Shared Assessments Releases Free Standardized Tool for Assessing Log4j Risks

December 22, 2021 TechDecisions Staff

SANTA FE, N.M.--(BUSINESS WIRE)--The Shared Assessments Program, the member-driven leader in third party risk assurance, has released a free Standardized Assessment Tool for the Log4j risk.

The tool incorporates a questionnaire that enables organizations to conduct urgently needed assessments of their third parties. Shared Assessments also advises organizations to share the tool with their vendors, partners and others with whom they exchange or receive digital content to gain a holistic and high level of understanding of their Log4j risks across the supply chain.

“A brief survey found that 52% of the risk management community say they are impacted by Log4j. However, risk analysts understand that the impact is much higher – experts are only at the early stages of assessing the actual impacts of the vulnerability,” said Ron Bradley, Vice President, Shared Assessments.

Log4j (Log for Java) is a Java library for logging error messages in applications using Apache software. Java is ubiquitous and Log4j is used across applications and systems with deep roots. The recently discovered vulnerability enables threat actors to bypass restrictions and gain access to any system remotely without using a password. This in turn can provide a pathway to install malware, exfiltrate data or conduct other malicious activities.

Log4j software updates are now available from Apache and updated frequently (link at bottom). However, many older software applications don’t use the current version of Log4j, placing organizations worldwide at continued and immediate risk. By mid-December, attacks exploiting this vulnerability exploded – jumping into the millions – averaging around a hundred exploits per minute.

Tom Garrubba, VP with Shared Assessments, said, “If you haven’t already, you need to immediately craft and distribute a notification to ALL your vendors asking them if they utilize any application that may be affected by this vulnerability. Next, make sure your internal IT organizations are familiar with the vulnerability and can inventory not just in-house applications that may potentially be affected, but to be on the watch for connecting network and system traffic for any irregular data extraction or movement from your networks and systems.

“For the standard user, the typical mantra of ‘change passwords; use MFA; etc.’ may provide temporary relief, but since this vulnerability is ingrained at the application level, the onus is on companies to propagate their software updates as soon as possible.”

Standardized Scoping Tool for Assessing Log4j Risks

The Shared Assessments Log4j free questionnaire speeds and simplifies the process of conducting assessments. Key domains in the 24-point standardized questionnaire include:

  • Application Security
  • IS/IT Incident Management
  • Logging and Monitoring
  • System Patching
  • Vulnerability Management
  • Web Server Security

Nasser Fattah, North America Steering Committee Chair, Shared Assessments, said, “Vulnerabilities like Log4j, which is so pervasive, take the concept of 0-day to hours or minutes for cybercriminals to locate and exploit IT assets in the vast digital landscape. To exacerbate matters, it takes time for vendors to create security patches, as well as time for organizations to deploy security patches.

“We always advise organizations not to wait for a crisis like Log4j to implement/improve IT asset management inventory (‘How many of my IT assets have Log4j, and where are they sitting on my network?’), which is vitally important to prioritize patch deployment. The situation also affords the opportunity to evaluate the effectiveness of detection capabilities and patch deployment programs.”

Availability: Please visit https://sharedassessments.org/log4j/ to download the free, immediately available tool and for additional information.

Additional resources include: The Shared Assessments blog “HO! HO! Oh NOOOO! The Log4j Vulnerability,” which provides a clear, concise overview of the problem. Shared Assessments also urges cyber and IT professionals to stay abreast of the latest Log4j developments by visiting the Apache Log4j Security Vulnerabilities page.

Shared Assessments has posted a free, on-demand fireside chat webinar recording led by industry security professionals on the looming risk of Log4j and how to assess the internal attack surface. The discussion answers pressing questions such as: “What is Log4j?,” “What does it mean to me and my team?,” “How should I bring this up to my Vendors?,” and most importantly, “What should we do next?”

About the Shared Assessments Program

As the only organization that has uniquely positioned and developed standardized resources to bring efficiencies to the market for more than a decade, Shared Assessments has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects. Join the dialog with peer companies and learn how you can optimize your compliance programs while building a better understanding of what it takes to create a more risk-sensitive environment in your organization. For more information, visit https://sharedassessments.org/.

Contacts

Dan Chmielewski

Madison Alexander PR, Inc.

714-832-8716

C: 949-231-2965

dchm@madisonalexanderpr.com
