Log4j
What is Alibaba
In 2017, this Credit monitoring firm disclosed a July data breach that revealed 143 million people’s full names, social security numbers, birth dates, home addresses and driver’s license numbers, as well as 209,000 credit card numbers.
Who is Equifax?
This deceptively simple attack relies on the assumption that some developers will not catch a typo in a component's name before downloading the malicious code
What is typoquatting?
In a January, 2022 statement, this organization stated that it "intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future."
What/Who is the Federal Trade Commission (FTC)?
SCA
What is "Software Composition Analysis?"
The date CISA released its first Log4j advisory
What is December 10, 2021
December 2021. A cyberattack on this country's Ministry of Defense forced part of its computer network, including the ministry’s mail system, to shut down for several days. Hackers exploited the Log4j vulnerability to compromise the network.
What is Belgium?
A close cousin to typosquatting, this attack spoofs the name of a popular package to bait developers into downloading the erroneous package.
What is brand-jacking?
Published May 12, 2021, this document charges multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
What is Executive Order 14028 (Improving the Nation's Cybersecurity)
SBOM
What is "Software Bill of Materials"
As of December 1, 2022, this percentage of Log4j downloads from Maven Central continue to be vulnerable versions
What is 35%
December 2020. Over 200 organizations around the world—including multiple US government agencies—were revealed to have been breached by Russian hackers who compromised this software provider and exploited their access to monitor internal operations and exfiltrate data.
Who is SolarWinds?
This attack relies on an adversary gaining access to the source code of a library to modify and insert malicious code into an otherwise valid project
What is malicious code injection?
This organization, whose board includes Brian Fox of Sonatype, recently briefed the White House on ways to advance open source security for all.
What is OpenSSF (Open Source Security Foundation)
RCE
What is Remote Code Execution
In July, 2022, The Cyber Safety Review Board labeled Log4j as an ________ vulnerability that will linger for years...
What is endemic
In 2022, this mobile phone provider agreed to pay $350 million to settle claims related to a 2021 data breach that impacted over 76 million customers
Who is T-Mobile?
This form of attack relies on publishing internal package names with an abnormally high version number to attack organizations who always download the latest version of a component
What is Dependency Confusion?
This committee, established from direction given by President Biden, acts to review significant cyber incidents and provide "advice, information, or recommendations for improving cybersecurity and incident response practices and policy."
What is CSRB (Cyber Safety Review Board)
SDLC
What is "Software Development Lifecycle"
According to a recent Tenable study, reintroduction of vulnerable Log4j occurred in this percentage of assets AFTER full remediation had been achieved
What is 29%
In 2021, a tool from this San Francisco software development firm was compromised, allowing attackers to gain restricted access to hundreds of networks belonging to its customers - including IBM and Hewlett Packard.
What is CodeCov?
This type of attack leaves no installed footprint and runs directly from your RAM, making it harder to detect and prevent
What is fileless malware
According to CSRB, one federal cabinet department reported dedicating this amount of time to Log4j vulnerability response to protect the department's own networks
What is 33,000 hours
CI/CD
What is "Continuous Integration/Continuous Delivery"