Security leaders want legal action for failing to patch for Log4j

The recently identified vulnerability in the Log4j Java logging package has created headaches for security professionals around the world. 61% of organizations responding to the latest Neustar International Security Council (NISC) survey, conducted in January 2022, said they had fielded attacks targeting this vulnerability. An even greater share (75%) reported having been impacted by Log4j, with one in five (21%) stating that impact had been significant.

Log4j vulnerability reduced security professionals’ trust in open-source tools

The most commonly experienced impact of Log4j was the need for IT and security teams to work over the holidays to assess risk and make critical changes to protect infrastructure and data (52%), followed by a reevaluation of software supply chain security practices (45%) and software purchasing decisions (44%). A significant share of respondents had also moved to reevaluate existing vendor relationships (35%) or said the vulnerability reduced their trust in open-source tools (34%).

87% of respondents said that given the level of cyber risk posed by Log4j, government regulatory agencies (such as the U.S. Federal Trade Commission) should take legal action against organizations that fail to patch the flaw. In the words of one security professional, these organizations “may fail to secure and protect important customer data.” Another agreed: “It puts everyone at risk. We should have control over where our clients’ data ends up.” Another responded that companies large enough to address the problem should do so, and the federal government should enforce this mitigation, because “if they don’t, who will?”

“News of the Log4j threat sent security and applications teams around the globe into a frenzy of activity – taking inventory of their internet-facing systems, checking for Log4j, checking revision levels, and putting into effect emergency patching – and while many organizations took the appropriate proactive step of reaching out to business partners and vendors to assess the potential exposure, the timing made efforts to remediate that much more of a challenge,” said Carlos Morales, SVP of solutions at Neustar Security Services.

Virtual patching to handle zero-day threats

For companies that have deployed Web Application Firewall (WAF) technology or contract WAF functions from their cloud security providers, there may be a simple solution for handling zero-day threats like Log4j: virtual patching.

“Virtual patching can trick any potential attackers into thinking that your applications are not vulnerable to a threat,” added Morales. “WAF solutions are deployed in-line with web application traffic and act as reverse proxies between the clients of the application and the origin servers. The WAF terminates the connection with the client, ensures that the client is not performing any malicious actions, and then creates a separate connection to the server, bridging data between the two. Since it is terminating the client traffic, the WAF can act on behalf of the origin server and cover up for any vulnerabilities that exist on the server. Virtual patching is one of the ways that this is done.”

In addition to Log4j, the surveyed security professionals were asked about their other top concerns during the reporting period of November and December 2021. Distributed denial-of-service (DDoS) was ranked as the greatest concern by 21% of respondents, followed by ransomware and system compromise (both 18%).

Ransomware, DDoS attacks and targeted hacking were the threats most likely to be perceived as increasing during the reporting period. The threats organizations focused their ability to respond to most during this period were vendor or customer impersonation, targeted hacking, and ransomware.

Delving into more detail on the survey participants’ top concern — DDoS attacks — revealed that 84% of enterprises had been on the receiving end of a DDoS attack at some point. 57% of responding organizations reported outsourcing their DDoS mitigation, and 60% said it typically took between 60 seconds and 5 minutes to initiate mitigation.