Welcome to the Winter 2022 issue of the United States Cybersecurity Magazine! As always, we’d like to take a moment to thank our supporters, members, sponsors, contributors and everyone else who makes the magazine possible. All of us here at the United States Cybersecurity Magazine remain committed to bringing you, our readers, the best and most topical cybersecurity information available.
How about that Log4j vulnerability, sports fans? While this is serious business that’s impacted many of our colleagues across the information technology industry, there are a number of important lessons for all of us. To refresh your recollection, Log4j is a very popular Java library for logging application errors, and Log4Shell is a software vulnerability in Apache Log4j 2. The vulnerability, published as CVE-2021-44228 on November 26th (it was reported on November 24th), enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j. That, by the way, is bad.
Apache issued a patch for the vulnerable versions of Log4j on December 6, 2021. Unfortunately, this patch left part of the vulnerability unfixed, resulting in another vulnerability, CVE-2021-45046, and a second patch, released on December 13, 2021. Apache released a third patch on December 17th to fix another related vulnerability, CVE-2021-45105. They released a fourth patch on December 28th to address another vulnerability, CVE-2021-44832.
It’s tempting to take this debacle as an indictment of the open source community, but that would be both wrong and disingenuous. Instead, we across the industry should take this as a call to action, and a reason to do something positive. Open source isn’t the issue so much as the way we, as a community, have chosen to manage vulnerabilities and disseminate the fixes. We’re all in this together, and a little coordination could go a long way toward the development of a vulnerability management mechanism that would obviate many of an attacker’s opportunities to take advantage of unremediated issues.
As 2022 dawns, we have the opportunity to learn from these events and develop wisdom that guides us toward a more resilient cyberspace. Our collective challenge is to develop methods to rapidly learn and turn that newfound knowledge into power. (Ipsa scientia potestas est indeed, Mr. Bacon.) It’s why we at United States Cybersecurity Magazine produce this publication. There’s so much all of us can do. We can write. We can develop the next generation of cyber talent. We can speak. We can offer community training. We owe it to our nation and to our future.
“We” includes YOU. Help us raise awareness about how cybersecurity is an essential component of American prosperity. Let us showcase your solutions to real problems.
We want you to use the magazine to give your company exposure. Contact us to submit articles and to sponsor our new Multi-Platform Publishing Portal. Let us market your company! Subscribe today, free, at www.uscybersecurity.net/subscribe; follow us on Twitter @uscybermag; and visit us on Facebook and LinkedIn at United States Cybersecurity Magazine.
The Cybersecurity industry deserves a voice of its own; hence, the United States Cybersecurity Magazine.