The Log4j Security Flaw Could Impact The Entire Internet Heres What You Should Be Aware Of

From Open Source Bridge
Jump to: navigation, search

TrustedSec CEO David Kennedy stated that while it will take years to fix thisissue, hackers will be on the lookout... every day [to exploit it]." "This is an imminent threat to businesses."



Here are some of the things you should know:



What is Log4j and why does it matter?



According to security experts, Log4j is among the most widely used online logging libraries. Log4j offers software developers the possibility of creating an account of their activities to be used for a variety of reasons for troubleshooting, auditing , and data tracking. Because it is both open-source and free, the library essentially touches every part of the internet.



"It's ubiquitous. Even if you don't use Log4j as an author, you could still be running vulnerable code since one open source library that you use relies on Log4j," Chris Eng of cybersecurity firm Veracode told CNN Business. This is the way software works it's all turtles.



Companies such as Apple, IBM, Oracle, Cisco, Google and Amazon all use the software. It is possible to be found on popular websites and apps, and a lot more devices across the globe could be vulnerable to it.



Are hackers exploiting it?



Attackers seem to have had more than a week's begin to exploit the flaw in the software before it was revealed publicly according to cybersecurity firm Cloudflare. With an increasing number of hacking attempts happening every day, some are worried that the worst could yet come.



"Sophisticated threat actors will find how to effectively exploit the vulnerability to gain the greatest benefit," Mark Ostrowski, Check Point's head of engineering on Tuesday, said.



Microsoft announced late on Tuesday that state-backed hackers, such as those from China, Iran and North Korea tried to exploit the Log4j flaw.



Why is this security flaw so dangerous?



Experts are particularly concerned about the vulnerability because hackers could gain easy access to a company’s computer server, giving them access to other parts of an organization's network. It's also very hard to identify the vulnerability or see whether a system has been compromised according to Kennedy.



In addition, a third vulnerability in Log4j's software was discovered late on Tuesday. Apache Software Foundation, a non-profit organization that developed Log4j and other open software, has released a security fix for organizations to apply.



What are the companies doing to address the problem?



This week, Minecraft published a blog post announcing a vulnerability was discovered in a particular version of its game. It quickly released a fix. Other companies have also taken similar steps.



US warns that hundreds of millions of devices are at risk of being affected by an uncovered software vulnerability



Customers have received advisory letters from IBM, Oracle, AWS, Cloudflare, and AWS. MINECRAFT Certain companies issue security updates, whereas others detail their plans for future patches.



"This is a major bug, but you cannot hit a button to fix it as a traditional major vulnerability." Kennedy stated that it will require a lot of effort and time.



To ensure transparency and reduce misinformation, CISA said it would set up a public website with updates on what software products were affected by the vulnerability and the ways hackers exploited them.



What can you do to protect yourself?



Companies are under great pressure to take action. For now, users should make sure to update devices, software and applications when companies give prompts in the coming days and weeks.



What's next?



The US government has issued a caution to impacted companies to be on guard during the holiday season for cyberattacks and ransomware.



There is concern that a growing number of malicious actors are making use of the vulnerability in novel ways. While large technology companies may have security teams in place to handle the threat, many other organizations do not.



"What I'm most worried about are the school districts, the hospitals those places where there's just one IT person working on security but doesn't have the time or the budget or tooling," said Katie Nickels Director of Intelligence at cybersecurity company Red Canary. "Those are the companies that I am most concerned about - small organizations with low budgets for security."