The Shared Assessments Program, the member-driven leader in third party risk assurance, has released a free Standardized Assessment Tool for the Log4j risk.
The tool incorporates a questionnaire that enables organizations to conduct urgently needed assessments of their third parties. Shared Assessments also advises organizations to share the tool with their vendors, partners and others with whom they exchange or receive digital content to gain a holistic and high level of understanding of their Log4j risks across the supply chain.
“A brief survey found that 52% of the risk management community say they are impacted by Log4j. However, risk analysts understand that the impact is much higher – experts are only at the early stages of assessing the actual impacts of the vulnerability,” said Ron Bradley, Vice President, Shared Assessments.
Log4j (Log for Java) is a Java library for logging error messages in applications using Apache software. Java is ubiquitous and Log4j is used across applications and systems with deep roots. The recently discovered vulnerability enables threat actors to bypass restrictions and gain access to any system remotely without using a password. This in turn can provide a pathway to install malware, exfiltrate data or conduct other malicious activities.
Also Read: Three Cybersecurity Practices that CISOs Need to Adapt in 2022
Log4j software updates are now available from Apache and updated frequently (link at bottom). However, many older software applications don’t use the current version of Log4j, placing organizations worldwide at continued and immediate risk. By mid-December, attacks exploiting this vulnerability exploded – jumping into the millions – averaging around a hundred exploits per minute.
Tom Garrubba, VP with Shared Assessments, said, “If you haven’t already, you need to immediately craft and distribute a notification to ALL your vendors asking them if they utilize any application that may be affected by this vulnerability. Next, make sure your internal IT organizations are familiar with the vulnerability and can inventory not just in-house applications that may potentially be affected, but to be on the watch for connecting network and system traffic for any irregular data extraction or movement from your networks and systems.
“For the standard user, the typical mantra of ‘change passwords; use MFA; etc.’ may provide temporary relief, but since this vulnerability is ingrained at the application level, the onus is on companies to propagate their software updates as soon as possible.”
For more such updates follow us on Google News ITsecuritywire News
