Amid the rush to consult vendors and check and patch and test against the recently-announced Log4j, check out the following tips…
Affecting Log4j versions 2.0-beta9 to 2.14.1, the flaw has the potential to cause data exfiltration and/or remote code execution on servers using this component for logging functionality.
There are many ways in which attackers can leverage the Log4j vulnerability for nefarious purposes. While there is no one vendor or tool that can completely prevent every arbitrary code execution attempt every time, these are steps organizations can take to protect identities, secure privileged access and minimize risk. Identity security firm CyberArk has contributed a reminder of the six identity security best practices to reduce the Log4shell risk:
- Patch, patch, patch:
If you have not already done so, take immediate steps to apply the software update already released by Apache in Log4j. It is also important to review vendor recommendations and updates for all enterprise software platforms in use, along with any underlying OS and enterprise integrations. Check in with all third-party vendors to make sure they have also patched the software you use.
- Deploy peripheral defenses.
As part of a comprehensive defense-in-depth strategy apply web application firewall (WAF) rules to mitigate common exploitation attempts.
- Protect the credentials served to servers.
Restrict access to environment variables and local credentials stored in CI/CD pipelines to minimize any immediate risks posed by opportunistic attackers. If an application requires a secret be handed over in an environment variable, use a secrets manager to help ensure only authenticated users get access to the clear text secrets.
- Protect Tier 0 assets.
Only allow privileged access to specific bastion hosts to restrict access to Tier 0 assets like Active Directory and DevOps workflow orchestrators. This will make it exponentially more difficult for the attacker to escalate privileges and achieve a complete network compromise.
- Implement least privilege for both services and users.
This step is critical in mitigating the risk of a targeted attack. Restricting access to the minimum level needed—and taking it away as soon as it is not needed—can go a long way in slowing down or halting an attacker’s progress by preventing lateral movement, and ultimately, minimizing the blast radius.
Enable Multi-Factor Authentication (MFA) whenever possible.
Attackers are much more likely to succeed when they do not have to provide a second authentication factor or another piece of approval to insert their code.