRB was established in February 2022 under President Biden’s Executive Order 14028. It is responsible for reviewing significant cybersecurity events and for developing insights into how government institutions and private enterprises can protect themselves from threat actors.

“The Cyber Safety Review Board has established itself as a new, innovative, and enduring institution in the cybersecurity ecosystem,” said CSRB chair and DHS under secretary for policy, Robert Silvers. 

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity.” 

For enterprises, the renewed focus on Log4j underlines the importance of a more proactive approach to scanning for and patching vulnerable systems.

A quick rundown of the history of Log4j 

The CSRB’s report comes just weeks after the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning notifying organizations that threat actors were exploiting Log4j in VMware Horizon and Unified Access Gateway (UAG) solutions.

Enterprises have been in a state of panic ever since November 24, 2021, when Alibaba’s cloud security team reported the Log4Shell vulnerability to Apache after noticing that attackers were using it to deploy malicious code to servers running Minecraft.

With more than 3 billion devices running Java, security teams were under intense pressure to update systems that include Log4j before attackers could exploit them.

Why won’t Log4j go …
