Home Framework Best Practices for Applying the Essential Eight Framework to Java Security

Best Practices for Applying the Essential Eight Framework to Java Security


Part 1. The Eight Essentials Maturity Model

The Essential Eight is a maturity model for improving data security developed by the Australian Cyber ​​Security Center (ACSC) as the foundation of its strategies for mitigating cybersecurity incidents.

The Essential Eight is designed to protect Internet-connected networks based on Microsoft Windows, but can also be applied to cloud services, enterprise mobility, and other operating systems.

When implementing the Essential Eight, organizations should identify a target maturity level of zero to three (summarized below) appropriate to their environment.

Maturity level Summary
Zero Weaknesses in an organization’s overall cybersecurity posture, compromising the confidentiality of its data, or the integrity or availability of systems and data.
A Adversaries simply take advantage of widely available commodity trade to gain access and control over systems, for example, opportunistically using a publicly available exploit for a security vulnerability in an unpatched internet service.
Of them Adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. They can make better attempts to bypass the security controls implemented by a target and evade detection.
Three Adversaries can exploit opportunities presented by weaknesses in their target’s cybersecurity posture, such as the existence of older software or inadequate logging and monitoring. Opponents quickly use exploits when they become publicly available.

The first of the ACSC’s core guidelines in Essential Eight is security vulnerability assessment and patching, which “is critical to keeping systems secure.”

ACSC Guidelines on Basic Security Vulnerabilities to Mitigate Cyber ​​Threats:

  1. Apply the hotfix within 48 hours of exposure.
  2. Supports tightly coupled and uncoupled software versions.
  3. Analyze vulnerabilities.

Part 2. The Log4j Vulnerability

Threats abound, as evidenced by the Log4j, aka Log4Shell, vulnerability that exploded into global consciousness last December. Log4j is not part of Java itself. It is a software library providing logging functionality used as a basic building block in application development, hence simply inserted as a block of code by developers into millions of products.

Because the Log4j vulnerability is so widespread, so severe (a rare score of 10.0, the highest possible), and so trivial to exploit (via a remote copy-and-paste line of code), it represents “the most worse than I’ve seen in my decades of career,” said Jen Easterly, director of security for the US Cybersecurity and Infrastructure Security Agency.

“If left unchecked,” says the ACSC, “malicious cyber actors can take control of vulnerable systems; steal personal data, passwords and intellectual property; and install malware such as backdoors for future access, cryptocurrency mining tools, and ransomware.

Part 3. The Critical Choice of Java Vendor

Java, given its large (over 9 million developers worldwide) and mature (nearly 27 years since its inception) footprint in the computing landscape, will play an outsized role in any application of the Essential Eight framework. To ensure that the Java platform is as secure as possible, it is essential to install updates quickly when necessary.

What updates, from whom? There are two types of patch updates for Java, and it’s important to understand the differences in what they are, where you can get them, and when they should be applied.

CPUs and PSUs

Every quarter, new Java vulnerabilities are discovered and released, along with their fixes, in both Critical Patch Updates (CPUs) and Patch Set Updates (PSUs).

  • CPUs are security-only updates that, as defined by Oracle, “contain fixes to security vulnerabilities and fixes critical bugs.” The two key words here are security and critical. These updates should therefore be deployed immediately.
  • PSUs contain all relevant processor fixes plus additional non-critical fixes. Companies often postpone rolling out these updates until they are fully approved by the community.

Where can you get these updates? One option is a free version of OpenJDK. Free may sound appealing, but be warned:

Did you know that every free version of OpenJDK only contains power supplies?

And PSUs, as just mentioned, shouldn’t be deployed immediately to fix a vulnerability. So a free OpenJDK will leave you exposed.

Did you know that security-only patches are only available from Oracle and Azul?

There are other commercial Java vendors, but from a security perspective you have the choice between Oracle and Azul.

Did you know that Azul has been using Java longer than Oracle?

Azul, the only 100% Java and JVM-centric company, has been supporting Java deployments for over 19 years.

Did you know that Azul supports more Java versions than Oracle?

If you are using Java 6 or 7, you will not have access to Oracle support, no matter how much you pay them for a Java SE subscription. Oracle is ending support for Java 7 in June 2022 and does not provide support for Java 6.

Did you know that Azul costs up to 70% less than Oracle?

You want to know more ?

For a more in-depth look at the Essential Eight vulnerability, Log4J, and the differences between Oracle and Azul solutions, download a free white paper that explains it all: Essential Eight: Assessing Security Vulnerabilities and Applying Patches for Java.

Image credit: ©stock.adobe.com/au/denisismagilov