One would think that over the holidays, the hacking community might take a break! On the contrary, they are capitalizing on the opportunity to exploit a new vulnerability found in an open-source logging utility widely used by enterprise applications and cloud services. Many counties have already started addressing this exposure, but in case you have not heard about it, here are six key points along with remediation guidance on addressing the situation for you to share with your IT departments or support.
- A major vulnerability was found in Log4j, a logging framework that lets developers monitor or “log” digital events on a server; teams then review those logs for normal operation or abnormal behavior.
- It is said to be one of the most severe security risks on the internet to date. Some have said it is a simple yet extremely potent vulnerability.
- This vulnerability has put millions of devices at risk and can allow attackers to gain uncontrolled access to computer systems.
- This vulnerability can be present in software developed by a provider or developed in-house by your county staff.
- Reports suggest that the vulnerability has impacted a wide range of products from Apple, Twitter, Minecraft, Amazon and many other platforms.
- Per the Cybersecurity and Infrastructure Security Agency (DHS-CISA), priority should be given to identifying the county systems and cloud applications a county is using that may be vulnerable, and remediation steps should then be taken immediately. (Note: The federal government
The Cybersecurity and Infrastructure Security Agency (DHS-CISA) has been hosting various calls as well as providing online guidance to help identify and remediate this exposure. CISA has compiled a great set of resources to assist (see the Apache Log4j Vulnerability Guidance page on the CISA website). Further, the Multi-State Information Sharing and Analysis Center (MS-ISAC) has developed a guiding playbook located at https://www.cisecurity.org/log4j-zero-day-vulnerability-response/. The playbook starts with having county IT answer the question “Is my county application impacted by this vulnerability?” The playbook then contains additional steps that will help you answer that question and respond appropriately. If you determine that your county is impacted, then it is imperative that vendor patches are applied immediately, followed by testing. In some cases that may involve reaching out to a third-party provider who controls or owns the application or platform you are using. The playbook contains a very helpful flowchart (see below).
In closing, you will want to make sure that your end-user security is in place and working properly. This includes having monitoring tools in place that will alert your IT staff to suspicious or unusual activity.
For more information and guidance, here is a summary of valuable resources:
- Overall alert: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
- Full playbook and appendices: https://www.cisecurity.org/log4j-zero-day-vulnerability-response/
- List of impacted third-party vendors: https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
- Active discussions on the NACo Tech Xchange. If your county IT is not already a member, here is the link to join that discussion.
For additional information or assistance, you can reach out to Rita Reynolds, NACo CIO at firstname.lastname@example.org.