Soon after the worldwide leak in the Log4j logging software, a search was underway on TU Delft’s systems for vulnerable servers. How was it done?
At the end of December, a major leak in Log4j made the servers of almost all companies and institutions across the world vulnerable to break-ins by hackers. Log4j’s logging software is used by various web servers to record matters such as changes and error messages. The Ministry of Justice and Security’s National Cyber Security Center assigned the leak its highest classification: High/High. This means that both the chance of misuse and the severity of the potential damage are high. There are many servers at TU Delft, not only those managed by ICT, but also servers that are managed by research groups.
As soon as the report about the leak was received at TU Delft, ICT’s Computer Emergency Response Team (CERT) made an inventory which, according to Chief Information Security Officer Jérôme Zijderveld, showed that the impact was limited. “That same evening we took some precautions to intercept and block suspicious traffic, insofar as it was possible.” What precautions were these? For security reasons, Zijderveld does not answer this question directly.
Exploratory traffic
Despite the precautions, the CERT saw suspicious traffic clearly looking for potentially vulnerable servers all evening long. Zijderveld says now that it remained ‘exploratory traffic’. “Our systems are not compromised.”
This covers the servers managed by ICT. What about the servers managed by the research groups? To reach them, ICT contacted the server managers that are known to the Department. The day before the Christmas break, ICT also issued a call on intranet to scan your server and update it if necessary. But to what extent can the ICT Department see what is going on on these servers? Do they know how many there are, the level of safety risk they face, and whether they have all been updated? Zijderveld will only say that his Department “does not know as much about what is going on there as they do about the systems they manage themselves”.
Risk assessment
When the vulnerability issue was made known, some companies put their digital systems under lock and key. The Municipality of Almere preventively put their systems offline and the Chamber of Commerce suspended its services during Christmas. This was not needed at TU Delft. “Between the faculties and the colleagues at the ICT and FM Department we managed to get a good picture of what was going on and to do a good risk assessment so that we did not need to suspend our service provision.”
He also said that, as usual, ‘lessons learned sessions’ are being held to learn from this incident. He added that the Log4j incident did show CERT that the time between a vulnerability being made known and its misuse is becoming shorter. At some organisations the two actually happened simultaneously.