The disclosure of the Log4j zero-day exploit in December 2021 had a serious impact on the cybersecurity industry. The flaw is found in one of the most commonly used pieces of software, so it could potentially impact billions of devices. If the flaw is left unpatched, attackers could seize complete control of the device, which is cause for alarm. In fact, the Federal Trade Commission (FTC) threatened to use “its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
To better understand the implications of Log4j for cybersecurity professionals, ISC2 conducted an online poll of 269 cybersecurity practitioners examining the Log4j vulnerability and the human impact of efforts to remediate it.
Cybersecurity professionals from around the globe shared their experiences and opinions, revealing the severity and long-term consequences of the Log4j attack for both security teams and the organizations they protect.
Duty Calls
The results confirmed the severity of the Log4j vulnerability, the fallout of which will not be known for months or even years to come. One respondent described Log4j as a wake-up call, stating, “Software development today is closer to LEGO building than actually writing code, so it’s critical to know what LEGO pieces are part of your product. Log4j could be described as one of those very common 4×2 LEGO pieces; it’s everywhere… But developers in general have been very lax about tracking what they use in their software. When an event like this requires us to identify whether some library or component is used by our code, that lack of traceability becomes a major pain point. It turns a simple exercise of checking inventories and SBOMs into a complex scanning process, with many opportunities for false positives and false negatives. If we ever needed a wake-up call, we’ve got a big one with Log4j.”
Cybersecurity professionals, once again, rose to the occasion, responding swiftly to the disclosure of Log4j. Due to the ubiquitous nature of the vulnerability, 52% of respondents said their team collectively spent weeks or more than a month remediating Log4j and nearly half (48%) of cybersecurity teams gave up holiday time and weekends to assist with remediation.
The work is not over yet, as one respondent said, “This is one that will ripple on for some time due to the fact that it is hard to identify software with the vulnerability.”
Another respondent noted, “We will probably never rid systems of this vulnerability. Sometimes, during pen tests, I still see systems with HeartBleed, BlueBorne or other old vulnerabilities.”
Cybersecurity Professionals Defending Multiple Fronts at Once
There haven’t been any major breaches attributed to Log4j to date, in large part due to the hard work and dedication of the cybersecurity community. It was all hands on deck to remediate for most organizations. One respondent brought in top execs to assist, stating, “Our whole IT team, CISO and several ISO and managers were involved. Doing checks, scans and updates.”
However, as a result of the reallocation of resources and the sudden shift in focus that was required, security teams report that many organizations were less secure during remediation (27%) and fell behind on their 2022 security priorities (23%).
One respondent commented on the stress the vulnerability put on them and their team, stating, “Overall, the biggest impact from the Log4j attack was the multiple vulnerabilities released. Log4j was the primary focus, but it seemed that every week a new iteration would come out causing us to re-evaluate.”
One respondent felt the biggest lesson learned from Log4j is, “Proactively tracking every embedded app isn’t realistic. We need to closely monitor the news for vulnerability disclosures and have in-depth logging and reporting on our networks and applications. We need more [personnel] to put in the extra hours when there is a disclosure, to avoid burning people out and deprioritizing day-to-day security work.”
This landscape of unsteadiness is what the Cybersecurity Workforce Gap looks like in practice. According to the ISC2 2021 Cybersecurity Workforce Study, the gap stands at 2.72 million professionals globally, with 60% of respondents reporting that the workforce shortage is placing their organization at risk.
Real-World Consequences of the Cybersecurity Workforce Gap
The poll data reconfirms findings from the 2021 ISC2 Cybersecurity Workforce Gap. According to cybersecurity professionals, several capabilities could be improved if their organizations weren’t short-staffed, such as available time for risk assessment and management (30%) and speed to patch critical systems (29%). While cybersecurity teams need to prioritize activities to maximize the efficiency of their operations, a shortage in team resources can exacerbate the challenge of having many priorities at once.
When a cybersecurity team is staffed appropriately, the disclosure of critical vulnerabilities and other “fire drills” can be investigated and remediated in a timely manner. Investing in existing staff development is one of the many factors that contribute to higher retention. Retaining staff means the organization spends less time and resources on continuously hiring and training new staff members, which, in cybersecurity, has a positive impact on the overall cybersecurity posture.
Well-staffed teams are also more effective at diverting and prioritizing resources without compromising security because they have institutional knowledge of what assets their organization uses, where they are located and what vendors they use. Since Log4j is so common, teams that have good asset management habits can more quickly find the vulnerability in their supply chain and fix it.
Sense of Pride for Community Efforts
The timely action of cybersecurity professionals and the widespread awareness created around Log4j left industry practitioners satisfied. According to the ISC2 poll, 64% of cybersecurity professionals believe their peers are taking the zero-day seriously.
One respondent saw a silver lining: “My team is using the Log4j event to make many process improvements for the org. The scope of Log4j has revealed many tech and process gaps that we will improve upon. It has demonstrated to our complex organization the importance of improving cross organizational collaboration and communication.”
Although remediation efforts have been successful thus far, cybersecurity professionals must remain diligent to protect their organization. Log4j remediation is a massive undertaking: assessing what devices and applications contain this pervasive code and quickly fixing the vulnerability. Organizations can check if they are using Log4j software by consulting CISA’s Log4j Guidance.
ISC2 is committed to narrowing the Cybersecurity Workforce Gap. One way to address the workforce shortage is bringing more young people and cybersecurity career changers into the field.
ISC2 has created an entry-level cybersecurity certification program that validates candidates’ foundational knowledge, skills and abilities necessary for an entry- or junior-level cybersecurity role and gives employers confidence that they have the necessary skills for success and ability to learn more and grow on the job.
Candidates can register for the entry-level cybersecurity certification exam via Pearson Vue, the exclusive exam administration provider for ISC2, or they can purchase an online course and exam voucher as they prepare for their step toward a cybersecurity career.