The Log4j Security Flaw Could Impact The Whole Internet Heres What You Need To Know

From Chess Moves
Jump to: navigation, search

TrustedSec CEO David Kennedy stated that while it could take years to fix this, attackers will be looking... every day [to exploit it]." "This is a ticking time bomb for businesses."



Here are some tips you need to be aware of:



What is Log4j and why does it matter?



Log4j is one of the most popular logging libraries used online, according to cybersecurity experts. Log4j allows software developers to keep a log of their activities that can be used to troubleshoot and auditing as well as data tracking. The library is free and open-source, so it can be used across all areas of the internet. LET IT SING



"It's ubiquitous. Even if you don't use Log4j as developer, you may still be running vulnerable code because one open source program that you use relies on Log4j," Chris Eng of cybersecurity firm Veracode said to CNN Business. "This is the nature of software: It's turtles all down."



The software is used by corporations like Apple, IBM and Oracle, Cisco, Google, Amazon and Cisco. It could be used in popular websites and apps, and hundreds of millions of devices that access these services could be vulnerable to the vulnerabilities.



Are hackers exploiting it?



Attackers seem to have had more than a week's begin to exploit the flaw in software before it was publicly disclosed by cybersecurity firm Cloudflare. With an increasing number of hacking attempts happening every day, some are worried the worst is to yet come.



"Sophisticated threat actors will come up with how to effectively exploit the vulnerability to gain the biggest gain," Mark Ostrowski, Check Point's director of engineering told reporters on Tuesday.



Microsoft released a statement late Tuesday saying that state-backed hackers, including those from China, Iran and North Korea, attempted to exploit the Log4j flaw.



What is the reason this security flaw is so critical?



Experts are particularly worried about the vulnerability due to the fact that hackers could gain access to a company’s computer server, granting them access to other parts of an organization's network. It's also difficult to identify the vulnerability or determine if a system has already been compromised according to Kennedy.



A second vulnerability was discovered in Log4j's software on Tuesday night. Apache Software Foundation, a non-profit organization that developed Log4j and other open software, has released an update to security for organizations to use.



What are the strategies used by companies to address this problem?



This week, Minecraft published a blog post announcing a vulnerability was discovered in a version its game -- and quickly released the fix. Other companies have also taken similar steps.



US warns hundreds of millions of devices that are at risk from newly revealed software vulnerability



Customers have received advisories from IBM, Oracle, AWS, Cloudflare, and AWS. Certain companies release security updates, while others detail their plans for future patches.



"This is a serious bug that you can't click the button to fix it as a traditional major vulnerability." Kennedy said it will require a lot of effort and time.



For transparency and to help cut down on misinformation, CISA said it would create a website for the public with updates on what software products were affected by the flaw and the ways hackers exploited them.



What can you do for your safety?



Companies are under a lot of pressure to take action. For now, users should make sure to update devices, software and applications when companies issue prompts in the coming days and weeks.



What's next?



The US government has issued a caution to impacted companies to be on alert over the holidays for ransomware and cyberattacks.



There is concern that an increasing number of malicious actors will make use of the vulnerability in new ways. While large technology companies may have the security teams in place to handle these threats, many other organizations do not.



"What I'm most concerned about are the schools hospitals, the areas where there is one IT professional who handles security but does not have the security budget or tools" Katie Nickels, Director Intelligence at cybersecurity company Red Canary. "Those are the companies I'm most concerned about -- small organizations with small budgets for security."

Retrieved from "https://chessdatabase.science/index.php?title=The_Log4j_Security_Flaw_Could_Impact_The_Whole_Internet_Heres_What_You_Need_To_Know&oldid=2574620"