The US Department of Homeland Security (DHS) launched its Cyber Safety Review Board (CSRB) in February 2022, as an effort to help organizations learn from security incidents.
The biggest single effort so far from the CSRB is a review of the log4j security incident which was first publicly disclosed in December 2021.
In a session at the Black Hat USA 2022 security conference, Rob Silvers, DHS Undersecretary for Policy and Chair of the Cyber Safety Review Board and Heather Adkins, Deputy Chair and Vice President, Security Engineering at Google outlined the efforts of the CSRB and its work to date.
“The Cyber Safety Review Board was created from President Biden’s Executive Order last year on cybersecurity,” Silver said. “It is really an unprecedented public/private collaboration for authoritative fact finding, and then providing lessons learned and recommendations coming out of the very biggest cyber events.”
Silver added that until the CSRB was created there really was not any authority whose job it was to convene different kinds of companies and security researchers, without any particular agenda, and hear what they have to say about a particular incident and then detail the incident in an authoritative report.
Log4j Disclosure Done Right
The Log4j issue was initially discovered by security researchers working at Chinese firm Alibaba that reported the issue to the Apache Software Foundation, which is where Log4j is developed.
Silver said that the CSRB concluded that the Alibaba researchers did the right thing and responsibly disclosed the issue, such that Apache could begin its work of developing a patch. Adkins noted however that the open source nature of Apache and Log4j in this incident may have been an issue for disclosure.
“One of the things we learned about the open source community is that many times fixes are done in the open, and that means in issue tracking systems you can actually see the fix being developed and that was the case here with Apache as well,” she said. “Now they didn’t mark it as a security vulnerability with a big sign on it that said, hey, this is a vulnerability, but anybody keeping an eye on the code would have seen that they were working on fixing some code.”
Adkins noted that what likely happened is that before Apache could release an official fix for everybody and begin the mass patching phase, somebody noticed the issue which caused significant risk.
“This is an opportunity for us to think about how do we build a software ecosystem where we can all move very quickly, because we know that things happen in the open that bugs get discovered that they get exploited before they’re disclosed.”
Among the key recommendations coming out of the CSRB report on Log4j is the need for Software Bill of Materials (SBOM).
Silver said that the CSRB felt that SBOMs have tremendous potential as a concept to help organizations have a better understanding of their IT assets and what components they rely on. With Log4j, one of the primary challenges was that as an embedded library in many different pieces of software, it was difficult for organizations to know where the risks were within their IT organizations.
The important of asset management and asset inventory is a key lessons that the Log4j incident reinforces, according to Silver.
“You have to know what you have and where things are and that has been a staple of InfoSec talks for a long time,” Silver said.