Episode 22: CIS Behind the Veil: Log4j

In early December, the cybersecurity world was introduced to a new foe when researchers discovered a vulnerability in the code of a software library called Log4j.

The library is built on Java, the popular coding language used in other software and applications around the world. Because of its ubiquity, the vulnerability was estimated to be present in over 100 million instances – and was rated a "10 out of 10" on the Common Vulnerability Scoring System (CVSS) due to its potential impact if exploited by bad actors.

In the latest episode of Cybersecurity Where You Are, CIS CISO, Sean Atkinson, and CIS Chief Evangelist, Tony Sager, were joined by two colleagues who walked them through the steps CIS took to address the Log4j vulnerability.



Executing on our Mission

Randy Rose, Senior Director of Cyber Threat Intelligence, noted that CIS supports thousands of organizations with varying degrees of sophistication in their hands-on technical and security expertise. As an organization whose mission is all about safeguarding organizations against the latest cyber threats, it was vital that we explain Log4j clearly, while also providing access to tools and resources to help them address the issue.

Rose explained how his team quickly swung into action, creating a Log4j resources webpage – complete with a comprehensive list of external resources and an easy-to-understand response playbook. The page is updated regularly as new information surfaces.

Supporting CIS Products

Several CIS products were, themselves, impacted by the Log4j vulnerability. "We knew it was going to be big," said Lou Garwood, CIS Director of Engineering in our Security Best Practices team. "We knew it was going to impact our customers."

He explained that it was important to communicate to Members which products were affected, the steps CIS was taking to mitigate the potential vulnerability, and what they could do in the meantime. Behind the scenes, his team worked with our product owners and technical teams to develop patches for the affected products. A plan was also put into place to let customers know how they could upgrade to the new versions.

The Importance of Essential Cyber Hygiene

Cybersecurity is a constantly evolving world, and the Log4j vulnerability proved once again that bad actors are always looking for opportunities to exploit weaknesses. We addressed this in a previous podcast – our special Halloween episode about the top five scariest malware threats. In that episode, our hosts talked about how cyber-attackers understand that there is often a delay in patching vulnerabilities.

That makes a zero-day incident like Log4j potentially more impactful, and only serves to emphasize the need for organizations to practice 'essential cyber hygiene.' That's a set of steps that help any enterprise deal with the most common types of cyber-attacks, and it's codified in the CIS Safeguards found in Implementation Group 1 (IG1) of the CIS Critical Security Controls.