The Department of Homeland Security's (DHS) Cyber Safety Review Board (CSRB) has released its first report, providing detailed information on the Log4j vulnerability.
The CSRB was established in February of this year as part of the United States government's effort to bolster cybersecurity as a whole. The Board was created to "review and assess significant cybersecurity events" so that both the public and private sector can improve their security posture. After the SolarWinds incident and Log4j, it became clear that something like the CSRB was needed.
At the time of its creation, its first goal was to review Log4j and provide useful information to the masses, which is exactly what it has done. DHS Secretary Alejandro N. Mayorkas discussed the CSRB and its report:
"At this critical juncture in our nation's cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways.
The CSRB's first-of-its-kind review has provided us—government and industry alike—with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security."
So, what did the CSRB have to say about Log4j? Let's just say that it doesn't look like it'll be disappearing anytime soon.
Cyber Safety Review Board looks into Log4j
The report starts by reminding everyone what Log4j is and why it is such a big deal, which if you're not familiar with, you should read the report's executive summary (or maybe open your email for the first time this year).
It is interesting that it notes, unlike traditional studies of cyber incidents, it had "no stress tests to perform on failed equipment, and no wiring diagrams to review," and that it had to rely on subject matter experts in open source software.
It also discusses that Log4j is far from over. Since it is deeply embedded in our systems, everyone must remain vigilant against the risks associated with this vulnerability.
The report provides 19 recommendations for organizations regarding Log4j, which are broken up into four categories:
Address Continued Risks of Log4j: continued vigilance in addressing Log4j vulnerabilities for the long term.
1. Organizations should be prepared to address Log4j vulnerabilities for years to come.
2. Organizations should continue to report (and escalate) observations of Log4j exploitation.
3. CISA should expand its capability to develop, coordinate, and publish authoritative cyber risk information.
4. Federal and state regulators should drive implementation of CISA guidance through their own regulatory authorities.
Drive Existing Best Practices for Security Hygiene: adopt industry-accepted practices and standards for vulnerability management and security hygiene.
5. Organizations should invest in capabilities to identify vulnerable systems.
6. Develop the capacity to maintain an accurate IT asset and application inventory.
7. Organizations should have a documented vulnerability response program.
8. Organizations should have a documented vulnerability disclosure and handling process.
9. Software developers and maintainers should implement secure software practices.
Build a Better Software Ecosystem: drive a transformation in the software ecosystem to move to a proactive model of vulnerability management.
10. Open source software developers should participate in community-based security initiatives.
11. Invest in training software developers in secure software development.
12. Improve Software Bill of Materials (SBOM) tooling and adoptability.
13. Increase investments in open source software security.
14. Pilot open source software maintenance support for critical services.
Investments in the Future: pursue cultural and technological shifts necessary to solve for the nation's digital security for the long run.
15. Explore a baseline requirement for software transparency for federal government vendors.
16. Examine the efficacy of a Cyber Safety Reporting System (CSRS).
17. Explore the feasibility of establishing a Software Security Risk Assessment Center of Excellence (SSRACE).
18. Study the incentive structures required to build secure software.
19. Establish a government-coordinated working group to improve identification of software with known vulnerabilities.
For more information on the CSRB's report and Log4j, check out the full report here.
Expert commentary on CSRB and Log4j
With the highly anticipated release of the CSRB's first report and all the information it followed through with, it's no surprise that everyone in cybersecurity is discussing its findings.
So what are they experts saying?
For the most part, everyone seems pretty pleased with how in-depth the report went. Providing 19 recommendations for organizations to implement is a great start.
Tim Mackey, Principal Security Strategist at Synopsys, shared his thoughts:
"Rarely do we get a comprehensive review of the impact and root causes of a cyber incident so quickly after the incident occurred, but that is precisely what we have from the CSRB in their report on Log4Shell and log4j."
Casey Ellis, Founder and CTO of Bugcrowd, echoed a similar sentiment and even discussed the potential impact in China:
"This is an incredibly dense report, but one that I hope a lot of folks—both inside and external to government—read and digest. The vulnerabilities in Log4j prompted 'one of the most intensive cybersecurity community responses in history' and there are a great many lessons to be learned from it, and hopefully applied back into software and F/OSS vulnerability management.
Of particular interest is some of the comments in the executive summary about the PRCs potential actions against Alibaba for violating then-recent vulnerability disclosure laws, and the potential for this to have a chilling effect on security research in good-faith out of mainland China. Given the progress on deconflicting anti-hacking laws like the CFAA and the CMA in the West, seeing the PRC seemingly take steps in the opposite direction is a vulnerability international relations shift that will be worth keeping an eye on."
Expect more reports like this from the CSRB as threats continue to evolve and the organization grows.
