In a recent report by Valtix, 95% of IT leaders dubbed Log4Shell a wake-up call for cloud security, changing it permanently. Some 87% now feel less confident about their cloud security now than they did prior to the incident.
Back in December, the zero day vulnerability affected the Log4j utility, one of the most widely used tools by developers to debug or fix issues in their code. Four months after the incident, 77% of IT leaders are still dealing with Log4j patching, and 83% said that Log4Shell has impacted their ability to address business needs, according to the report.
The Lo4j vulnerability keeps making headlines because it could allow attackers to easily seize control of nearly everything from industrial control systems to web servers and consumer electronics. Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM have all found that at least some of their services were vulnerable.
Like many other software supply chain vulnerabilities to emerge in the past two years, similar to Kaseya or SolarWinds, Log4Shell is a reminder that cloud configurations are built on top of many third party dependencies, from cloud service provider products to software components. Essentially, the cloud is built on open-source software, which is often subject to zero day vulnerabilities.
Learn More: What is a zero day?
Moving to a cloud environment can create critical gaps in visibility or introduce some new risks, such as misconfigurations and insufficient identity and access controls. This could further emphasize any previous lack of knowledge. Organizations need to understand their attack surface, including their own network, their third party vendor network, and the applications used.
One vulnerable link in the supply chain can lead to cyberattacks and data breaches, disrupting business operations at scale, across industries. This is why organizations need full visibility into their digital ecosystem, and continuous monitoring to detect and remove vulnerable third party components. Likewise, third party vendors need to protect themselves and their customers from attacks.
However, 78% of IT leaders stated they lack clear visibility into what’s currently happening in their cloud environment:
- 82% say visibility into active security threats in the cloud is usually obscured
- 86% agree it’s more challenging to secure workloads in a public cloud than in an on-premises data center
- Only 53% feel confident that all of their public cloud workloads and APIs are fully secured against attacks from the internet
“Defense in depth is essential because there is no such thing as an invulnerable app,” said Vishal Jain, co-founder and CTO at Valtix. “Log4Shell exposed many of the cloud providers’ workload security gaps as IT teams scrambled to mitigate and patch.”
Zero Day Fundamentals and Remediation: Visit our Zero Day Resource Center
Back to basics: Layered defense
While zero day exploits are reaching a record‑high number, companies can also be hit by an exploit for a known vulnerability, possibly one dating back many years.
Good cyber-hygiene and layered defense remain critical to effective cyber risk management. Consider the following best practices:
- Proactive patching of known vulnerabilities
- Security toolkit: antivirus, firewall, IDS, MFA, backups, and more
- Cybersecurity awareness training for all staff
- Cybersecurity requirements for third party vendors (learn more in our vendor management guide)
- Supply chain checks to ensure open source components are secure
- Continuous monitoring to detect and mitigate the risk of accidentally exposed systems
How Can ThirdPartyTrust Help You Mitigate the Log4J Vulnerability and Other Zero Days
ThirdPartyTrust is a third party risk management automation platform where enterprises and vendors connect to easily complete risk assessments, exchange security documentation, track, and monitor risks.
With flexible fit-for-purpose features, the tool adapts to help you stay ahead of zero days or unexpected vulnerabilities like Log4Shell. The ability to rapidly create and distribute a simple questionnaire among your vendors to manage potential threats can make the difference between business as usual and business continuity issues.
If one of your vendors is vulnerable, you can ask for additional requirements and assurances right away, and easily track them with the tool. You can also update the category or classification of this vendor (i.e. more or less critical, more or less impactful for the business).
Vendors using the platform to respond to risk assessments may complete these new requirements as part of their security profile and share them proactively. This will show their customers that they take security seriously and are being diligent to mitigate any new vulnerability.
