With great data, comes great responsibility

11 October 2022


If you are not gathering, analyzing, and using data whenever and wherever you can, you are losing out. That seems to be the order of the day in most markets and industries right now. As a result, all kinds of companies, both big and small, have more and more data stored within their systems. While all this data comes with infinite possibilities, there are also a lot of threats that go along with it, especially if software is not regularly updated or companies don’t stay up to date with the latest cybersecurity news.

Because most companies do not develop (all) their own software, it is likely that these companies use software packages that are created outside of the company. This saves the company a lot of time and money because the software can be bought and, besides some minor configuration, is often ready to use off the shelf. The wide array of software available to companies comes with major benefits, like having a lot of options when looking for the perfect solution to your problem. However, using off-the-shelf software and integrating it with the company’s networks, servers, and other software packages also involves a lot of risk.

In December 2021 this risk was once again brought to light when a security vulnerability with a CVSS rating of 10 was found in the log4j library for the Java programming language (Apache, 2022). Log4j is a popular open-source logging tool and is very widely used. The vulnerability allowed hackers to run any code they wanted on the target’s system and take full control of the server, with an exploit that was quite easy to execute (NCSC, 2021; Wortley et al., 2021). To make things worse, the open-source nature of the log4j library made it easy for people to gain an understanding of the vulnerability, which increased the chances of a possible attack even further. These factors, combined with the wide adoption of log4j, made for a very high threat within a lot of different companies all over the world. While fixes for the vulnerability were made available very quickly, these fixes only take effect once a company updates its software to the latest version. It is therefore of utmost importance for any company to stay aware of the latest news when it comes to cyber security, because otherwise they might become vulnerable to attacks, compromising not only their own business, but also their customers’ data.

References

Apache. (2022). Apache Log4j Security Vulnerabilities. Accessed 10 October 2022 from https://logging.apache.org/log4j/2.x/security.html

National Cyber Security Center. (2021). Log4j vulnerability – what everyone needs to know. Accessed 10 October 2021 from https://www.lunasec.io/docs/blog/log4j-zero-day/

Wortley, F., Thompson, C. & Allison, F. (2021). Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package. Accessed 10 October 2022 from https://www.lunasec.io/docs/blog/log4j-zero-day/


2 thoughts on “With great data, comes great responsibility”

  1. Thanks for this important insight into data security Daniel! With the growing amount of data collected, the responsibility of securing it grows. A topic we often forget. Many say the online cyber war between foreign countries is having a greater impact than any war that ever took place. Thanks again, well written and keep up the good work!

  2. I am not really into Java, so I had never heard about this security attack, and actually it was really interesting. It allows you to understand that nobody is immune, even when it comes to big companies that basically have their foundation on data. Moreover, the domino effect that could potentially be created in the event that a company updates a library is terrifying because you do not know how much time it would take the company to realize that and, of course, you cannot measure the consequences.

    Thanks for sharing!
