Log4Shell Exposes the Mismatched Allocation of Resources in Healthcare Cybersecurity

Topics:
Vulnerability management
This is some text inside of a div block.
Axel Wirth
Axel Wirth

January 22, 2022

Log4Shell Exposes the Mismatched Allocation of Resources in Healthcare Cybersecurity

By Axel Wirth, Chief Security Strategist at MedCrypt, Adjunct Professor at the University of Connecticut, and co-author of “Medical Device Cybersecurity for Engineers and Manufacturers”

Over the past few days the cybersecurity world has been rattled by the Log4Shell vulnerability that caused yet another mad scramble to identify whether a given organization and given system are impacted and if so, deploy the respective mitigation.

It appears that human capacity for response to these events is reaching (or already exceeding) its limits, especially since these vulnerability announcements tend to not be stable for a while with new information continually being added (in case of Log4Shell with a subsequent vulnerability in the proposed patch). Clearly, to make vulnerability management workable at scale we need better tooling to improve software transparency to the benefit of both vendors and operators.

Log4Shell earned a CVSS score of 10.0 Critical

Rightfully, Log4Shell earned a CVSS score of 10/10, positioning it in the top 5% range of disclosed vulnerabilities. Reports indicate that it is already being exploited with more than an estimated 1 million systems already having been attacked (and counting). To make matters worse, some have speculated that it is wormable and that the appearance of self-replicating malware is imminent.

As many times before, cyber adversaries have demonstrated their ability to move fast. Initial attempts to exploit the vulnerability were detected as soon as nine minutes after public disclosure. Within a few days, attacks turned from simple reconnaissance to data exfiltration and credential theft as well as started to use obfuscation techniques to evade compensating controls like firewalls.

At the time of this writing it has been reported that 40% of corporate networks have been targeted and that nation-state adversaries have been using the vulnerability in their attacks.

Frequency of attempts to test or exploit the Log4j flaw, seen across 58 countries over a 48-hour period (Source: McAfee)

We are on a concerning trajectory with more and more vulnerabilities of higher impact being discovered increasingly frequently. We are still in the weeds with Nucleus:13 and, just in time for the holidays, Log4Shell comes along.

As a medical device manufacturer, it’s critical to rapidly identify affected product versions, communicate to customers, and provide a patch (or other mitigation). On the user side, health systems need to identify affected systems, prioritize based on risk and exposure, and deploy patches.

The key to mitigation is proper software component transparency at scale. Manual efforts have let us down to date and demonstrate the need for a vulnerability management tool that provides reliable vulnerability analysis and enables the manufacturer to identify affected products and versions. Then subsequently enable the operator, via connection to their asset management system, to identify the physical devices. In other words, SBOM is the glue between the two and provides for efficient vulnerability lookup and communication.

Not meaning to downplay the need for human intervention, but the increasing prevalence of deeply embedded and pervasive vulnerabilities means resources must be allocated where they are most impactful. Applying resources (e.g., people) to the complex and time consuming identification process is inefficient, results in loss of valuable cycles, and leaves too much time for the attacker to benefit from their latest opportunity.

Strategy to date has not substantially protected nor enabled rapid remediation. What got us here will not bring us to a safer and more secure healthcare environment.

Learn more about Heimdall, the SBOM and Vulnerability Management tool from MedCrypt

Related articles

Top 5 Things People Get Wrong About SBOM Generation
This is some text inside of a div block.

Top 5 Things People Get Wrong About SBOM Generation

Vulnerability management
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.
Jobe Naff
Jobe Naff

October 30, 2024

Cybersecurity in FDA CDRH’s Proposed Guidance List for Fiscal Year 2025
This is some text inside of a div block.

Cybersecurity in FDA CDRH’s Proposed Guidance List for Fiscal Year 2025

FDA readiness
This is some text inside of a div block.
Regulatory
This is some text inside of a div block.
Thought leadership
This is some text inside of a div block.
Axel Wirth
Axel Wirth

October 28, 2024

Meeting FDA Cybersecurity Requirements with Medcrypt Guardian & RTI Connext
This is some text inside of a div block.

Meeting FDA Cybersecurity Requirements with Medcrypt Guardian & RTI Connext

Company
This is some text inside of a div block.
Cryptography
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
All authors
All authors

October 22, 2024

Subscribe to Medcrypt news

Get the latest healthcare cybersecurity news right in your inbox.

We'll never spam you or sell your information