
The Log4j vulnerability has been making headlines recently as a major business continuity risk. This article will focus on what we are doing in response to the Log4j vulnerability and what organizations need to do in order to mitigate the risk of a cyberattack.
MSPs are working hard to help organizations identify and mitigate the risk of a cyberattack. In order to do so, MSPs are collaborating with suppliers, security partners, and security teams to help answer these tough questions. Businesses should work with their MSPs to develop a plan for overcoming these challenges.
What is Log4j, and what is the Log4j vulnerability?
Log4j is a Java logging library used for writing logs from applications. It has been in use for over a decade and is popular for its simple API and wide range of features. A recent critical vulnerability was disclosed in Log4j that allows an attacker to execute code remotely. The vulnerability is caused by a deserialization vulnerability in the Log4j library that allows an attacker to send a specially crafted message to an application using Log4j and execute code on the host running it.
Why should businesses be concerned?
This vulnerability is serious because it could allow an attacker to take over the machine running the vulnerable application and execute code on it. From there, the attacker could access sensitive data or even take control of the organization’s systems.
What questions should businesses be asking?
1) Can your business quickly identify the impact and severity of new vulnerabilities?
2) Does your business have a strong business continuity plan (BCP) and crisis response?
3) Are you vulnerable to supply chain attacks?
4) Can you quickly identify and isolate compromised systems?
5) Is your organization doing everything possible to protect its systems from attack?
When new vulnerabilities seem to be discovered daily, it is more important than ever for businesses to take a proactive approach to information security. Vulnerability scanning and patch management are essential, but they are only part of the solution. Businesses also need to have a comprehensive incident response plan in place in case of an attack.
Action Steps for Businesses
Organizations using Log4j should update to the latest version of Log4j as soon as possible to mitigate this vulnerability.
When updates are available, agencies must update software using Log4j to the newest version, which is the most effective and manageable long-term option. Where updating is not possible, the following mitigating measures can be considered as a temporary solution and applied to the entire solution stack.
- Disable Log4j library. Disabling software using the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues.
- Disable JNDI lookups or disable remote codebases. This option, while effective, may involve developer work and could impact functionality.
- Disconnect affected stacks. Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks.
- Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network.
- Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts.
- Apply a micropatch. There are several micropatches available. They are not part of the official update but may limit agency risk.
- Report incidents promptly to CISA and/or the FBI.
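To make the first two steps measurable, here is an added example (not Biztek’s, Datto’s or CISA’s tooling) that walks a directory tree, finds log4j-core jars, reports their version, and checks whether each still contains the JndiLookup class that the “disable JNDI lookups” mitigation removes. The two sample jars it inspects are constructed in a temporary directory, so it runs offline; the directory names and the version string 2.14.1 are assumed sample values.

```python
import os
import re
import tempfile
import zipfile

# Class the "disable JNDI lookups" mitigation removes from log4j-core jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")

def inspect_jar(path: str) -> dict:
    """Report the jar's version (from its file name) and whether JndiLookup is inside."""
    m = JAR_NAME.match(os.path.basename(path))
    version = m.group(1) if m else "unknown"
    try:
        with zipfile.ZipFile(path) as zf:
            present = JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        present = None  # unreadable jar: flag for manual review rather than guessing
    return {"path": path, "version": version, "jndi_lookup_present": present}

def scan_tree(root: str) -> list:
    """Walk a directory tree and inspect every log4j-core jar found, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root: str) -> None:
    """Constructed sample: app1 ships an unmodified jar, app2 has JndiLookup removed."""
    for app, with_jndi in (("app1", True), ("app2", False)):
        lib = os.path.join(root, app, "lib")
        os.makedirs(lib, exist_ok=True)
        with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def demo_scan() -> list:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for f in demo_scan():
        label = {True: "NEEDS ACTION", False: "mitigated", None: "check manually"}[f["jndi_lookup_present"]]
        print(f"{label:14} log4j-core {f['version']}  {f['path']}")
```

A “mitigated” result only means the JNDI lookup class is gone; the version column is what you compare against vendor guidance when deciding whether the jar still needs the full update.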
Learn More: CISA Mitigation Guidance
Biztek’s Response to Log4j Vulnerabilities
Within 24 hours of Log4j becoming known, our team was participating in community events to increase our knowledge and become aware of what we needed to do to protect our clients. With the help of ThreatLocker, RocketCyber, and Datto, we rapidly identified vulnerable applications using one of our tools, ringfenced them, updated, patched, or uninstalled vulnerable applications, and worked with customers to keep them aware and up to date on the steps needed to keep their environments safe.
Datto
MSPs can now use their RMM to scan customers’ systems for the latest ransomware variants and to protect those systems from ransomware attacks.
Datto, a provider of backup, disaster recovery (BDR), and business continuity solutions for small and medium-sized businesses (SMBs), has released both a Datto RMM component for its partners and a community script for all MSPs. Both use the reach of the RMM to identify systems that are potentially vulnerable and systems that may already have been attacked.
Learn More: Datto releases Log4Shell RMM component for Datto partners and MSP community
ThreatLocker
Fortunately, ThreatLocker is a zero-trust platform, which means that it blocks any potential vulnerabilities or exploits before they can cause any harm. ThreatLocker also uses “ringfencing” to block applications from communicating with other applications on a system unless permitted. As a result, ThreatLocker was able to protect users from the Log4j vulnerability and keep their systems safe.
Why is a zero-trust platform important? A zero-trust platform is important because it provides an extra layer of security that can help protect users from even the most sophisticated attacks. By automatically blocking any potential vulnerabilities or exploits, a zero-trust platform can help keep users safe from harm.
RocketCyber
RocketCyber is a Security Information and Event Management (SIEM) service that uses both AI and human intelligence to monitor alerts, logs, and vulnerabilities on systems.
The RocketCyber platform helps MSPs quickly detect and respond to threats across endpoints, networks, and cloud attack vectors. It does this by delivering round-the-clock monitoring to identify malicious and suspicious activity that might otherwise evade traditional cyber defenses.
In addition to detecting threats, it also provides MSPs with the ability to:
- Manage security posture and compliance for their customers
- Generate real-time reports on security incidents and performance
- Deliver a consolidated view of security state across customers
Conclusion
Biztek Solutions is here to help organizations overcome these challenges. We have the expertise and experience to help businesses develop a strong cybersecurity plan that will protect them from potential cyberattacks.
With the use of these three tools, Biztek was able to successfully identify and mitigate any Log4j vulnerabilities across its client base. Contact us today to learn more.
Does your business have a strong business continuity plan (BCP) and crisis response?
Has your business adopted Zero Trust security practices?
Call 951-338-6189 to schedule a Discovery Call to assess your needs or schedule a virtual appointment.
About Biztek Solutions, Inc.
Since 2006, our core value has been to provide the highest level of client satisfaction when delivering IT support for client networks, computers, servers, and cybersecurity. We are the #1 IT support services and consulting firm in Riverside and service clients throughout the Inland Empire, Los Angeles, Orange County, and the surrounding areas.