Log4j Vulnerability: 8 Questions to Ask Your Vendors

On December 9, 2021, security researchers announced a zero-day vulnerability, CVE-2021-44228, impacting the widely-used Apache Log4j Java-based logging library. Known as Log4Shell, the vulnerability can allow unauthenticated remote code execution and access to servers – in effect, a complete takeover of vulnerable systems.

Log4j is used in many cloud platforms, web applications and email services, meaning that there is a wide range of systems that could be at risk from the vulnerability. GitHub has published a list of vulnerable applications and systems, and security researchers report that cyber attackers are already making hundreds of thousands of attempts to exploit the vulnerability every minute.

Because it is deployed in millions of Java-based web applications worldwide, it is important for organizations to determine not only their internal attack surface, but also the risk they face from vulnerable third parties.

5 Best Practices to Accelerate Third-Party Incident Response

Prevalent recommends a comprehensive 5-step third-party risk management approach to be more proactive in determining future third-party vulnerability exposure.

1. Inventory third-party technology

The first step to discovering your exposure to a third-party vulnerability is to determine which vendors use what technologies. Whether determined passively through external scanning or actively via a dedicated internal assessment, the results should enable your organization to automatically create entity relationship maps by 4th party technology. With this capability, you can more clearly visualize technology concentration risk among your third parties, and quickly identify which vendors might be at risk in a security incident such as Log4Shell.

2. Issue targeted assessments to vulnerable third parties

The next step is to issue a dedicated risk assessment questionnaire to potentially vulnerable third parties. However, because of the complexity of most security incidents and the speed required to respond, you certainly don’t want to use a spreadsheet to collect this due diligence.

Instead, leverage a platform that automates the collection of third-party responses to a standard questionnaire, centralizes results in a single risk register, and provides easy-to-read reporting that shows which vendors are vulnerable and the status of their remediation plans.

3. Validate assessment results with external scanning

Considering the severity of the Log4Shell vulnerability and the consequences of a potential business disruption to you vendors, it is essential to validate results of the risk assessment by comparing vendor responses to externally observable risks such as possible malware in a vendor’s company IT infrastructure, or public-facing misconfigurations and other web vulnerabilities. This can be accomplished by correlating assessment findings with cyber scanning results in a single risk register that adds context to findings. The alternative is a labor-intensive manual scan of vulnerability databases – and you don’t have time for that!

4. Remediate and report

Once you have collected, analyzed and correlated vendor assessment responses, triage results to focus on those vendors with the highest-priority impact to your organization. The best third-party risk management solutions will offer vendor tiering to better understand which vendor is most critical; built-in remediation guidance for vendors; and regulatory and security framework-specific reporting templates to simplify the inevitable auditor request.

5. Continuously monitor for security incidents

Maintain a continuous feed of security incident news and updates. Look for an automated solution to accomplish this, since simply watching vendor RSS feeds or news sites will never provide the depth or context required to be more proactive in your response. Good data breach monitoring solutions include types and quantities of stolen data, compliance and regulatory issues, and real-time vendor data breach notifications.

Prevalent Can Help Accelerate Third-Party Incident Response

The Prevalent Third-Party Incident Response Service, is a solution that helps to rapidly identify and mitigate the impact of third party security incidents like Log4Shell by providing a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. Prevalent offers this solution as a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks and accelerating response to mitigate potential disruptions.

Next Steps to Address the Log4j Vulnerability

Use this questionnaire to determine the impact the Log4Shell vulnerability could have on your supplier ecosystem. Then, learn more about how Prevalent can help by downloading a best practices white paper or contact us for a demo!

Note to Prevalent customers: We are updating the Prevalent platform to include the above questionnaire. Prevalent’s cybersecurity team has kicked off an internal review of systems, applications, and suppliers over the weekend to assess potential vulnerabilities, and track mitigation and remediation steps. We’ll be providing details and advisories to our customers as the investigation continues. Please visit our customer support portal or contact your customer success manager for more details.