Author: Jon Hunt, Cyber security service delivery manager
The National Cyber Security Centre (NCSC) describes the seriousness of the recently identified Log4j vulnerability very succinctly:
“Last week, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.”
“Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.”
The severity of this vulnerability, together with the very wide range of applications and services it affects, highlights the importance and challenges of managing security not only within your own IT estate but across your supply chains as well.
Supply chain security was also at the heart of the recent attacks on the SolarWinds Orion IT system management platform and the Kasaya Virtual System Administrator (VSA) remote management and monitoring tool. The current Log4j vulnerability throws this key aspect of security management into even sharper relief.
Improving security across complex supply chains is very easy to recommend but very difficult to implement in practice, certainly in the short term.
However, this should not stop organisations from undertaking the following steps in relation to Log4j as a matter of urgency:
- Ask your suppliers if any of their products and services are affected.
- If yes, act promptly on any communications.
- Consider taking any services that may be at risk of attack offline until you are assured they are secure.
- The inconvenience caused by doing so is likely much less significant than the impact of a successful attack.
Managing supply chain security is a long-term challenge. Organisations are unlikely to address all their wider supply chain issues in relation to the current Log4j vulnerability. However, they should maintain focus on this important area even after their immediate issues and concerns regarding Log4j have been addressed. The NCSC provides detailed advice to assist organisations in doing so and has also published advice for board members on the actions they should take.
Adopting a proactive approach to supply chain security will improve organisational readiness and capability to respond when (not if) the next vulnerability of this scale is identified.
Jisc is continuing to monitor developments in relation to this vulnerability and further information is available here. Members are also encouraged to join Jisc’s Cyber security community group.