The disclosure of the Log4j zero-day exploit in December 2021 had a serious impact on the cybersecurity industry. The flaw is found in one of the most commonly used pieces of software, thus, it could potentially impact billions of devices. If left unpatched, attackers could seize complete control of the device, which is cause for alarm. In fact, the Federal Trade Commission (FTC) threatened to use “its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
To better understand the implications of Log4j for cybersecurity professionals, ISC2 conducted an online poll of 269 cybersecurity practitioners examining the Log4j vulnerability and the human impact of efforts to remediate it.
Cybersecurity professionals from around the globe shared their experiences and opinions, revealing the severity and long-term consequences of the Log4j attack for both security teams and the organizations they protect.
The results confirmed the severity of the Log4j vulnerability, the fallout of which will not be known for months or even years to come. One respondent described Log4j as a wake-up call, stating, “Software development today is closer to LEGO building than actually writing code, so it’s critical to know what LEGO pieces are part of your product. Log4j could be described as one of those very common 4×2 LEGO pieces; it’s everywhere… But developers in general have been very lax about tracking what they use in their software. When an event like this requires us to identify whether some library or component is used by our code, that lack of traceability becomes a major pain point. It turns a simple exercise of checking inventories and SBOMs into a complex scanning process, with many opportunities for false positives and false negatives. If we ever needed a wake-up call, we’ve got a big one with Log4j.”
Cybersecurity professionals, once again, rose to the occasion, responding swiftly to the disclosure of Log4j. Due to the ubiquitous nature of the vulnerability, 52% of respondents said their team collectively spent weeks or more than a month remediating Log4j and nearly half (48%) of cybersecurity teams gave up holiday time and weekends to assist with remediation.
The work is not over yet, as one respondent said, “This is one that will ripple on for some time due to the fact that it is hard to identify software with the vulnerability.”
Another respondent noted, “We will probably never rid systems of this vulnerability. Sometimes, during pen tests, I still see systems with HeartBleed, BlueBorne or other old vulnerabilities.”
Cybersecurity Professionals Defending Multiple Fronts at Once
There haven’t been any major breaches attributed to Log4j to date, in large part due to the hard work and dedication of the cybersecurity community. It was all hands-on deck to remediate for most organizations. One respondent brought in top execs to assist, stating, “Our whole IT team, CISO and several ISO and managers were involved. Doing checks, scans and updates.”
However, as a result of the reallocation of resources and the sudden shift in focus that was required, security teams report that many organizations were less secure during remediation (27%) and fell behind on their 2022 security priorities (23%).
One respondent commented on the stress the vulnerability put on them and their team, stating, “Overall, the biggest impact from the Log4j attack was the multiple vulnerabilities released. Log4j was the primary focus, but it seemed that every week a new iteration would come out causing us to re-evaluate.”
One respondent felt the biggest lesson learned from Log4j is, “Proactively tracking every embedded app isn’t realistic. We need to closely monitor the news for vulnerability disclosures and have in-depth logging and reporting on our networks and applications. We need more [personnel] to put in the extra hours when there is a disclosure, to avoid burning people out and deprioritizing day-to-day security work.”
This landscape of unsteadiness is what the Cybersecurity Workforce Gap looks like in practice. According to the ISC2 2021 Cybersecurity Workforce Study , the gap stands at 2.72 million professionals globally, with 60% of respondents reporting that the workforce shortage is placing their organization at risk.
Real-World Consequences of the Cybersecurity Workforce Gap
The poll data reconfirms findings from the 2021 ISC2 Cybersecurity
According to cybersecurity professionals
, several capabilities could be improved if their organizations weren’t
short-staffed, such as available time for risk assessment and management
(30%) and speed to patch critical systems (29%). While cybersecurity teams
need to prioritize activities to maximize the efficiency of their
operations, a shortage in team resources can exacerbate the challenge of
having many priorities at once.
When a cybersecurity team is staffed appropriately, the disclosure of critical vulnerabilities and other “fire drills” can be investigated and remediated in a timely manner. Investing in existing staff development is one of the many factors that contribute to higher retention. Retaining staff means the organization spends less time and resources on continuously hiring and training new staff members, which, in cybersecurity, has a positive impact on the overall cybersecurity posture.
Well-staffed teams are also more effective at diverting and prioritizing resources without compromising security because they have institutional knowledge of what assets their organization uses, where they are located and what vendors they use. Since Log4j is so common, teams that have good asset management habits can more quickly find the vulnerability in their supply chain and fix it.
Sense of Pride for Community Efforts
The timely action of cybersecurity professionals and the widespread awareness created around Log4j left industry practitioners satisfied. According to the ISC2 poll, 64% of cybersecurity professionals believe their peers are taking the zero-day seriously.
One respondent saw a silver lining: “My team is using the Log4j event to make many process improvements for the org. The scope of Log4j has revealed many tech and process gaps that we will improve upon. It has demonstrated to our complex organization the importance of improving cross organizational collaboration and communication.”
Although remediation efforts have been successful thus far, cybersecurity professionals must remain diligent to protect their organization. Log4j remediation is a massive undertaking assessing what devices and applications contain this pervasive code and quickly fixing the vulnerability. Organizations can check if they are using Log4j software by consulting CISA’s Log4j Guidance .
ISC2 is committed to narrowing the Cybersecurity Workforce Gap. One way to address the workforce shortage is bringing more young people and cybersecurity career changers into the field.
ISC2 ihas created an entry-level cybersecurity certification program that validates candidates’ foundational knowledge, skills and abilities necessary for an entry- or junior-level cybersecurity role and give employers confidence that they have the necessary skills for success and ability to learn more and grow on the job.
Candidates can register for the entry-level cybersecurity certification exam via Pearson Vue, the exclusive exam administration provider for ISC2, or they can purchase an online course and exam voucher as they prepare for their step toward a cybersecurity career.