How We Are Dealing With the Log4Shell Vulnerability
Log4shell is a critical vulnerability in the widely-used logging tool Log4j. The Log4j issue has an impact on a lot of different companies, either because of vulnerabilities in their software, or vulnerabilities in the software of their suppliers. As Researchable we are ISO27001 certified and I wanted to share how we are dealing with the Log4shell vulnerability and how ISO27001 helped us to deal with this issue.
What Is the Issue?
A severe vulnerability has been found in the popular logging library Log4j. The log4j library is commonly used in Java applications for logging. The vulnerability found allows an unauthorized person to remotely run code within the Java application that uses this logging library. Because of its widespread use in servers and desktop applications, the CVEs that have been announced have a major impact. CVE is a database of publicly disclosed information security issues.
Asset Management and ISO27001
One important element of ISO27001 is asset management of the systems you have and use. These systems are very broad and range from servers that you host at AWS, to the service you use for sending your emails. Although it is quite painful to keep this list up to date with all the systems being used in the company, we now really see the benefits. Because of this list, we could easily select all the systems that could have potentially been impacted.
Incident Management Process
Based on this system list we followed our Incident Management Process to determine the impact of this CVE on our services and our suppliers and created an overview of all suppliers that were potentially impacted by this issue. As the news about this is constantly changing, we've also scheduled several re-check moments, to make sure that all the systems we use are safe.
What is ISO27001
- •ISO27001 is an international standard providing requirements for an information security management system (ISMS).
- •It follows a so-called Plan Do Check Act cycle, in which all information in the ISO27001 ISMS is constantly evaluated and updated.
- •It helps organizations manage their information security in a structured way.
Relevance Becomes Clear
ISO27001 provides great processes, some of which the relevance only becomes clear when incidents like the Log4shell vulnerability happen. Because of this incident, we have seen the usefulness of the asset management system that we use but also noticed that it took us too much time to make a distinction between self-hosted and cloud-hosted services, and services that are only used for development (but still could pose a security threat based on this CVE).
We learned from this vulnerability and are working on optimizing our process to create better lists of our systems. We've already scheduled several objectives to create better overviews of these systems. The basis of ISO27001 is continuous improvement and a core value of Researchable.