And it’s never over….
If the log4j crisis has proven anything, it is in justifying why the Center for Internet Security (CIS®) Top 18 controls are so vital. Rather than mandating controls to counter every possible attack vector (NIST 800-53 et al), the CIS Top 18 controls are periodically refreshed and reprioritized based on real-world attack data to address just those controls that counter the most common attacks.
In this case, the unsurprising news that the initial log4j vulnerability patch did not quite do the job and so you had to patch all the impacted systems again, and then the latest news that the second patch still did not cover it all and you had to patch yet a third time, highlights the importance of CIS controls 1, 2, 7, 15 and 17.
CIS control’s 1 and 2 are the inventory and control of hardware and software assets. As I have repeated until I am blue in the face, “you can’t protect what you don’t know you have”. In this case, the variant is “you can’t patch if you don’t know if you have it”.
CIS control 7 is vulnerability management. If you have no way to scan systems for vulnerabilities such as log4j, nor any ability (which includes process and technology) to patch these systems, then you are still dead in the water.
CIS control 15 addresses the reality that in many organizations IT functions are largely, if not totally, outsourced to 3rd party SaaS providers. If you are not managing who these are, then you have no way of querying them to find out if they have applied the first patch (or the second, or the third…).
And lastly CIS control 17, incident response. I am sure there are still many organizations that are not even aware that the log4j issue exists, and even when they are informed, have no idea where to start. Incident response encompasses both threat intelligence, planning, and response. You need to be constantly aware of what cyber issues can impact your organization, be prepared for the likely scenarios, and have the ability to execute when the fecal matter hits the oscillating air mover.
So what’s the point I’m trying to make? That cybersecurity is not just a matter of implementing some control framework such as NIST CSF, ISO 27001/2 or God forbid the ISF’s Standard of Good Practice. In other words, it is not a compliance issue (though you may be forced to look at it that way due to your industry mandates). It is a risk issue, and you need to prioritize the countermeasures that will be most impactful in reducing risk, and if you do nothing else, make sure you are doing all of them and doing them well, ALL THE TIME!
Happy Holidays! 🙂