Log4j Vulnerabilities Put Strain on Overburdened Cybersecurity Workforce

February 23, 2022 - Since researchers discovered numerous Apache Log4j vulnerabilities in December, the cybersecurity workforce has been stretched thin trying to patch systems, deescalate network intrusions, and manage other priorities simultaneously.

The magnitude of these vulnerabilities and the tedious remediation process are taking a toll on the already short-handed cybersecurity workforce, a new survey from (ISC)² revealed.

Log4j Background

Apache Log4j is an extremely common Java framework used to enable application logging features. Because Log4j is so widely used, the Log4j vulnerabilities are particularly threatening and could have catastrophic security consequences for healthcare and other sectors if it is not patched immediately.

In December, the Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare sector of the seriousness of the Log4j vulnerabilities.

“The exact extent to which Log4j is deployed throughout the health sector is unknown. It is a common application, utilized by many enterprises and cloud applications including several large and well-known vendors,” HC3 stated.

“Therefore, it’s highly likely that the health sector is impacted by this vulnerability, and possibly to a large-scale extent. Log4j is known to be a component in many software platforms, some of which are part of cloud services.”

HC3 later observed China-based threat actor HAFNIUM exploiting the vulnerabilities, along with Conti and PHOSPHOROUS. HC3’s brief said that US entities accounted for 43 percent of all exploitation attempts as of late January.  

In January, Microsoft observed high rates of Log4j exploitation attempts, mainly consisting of establishing remote shells, red-team activity, coin mining, and mass-scanning. Patching is critical, but legacy devices are notoriously hard to patch. This combination put additional strain on the cybersecurity workforce in the early months of 2022.

Log4j Burden Falls on Cybersecurity Workforce

(ISC)²’s survey of 269 cybersecurity professionals working closely with Log4j vulnerabilities and remediation efforts validated the severity of the vulnerabilities, “the fallout of which will not be known for months or even years to come.”

More than half of survey respondents said their team spent weeks or months remediating Log4j vulnerabilities. Nearly half of respondents said they sacrificed weekends and holidays to deal with remediation.

One respondent voiced their grievances in the survey, saying that Log4j was a “wake-up call” for the cybersecurity workforce:

“Software development today is closer to LEGO building than actually writing code, so it’s critical to know what LEGO pieces are part of your product. Log4j could be described as one of those very common 4×2 LEGO pieces; it’s everywhere… But developers in general have been very lax about tracking what they use in their software. When an event like this requires us to identify whether some library or component is used by our code, that lack of traceability becomes a major pain point. It turns a simple exercise of checking inventories and SBOMs into a complex scanning process, with many opportunities for false positives and false negatives. If we ever needed a wake-up call, we’ve got a big one with Log4j.”

Another respondent predicted that Log4j vulnerabilities would never be eradicated. The true impact of Log4j vulnerabilities has not yet been realized.

Log4j’s Impact on the Cybersecurity Workforce Gap

A previous study from (ISC)² found that the current cybersecurity workforce must grow by 65 percent to protect critical assets adequately. On a positive note, the research showed that the cybersecurity workforce gap had narrowed for the second consecutive year. However, (ISC)² collected the results prior to the discovery of the Log4j vulnerabilities.

A workforce shortage can result in employee burnout, as exhibited by the current nationwide clinician shortage. For IT teams, the deficit could mean that employees are stretched too thin and may miss critical vulnerabilities and suspicious network activity as a result.

One in four surveyed cybersecurity professionals reported believing their organization was less secure while they worked to remediate the Log4j vulnerabilities, and 23 percent said that they are now behind on 2022 cybersecurity priorities.

The healthcare sector cannot afford these gaps. If network intrusions slip through the cracks and cyberattacks continue to increase, there could be serious impacts on patient safety and privacy. In addition, penalties for noncompliance can be financially devastating for organizations.

“When a cybersecurity team is staffed appropriately, the disclosure of critical vulnerabilities and other ‘fire drills’ can be investigated and remediated in a timely manner. Investing in existing staff development is one of the many factors that contribute to higher retention,” the report noted.

“Retaining staff means the organization spends less time and resources on continuously hiring and training new staff members, which, in cybersecurity, has a positive impact on the overall cybersecurity posture.”

Although there have been no major Log4j-related cyberattacks, the vulnerabilities will likely continue to put additional stress on cybersecurity professionals across all industries.

“Although remediation efforts have been successful thus far, cybersecurity professionals must remain diligent to protect their organization,” the report continued.

“Log4j remediation is a massive undertaking assessing what devices and applications contain this pervasive code and quickly fixing the vulnerability.”