

What To Know About the Log4j Vulnerabilities

You’ve likely heard about the Log4j vulnerabilities, which have been in the news. Log4j is used in numerous systems to log security and performance details, and these vulnerabilities could allow a bad actor to gain remote control of an affected system. Patches have been released to address these issues, and your IT staff or vendors may have already applied some of the necessary fixes.

If you are unfamiliar with Log4j or need support and resources, the Cybersecurity & Infrastructure Security Agency (CISA) has created a web page related to this vulnerability and recommends reviewing their Apache Log4j guidance. CISA has also created an inventory of information from vendors about how their systems are impacted by this vulnerability, and this inventory will be updated as additional information is released. It is important for someone in your organization to evaluate your internal systems and take immediate action if this vulnerability is detected.

In addition to addressing the issue by applying a patch, there are several things to remember.

Patching the vulnerability does not fix everything if you were already compromised. Zero-day vulnerabilities, like this one, are disclosed when there is not yet a fix for the issue. While many patches for this issue were released quickly, there was a period when all impacted systems were vulnerable, and bad actors aim to capitalize on these vulnerabilities quickly.

We advise all organizations that were impacted to remember that there is an incident response component to all zero-day vulnerabilities. You should investigate the impact on your systems prior to the patch to identify any areas of compromise that must be mitigated accordingly.

Many organizations rely on third parties and vendor-developed software, which means there is a vendor management aspect to this vulnerability. You may not know of any systems in your environment that are directly impacted by Log4j; however, if you have implemented systems developed by a vendor that are affected by this vulnerability, this could impact you and the data you store within those systems. We recommend that all organizations coordinate with relevant vendors to determine the impact on their environment, if any.

It’s also important to consider any remote workers in your organization. The widespread impact of Log4j, which includes consumer Internet of Things (IoT) devices such as security cameras and smart speakers, could pose a risk to business systems being used in your employees’ homes. Employee cybersecurity training and clear acceptable use policies are important defenses.

Finally, zero-day vulnerabilities will remain a part of our future, unfortunately. Once you have resolved the Log4j vulnerability, we recommend using this experience to evaluate the sufficiency of your existing policies and procedures. If deemed insufficient or if there were gaps in the process, it may be time to revisit your vulnerability management and incident response plans to ensure you can address similar issues promptly in the future.

If you have questions about the Log4j vulnerabilities or other cybersecurity issues, please contact us at [email protected].



Allison Davis Ward

Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.
