A year ago, a newly discovered zero-day vulnerability rocked the cybersecurity world, but 12 months later there are clear signs that important lessons have not been learned.

Catchily titled CVE-2021-44228, the vulnerability is an easily exploitable flaw in the widely used Java logging library Apache Log4j that allows attackers to remotely gain access to, and control of, machines and servers.

Log4j’s ubiquity means that it was (and still is) embedded in a vast array of applications, services, and enterprise software tools written in Java and used by organizations and individuals around the world, which made the vulnerability a major concern from the moment it was discovered.

The National Institute of Standards and Technology (NIST) gave the vulnerability a Common Vulnerability Scoring System (CVSS) score of 10, classifying it as a critical vulnerability of the highest severity, and within hours of its disclosure the Log4j flaw was being exploited by cybercriminals.

No wonder CISA chief Jen Easterly described the Log4j vulnerability, which affects hundreds of millions of devices, as “one of the most, if not the most serious, I’ve seen in my career.”

Security updates and mitigations were rapidly deployed, but even one year after the initial disclosure, Log4j remains a threat as many organizations and their suppliers have yet to apply the update.
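One way to check whether the update has actually been applied across a fleet, as an added example that is not taken from the article or from the Log4j project: a Python script that walks a directory tree, reads the Maven pom.properties shipped inside each log4j-core jar (including jars nested in wars and fat jars), and reports whether the bundled version predates 2.15.0 (the first release that closed CVE-2021-44228) and whether the JndiLookup class that the documented workaround removes is still present. The function names, the status labels and the fake jars built by make_sample_jar are assumptions of this example; the fixtures are constructed so the script runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 15, 0)  # first log4j-core release that closed CVE-2021-44228
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def parse_version(text):  # '2.14.1' -> (2, 14, 1); pre-release '2.0-beta9' -> (2, 0, 0)
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def assess_archive(data, name="<bytes>"):
    """Return findings for one archive, recursing into nested jars (fat jars, wars)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not a zip container (or corrupt); nothing to assess
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PATH in names:
            lines = zf.read(POM_PATH).decode("utf-8", "replace").splitlines()
            props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
            version = parse_version(props.get("version", ""))
            if version is None:
                status = "unknown-version"
            elif version >= FIXED_VERSION:
                status = "patched"
            elif JNDI_CLASS in names:
                status = "VULNERABLE"
            else:
                status = "mitigated"  # JndiLookup.class removed, the documented workaround
            findings.append({"archive": name, "version": props.get("version"), "status": status})
        for inner in names:
            if inner.lower().endswith(ARCHIVE_EXTS):
                findings.extend(assess_archive(zf.read(inner), f"{name}!{inner}"))
    return findings

def scan_tree(root):  # walk a directory tree and assess every archive found
    return [f for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_EXTS
            for f in assess_archive(p.read_bytes(), str(p))]

def make_sample_jar(version, include_jndi=True):  # constructed fixture with no real bytecode
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()
```

Run scan_tree on an application or library directory to get one finding per log4j-core jar; backport branches for older Java runtimes carry their own fixed versions and will show as VULNERABLE here, so review those by hand.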

Part of the problem is that many people may still not realize that a logging library such as Log4j is part of their software ecosystem.

However, repeated warnings have made it clear that the vulnerability remains a critical threat, and hacking groups ranging from cybercriminals and ransomware gangs to state-sponsored cyber espionage operations have all actively exploited the Log4j vulnerability and continue to do so.

Just last month, almost a year after the initial disclosure, CISA and the FBI issued a security alert warning that any organization that has not yet patched or mitigated the Log4j vulnerability should assume its network has been compromised and act accordingly.

The alert followed an investigation into cyberattacks against what CISA and the FBI call a “Federal Civil Administration” organization. If government agencies can’t properly plug security holes, what chance do other organizations have?

Cybersecurity changes rapidly, and information security teams regularly face burnout because there is always another new vulnerability to deal with or another security update to apply. Cybercriminals, however, do not forget old security flaws, and they will keep targeting Log4j instances until they are patched or mitigated.

In other words, organizations cannot ignore vulnerabilities and problems and hope they go away. Fixing these issues is difficult, but it’s absolutely necessary to heed security alerts and warnings to ensure your network is protected.

This is just one reason why organizations of all sizes have a responsibility to fund an appropriately sized information security team, one that can detect and mitigate threats before they impact the business and its customers.

