Old Software, New Problems

Published in the January 7, 2022 Morning Cybersecurity Newsletter

Politico writer Sam Sabin sat down with GuidePoint Security’s Matt Keller on the challenges some federal agencies are having with patching security flaws in Log4j due to the fact that they’re still running software so outdated it’s incapable of receiving security updates.

While CISA has stated that all civilian agencies have plans in place to mitigate the Log4j flaws, GuidePoint Security’s vice president of federal service, Matt Keller, told Morning Cybersecurity that several agencies are struggling to patch some of their systems “because they have a ton of end-of-life and end-of-support systems connected to the[ir] network.”

Most of the legacy systems that have tripped agencies up are Linux-based systems that incorporate the Java programming language in some way (which is where the Log4j code is most likely to be found), Keller said. Those systems include security sensors and data storage systems,meaning the types of legacy systems affected “could vary across the board from all kinds of different technology and solutions.”

Keller said it could take months for agencies to replace these legacy systems — both because it can take months to go through the federal government’s procurement process and because it will take significant time to replace some of these systems, considering how integral they are to their agencies’ day-to-day operations.

Keller added that “most of the organizations have created a tiger team to hunt down” affected systems, and he said if agencies have mitigation steps in place, the remaining unpatched Log4j flaws must not be “as much [of] a ‘your hair’s on fire’ type of thing.”