Monday, May 23, 2022

What you need to know – Bestgamingpro

It seems that very soon hackers will be exploiting a significant problem in Log4j, a widely used open source logging library from Apache. Security experts are working flat out to patch their systems to avert a disaster. It’s a really awful day and things can get worse quickly.

But at least in some respects, companies are better positioned today than in the past to avoid disaster. This being the year of our Lord 2021, there are certain advantages when it comes to dealing with a bug of this magnitude, security officers and experts say. “The world is ready to respond and companies are rushing to resolve concerns in hours,” said Brian Fox, CTO of the company, in an email. “This particular problem is potentially more dangerous because Log4j is widespread. [But] the Apache Log4j team has urgently released a fix. How fast they were moving greatly reduced the likelihood of serious negative, long-term effects.”

A proactive approach

While the severity of the problem cannot be underestimated, Dr. Klein said that although an exploit would likely occur within 48 hours, the response to its discovery shows that “we are getting better and better at being proactive.”

“In the past, you literally had zero days that were two years long,” said Klein. “Today that has really changed. What we see is a better situation where the world finds bug bounties useful, finds vulnerabilities, creates proofs of concept … I would argue that this is a great example of this [security in] 2021.”

“However, the Apache Log4j team worked in almost unprecedented ways overnight to understand and fix the problem,” added Fox. “This seems to have happened within days.”

With cybersecurity concerns growing, companies are demanding more leadership in the boardroom, which is having an impact.

“Cybersecurity has now gotten to the point where the boardroom does it for me. Even if they don’t fully understand it, they turn to someone in the technical management team and say, ‘I have to understand this better.’” “What is really happening is that the world is waking up.”

Technological factors

In addition, the use of automated technologies for scanning open source code, such as Software Composition Analysis (SCA), has increased in recent years. So has the use of detection and response capabilities, which can be critical in detecting threats in a scenario like this.

While Log4j is still used a lot in the wild, it appears to be used less than it once was. “The Java logging market is more diverse today than ever,” said Arshan Dabirsiaghi of Contrast Security. “We only used Log4j for a long time. It’s not even the standard library in some large frameworks anymore.”

Regardless of the outcome, “we will see that void in all of our IT footprints for the rest of our careers,” added Dabirsiaghi. “But five years ago it would have been a lot worse.”

Long tail weak point

None of this is intended to downplay how serious the problem is for security teams, or how much worse things can get if the bug is exploited. This remote code execution (RCE) vulnerability gives an attacker the ability to remotely access and control devices.

“This vulnerability can be hidden anywhere on an organization’s network, especially those with large environments and systems, as it is part of dozens, if not hundreds, of software packages,” Karl Sigler, senior security research manager at SpiderLabs, added in an email.

“The fact that this happened in December just means that security teams that need to respond to threats to exploit this mass vulnerability are missing a lot of vacation time,” Sigler said. “This vulnerability is going to have a really long tail and is likely to ruin weekends and vacations for many IT and information security professionals around the world.”

Based on the number of devices hit and the exploitability of the bug, “it is very likely that both cybercriminals and nation-state actors will attract significant attention,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

Update and keep track

According to security firms, the Log4j bug affects versions 2.0 and 2.14.1 of Apache Log4j. Morgan recommends that organizations upgrade to version 2.15.0 and pay more attention to the protocols associated with vulnerable programs.

According to LunaSec, various services such as Apple iCloud and Steam, as well as software such as Minecraft, have been found to be vulnerable.

After all, according to Tenable’s Amit Yoran, “the good news is that we are aware of this.”

“The fact that it came to light means we’re in a race to find and fix it before bad actors take full advantage of it,” Yoran said.
