The tool incorporates a questionnaire that enables organizations to conduct urgently needed assessments of their third parties. Shared Assessments also advises organizations to share the tool with their vendors, partners and others with whom they exchange or receive digital content to gain a holistic and high level of understanding of their Log4j risks across the supply chain.
“A brief survey found that 52% of the risk management community say they are impacted by Log4j. However, risk analysts understand that the impact is much higher – experts are only at the early stages of assessing the actual impacts of the vulnerability,” said Ron Bradley, Vice President, Shared Assessments.
Log4j (Log for Java) is an open-source Java logging library maintained by the Apache Software Foundation. Java is ubiquitous, and Log4j is embedded in applications and systems with deep roots. The recently discovered vulnerability enables threat actors to bypass restrictions and gain remote access to affected systems without using a password. This in turn can provide a pathway to install malware, exfiltrate data or conduct other malicious activities.
Log4j software updates are now available from Apache and are updated frequently (link at bottom). However, many older software applications do not use the current version of Log4j, placing organizations worldwide at continued and immediate risk. By mid-December, attacks exploiting this vulnerability had exploded, jumping into the millions and averaging around a hundred exploit attempts per minute.
Tom Garrubba, VP with Shared Assessments, said, “If you haven’t already, you need to immediately craft and distribute a notification to ALL your vendors asking them if they utilize any application that may be affected by this vulnerability. Next, make sure your internal IT organizations are familiar with the vulnerability and can inventory not just in-house applications that may potentially be affected, but also watch connecting network and system traffic for any irregular data extraction or movement from your networks and systems.
“For the standard user, the typical mantra of ‘change passwords; use MFA; etc.’ may provide temporary relief, but since this vulnerability is ingrained at the application level, the onus is on companies to propagate their software updates as soon as possible.”
Standardized Scoping Tool for Assessing Log4j Risks
The Shared Assessments Log4j free questionnaire speeds and simplifies the process of conducting assessments. Key domains in the 24-point standardized questionnaire include:
- Application Security
- IS/IT Incident Management
- Logging and Monitoring
- System Patching
- Vulnerability Management
- Web Server Security
Nasser Fattah, North America Steering Committee Chair, Shared Assessments, said, “Vulnerabilities like Log4j, which is so pervasive, take the concept of 0-day to hours or minutes for cybercriminals to locate and exploit IT assets in the vast digital landscape. To exacerbate matters, it takes time for vendors to create security patches, as well as time for organizations to deploy security patches.
“We always advise organizations not to wait for a crisis like Log4j to implement/improve IT asset management inventory (‘How many of my IT assets have Log4j, and where are they sitting on my network?’), which is vitally important to prioritize patch deployment. The situation also affords the opportunity to evaluate the effectiveness of detection capabilities and patch deployment programs.”
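The asset-inventory question Fattah raises (“How many of my IT assets have Log4j, and where are they sitting?”) is, in practice, a file-system question: which jar, war and ear archives carry log4j-core, nested inside other archives or not, and at which version. The script below is an added example, not part of the Shared Assessments release or its questionnaire. It walks a directory tree, reads each archive's manifest, flags the presence of the JndiLookup class, and marks anything below a caller-supplied minimum version. Function names are hypothetical; the sample archives it scans are constructed in a temporary directory, and the default version threshold is a placeholder to be replaced with the fixed version listed on the Apache Log4j security page the release links to.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Added example, not code from the Shared Assessments tool. Function names are
# hypothetical; the JndiLookup class path is the one shipped in log4j-core and
# the manifest keys are standard JAR-manifest attributes.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_manifest(data: bytes) -> dict:
    """Parse META-INF/MANIFEST.MF, joining continuation lines (a leading space)."""
    attrs, last_key = {}, None
    for line in data.decode("utf-8", errors="replace").splitlines():
        if not line:
            last_key = None
        elif line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
        else:
            key, sep, value = line.partition(":")
            if sep:
                last_key = key.strip()
                attrs[last_key] = value.strip()
    return attrs


def version_tuple(version: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); non-numeric suffixes such as '-rc1' are dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_archive(zf: zipfile.ZipFile, location: str, min_version: str, findings: list) -> None:
    """Record a finding if this archive is a Log4j jar, then recurse into nested archives."""
    names = set(zf.namelist())
    manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF")) if "META-INF/MANIFEST.MF" in names else {}
    title = manifest.get("Implementation-Title", "") or manifest.get("Bundle-SymbolicName", "")
    has_jndi = JNDI_LOOKUP_CLASS in names  # stronger signal than the title alone
    if "log4j" in title.lower() or has_jndi:
        version = manifest.get("Implementation-Version", "unknown")
        outdated = version == "unknown" or version_tuple(version) < version_tuple(min_version)
        findings.append({"location": location, "title": title, "version": version,
                         "jndi_lookup_present": has_jndi, "outdated": outdated})
    for name in names:  # jars bundled inside wars/ears are the ones inventories miss
        if name.endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                inspect_archive(inner, f"{location}!/{name}", min_version, findings)


def inventory_log4j(root: str, min_version: str) -> list:
    """Walk a directory tree and list every Log4j archive, flagged if below min_version."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                inspect_archive(zf, str(path), min_version, findings)
    findings.sort(key=lambda f: (version_tuple(f["version"]), f["location"]))
    return findings


def _make_jar(title: str, version: str, with_jndi: bool) -> bytes:
    """Constructed sample jar: a manifest plus an optional JndiLookup class stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
                    f"Implementation-Version: {version}\r\n\r\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo_inventory(min_version: str = "2.17.0") -> list:
    """Scan a constructed tree: an old stand-alone jar, a newer jar nested in a war, an unrelated jar.
    The default threshold is a placeholder; use the fixed version from the Apache security page."""
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root, "app", "lib")
        lib.mkdir(parents=True)
        (lib / "log4j-core-2.14.1.jar").write_bytes(_make_jar("Apache Log4j Core", "2.14.1", True))
        (lib / "commons-text.jar").write_bytes(_make_jar("Apache Commons Text", "1.9", False))
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core.jar", _make_jar("Apache Log4j Core", "2.17.0", False))
        Path(root, "webapp.war").write_bytes(war.getvalue())
        return inventory_log4j(root, min_version)


if __name__ == "__main__":
    for finding in demo_inventory():
        print(finding)
```

Pointing inventory_log4j at real application roots gives a list that answers the “how many and where” question directly; the nested-archive recursion matters because a vulnerable log4j-core inside a deployed war does not show up to a scan that only looks at top-level file names.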
Availability: Please visit https://sharedassessments.org/log4j/ to download the free, immediately available tool and for additional information.
Additional resources include the Shared Assessments blog post “HO! HO! Oh NOOOO! The Log4j Vulnerability,” which provides a clear, concise overview of the problem. Shared Assessments also urges cyber and IT professionals to stay abreast of the latest Log4j developments by visiting the Apache Log4j Security Vulnerabilities page.
Shared Assessments has posted a free, on-demand fireside chat webinar recording led by industry security professionals on the looming risk of Log4j and how to assess the internal attack surface. The discussion answers pressing questions such as: “What is Log4j?,” “What does it mean to me and my team?,” “How should I bring this up to my vendors?,” and most importantly, “What should we do next?”
About the Shared Assessments Program
As the only organization that has uniquely positioned and developed standardized resources to bring efficiencies to the market for more than a decade, Shared Assessments has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects. Join the dialog with peer companies and learn how you can optimize your compliance programs while building a better understanding of what it takes to create a more risk-sensitive environment in your organization. For more information, visit https://sharedassessments.org/.
Madison Alexander PR, Inc.