It’s going to take years, maybe even a decade, to completely eradicate the threat posed by the Log4j (opens in new tab) vulnerability, security experts have warned.
The US Government Cyber Safety Review Board has analyzed what caused the Log4j flaw, and tried to come up with solutions, lessons, and other key takeaways for affected businesses.
Part of Homeland Security, the 15-strong independent body was set up by US President Joe Biden in 2021 to try and upgrade the nation’s cybersecurity standards, and has been investigating Log4j over the past five months.
Lingering risk
Among the findings of its investigation is a warning that unpatched endpoints (opens in new tab) will linger for years, if not a decade, and with them, the threat of exploits.
“This event is not over. The risk remains. Network defenders have to stay vigilant,” Rob Silvers, the undersecretary for policy at DHS, and the panel’s chair, told reporters on Wednesday during a conference call, The Record reported.
According to Silvers, some 80 businesses were interviewed for the report, as well as industry, foreign government, and security experts. The Chinese government was also involved, due to the fact that it was Alibaba’s engineers that first discovered it.
As usual, the Chinese were immediately accused of trying to take advantage of their findings, but the report says there was no evidence to support such claims.
In conclusion, the report gave out almost two dozen of recommendations, which should help organizations stay safe from the risk posed by the Log4j vulnerability. The board also argues that businesses should up the ante in terms of cybersecurity solutions and defenses such as firewalls (opens in new tab) and zero-trust.
The Log4j utility has been at the center of a media storm at the end of last year, after the discovery of a major flaw that placed millions of endpoints at risk of data theft.
At the time of its discovery, Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency (CISA) described it as “one of the most serious” flaws she’s seen in her entire career, “if not the most serious”.
