Editorial Archives - CISO MAG | Cyber Security Magazine
https://cisomag.com/category/news/editorial/

6 Things CISOs Must Do to Mitigate Risks from Log4j
https://cisomag.com/mitigate-risks-from-log4j/ (Sat, 18 Dec 2021)
Log4j has been tagged by security vendor Tenable as the “single biggest, most critical vulnerability of the last decade.” MITRE rated the vulnerability as critical and assigned a CVSS score of 10/10. News about the Log4j zero-day vulnerability (CVE-2021-44228, CVE-2021-45046) has been trending since early December. This remote code execution (RCE) vulnerability allows attackers to execute arbitrary code and take full control of vulnerable devices. Here are six things resilient CIOs and CISOs can do to mitigate risks from Log4j.

  1. Do a complete audit and assessment

The Log4j vulnerability is widespread and impacts enterprise Java-based applications such as Cisco WebEx as well as custom, in-house developed applications. It is imperative for CISOs and security leaders to do a complete assessment of their assets to gauge the impact of this vulnerability and identify which systems are affected. This audit should extend to home users and endpoint devices (including home routers) used on the enterprise network. Don’t forget to audit third-party applications from vendors and cloud-based services too. Special attention and priority should be given to systems that store sensitive information such as customer data, transactional and operational data, and intellectual property.

  2. Understand your risk exposure

In what ways have your systems been compromised? What did the hackers do? Did they change passwords? Did they drop a malware payload? Did they change configuration settings? Did they introduce another backdoor? You need to check your entire network and examine every copy of Log4j. After completing this audit, apply remedial steps (patches, mitigation strategies) to minimize risk from associated threats such as botnets, Trojans, and ransomware. Botnets like Mirai and Muhstik and the ransomware variant Khonsari have already exploited this vulnerability.

Read more about risk exposure in a Gartner article.

  3. Patch immediately

Apply the Apache patch Log4j 2.15.0 immediately. CISA advises affected organizations that have already applied Log4j 2.15.0 to upgrade to Log4j 2.16.0 to protect them against both CVE-2021-44228 and CVE-2021-45046.
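To support the audit step (find every copy of Log4j) and the patch step (compare against 2.15.0 and 2.16.0) above, here is an added example that is not code from the CISO MAG article or from Sophos: a small Python scanner that walks a directory, recognises log4j-core jars by their Maven pom.properties, and classifies each one against the version guidance given in the article and by whether the JndiLookup class is still present (deleting that class from the jar is a workaround Apache published; the article itself does not mention it). The directory layout and sample jars are constructed for the demonstration; the POM path is the one Maven-built log4j-core jars carry.

```python
"""Log4j jar audit (added example, not code from the CISO MAG article): find
log4j-core jars under a directory and classify each by version and by whether
JndiLookup.class is still present. Assumes Maven-built jars (pom.properties)."""
import os
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(pom_text):
    """Numeric parts of the 'version=2.14.1' line, e.g. (2, 14, 1)."""
    for line in pom_text.splitlines():
        if line.startswith("version="):
            return tuple(int(n) for n in re.findall(r"\d+", line)[:3])
    return ()

def classify(version, has_jndi_lookup):
    """Article's guidance: <2.15.0 exposed to CVE-2021-44228; 2.15.x should
    move to 2.16.0 (CVE-2021-45046). JndiLookup removal is a known workaround."""
    if not version:
        return "unknown-version"
    if version < (2, 15, 0):
        return "vulnerable-CVE-2021-44228" if has_jndi_lookup else "jndilookup-removed"
    return "upgrade-CVE-2021-45046" if version < (2, 16, 0) else "patched"

def inspect_jar(path):
    """Finding dict for a log4j-core jar; None for any other file."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM not in names:
                return None
            version = parse_version(zf.read(POM).decode("utf-8", "replace"))
            status = classify(version, JNDI_CLASS in names)
            return {"path": path, "version": version, "status": status}
    except zipfile.BadZipFile:
        return None  # a .jar name that is not a zip archive

def audit(root):  # walk root and report every log4j-core jar, sorted by path
    paths = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs
             if f.lower().endswith(".jar"))
    return sorted((x for x in map(inspect_jar, paths) if x), key=lambda x: x["path"])

def make_sample_jar(path, version, include_jndi=True):  # constructed fixture
    """Minimal jar carrying only the two markers the scanner looks for."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
```

Jars nested inside WAR, EAR or fat-jar archives are not expanded by this scanner, so those need a second pass after extraction.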

  4. If you can’t patch, then apply mitigation strategies

It takes some time to update Java libraries and patch every system. If you are unable to do this immediately, then certain mitigation strategies can be applied.

A researcher at Sophos demonstrated some of these mitigation strategies.

Most apps have a startup script that launches the Java program. You can adapt that script so that your Java applications suppress the remote code execution and data exfiltration paths by disabling message lookups in Log4j (set the system property log4j2.formatMsgNoLookups to true).

Another mitigation strategy recommended by Sophos is to block the Java Naming and Directory Interface (JNDI) from making requests to untrusted servers. If you are using Log4j 2.10.0 or later, you can set certain configuration values that prevent LDAP and similar queries from getting out.

Restrict egress (outbound) connectivity. Each subnet, server, and workload should be allowed to connect only to the endpoints that are required by the business. All other destinations should be blocked. Configure Access Control Lists too.

Read more on how to mitigate risks from Log4j on the Sophos blog here.

  5. Create an incident response plan

Outline the measures your organization will take to deal with this vulnerability. Update your security policies and communicate your plan to employees across all levels in the organization. C-suite and board members should be apprised of the incident and briefed on how to handle external communication with shareholders and partners. Employees must be vigilant and should be encouraged to report any unusual behavior of their applications or endpoint devices. IT support teams should guide users to update and patch applications on endpoints, just as system administrators patch server-side applications. Remember, everyone is responsible for the organization’s information security.

  6. Don’t trust data that arrives from outsiders

It seems coders place too much trust in untrusted data. Leaving open doors in the code is an invitation for hackers to devise ways to exploit vulnerabilities and manipulate the software. When coding, do not add options on the assumption that users might want them (when in practice they are rarely used), because someone with malicious intentions will eventually find and misuse those options. Is your server accepting untrusted data into the log? This is where the zero-trust model and zero-trust architecture should be applied. Software should be designed so that untrusted or unauthorized users can never use untrusted data to manipulate how that very data gets handled.

Also see:

Log4j Explained: How It Is Exploited and How to Fix It

The Cloud is New Territory for Computer Forensics
https://cisomag.com/the-cloud-is-new-territory-for-computer-forensics/ (Mon, 06 Sep 2021)
Volumes have been written extolling the virtues and benefits of cloud computing. The cloud enables organizations to scale up rapidly and to be more agile. There are cost-savings and efficiencies too, which can be leveraged through various cloud models. But cloud forensics presents new challenges for forensics experts, as it differs vastly from traditional computer forensics.

Today, it is common practice for an organization to adopt a hybrid, multi-cloud approach. That makes cloud security more challenging. If an organization experiences an attack or data breach, it will have to trace the source of the attack, the damage done, and the extent and impact of the attack.

That’s where Cloud Forensics comes in.

When infrastructure is virtualized and hosted by multiple clouds with servers in different jurisdictions, it poses a tremendous challenge to cloud forensics specialists. In fact, doing forensics on the cloud is complicated and differs vastly from traditional computer forensics. With computer forensics, investigators had to find the media that had the data or digital evidence. With the cloud, this evidence could be anywhere and is much more difficult to trace.

The cloud offers various architectures, service models, processes, and continuously changing paradigms. So, it is challenging for investigators to gain access to the data and resources required for forensics – the “artifacts,” as they are called. These include registry keys, files, timestamps, and event logs: digital evidence that can be used in a court of law for criminal litigation.

Cloud Forensics Survey

We wanted to determine what the biggest challenges posed to cloud forensics are today. For this, EC-Council’s Cyber Research team undertook a survey titled “Cloud Forensics in Today’s World.” The report, which appears in the September issue of CISO MAG, uncovers some interesting findings from their investigation:

  • Both multi-tenancy-related privacy issues and distributed data location were considered equally challenging by one-fourth of the respondents.
  • More than half of the respondents believe the hybrid cloud deployment model presents the most challenges towards cloud forensics.
  • Nearly 40% of the respondents say that a lack of channels for international communication contributes significantly to the legal challenges faced by cloud forensics.
  • There is a growing demand that the SLA should specify what data to collect and when, for what purpose, and the legal liabilities involved.
  • FaaS (Forensics as a Service) is the most anticipated trend towards improving the cloud forensics domain.

Since the cloud is now a shared responsibility, some have suggested that cloud service providers offer Forensics as a Service. Yes, FaaS is being offered by third parties today. But more CSPs need to offer it.

Shared Responsibility Model

In the cover story, Karim El Chenawi, CISO at John Doe Invest, writes that the shared responsibility model for cloud computing puts the onus of cloud security on both the cloud service provider and the client. And that increases the attack surface for threat actors to exploit. So there is a need for a trustworthy cloud forensic process that overcomes the existing challenges associated with cloud computing and provides clear and actionable data towards security enforcement and incident handling. He suggests that the complete cloud forensic process should be classified into incident identification, data collection, and analysis and examination phases.

Don’t miss the September 2021 issue. We hope you enjoy reading the Cover Story, Survey Report, and other curated articles from industry experts.