The Log4j vulnerability has sent shockwaves far beyond the security community over the past week. However, less publicized but similar in nature events happen very frequently, making vulnerability remediation a continuous effort. How do you quickly detect and mitigate the risk from a vendor or any third party component if an event like a zero day vulnerability happens mid-cycle in your relationship?
Traditionally, organizations perform initial third party risk assessments and due diligence before engaging with a vendor, and use those findings to make an informed decision. Once they fully understand their vendor’s security posture, and if they choose to engage, they monitor risk across different domains according to their risk appetite.
This is usually accomplished with either manual, ad hoc processes, or with dedicated third party risk management tools (TPRM) that allow for automation, customization, increased visibility and efficiency.
Given that anything can happen after you sign a contract with a vendor and share your data with them —including a global pandemic—, point-in-time assessments are not enough.
Mid-cycle events can happen after the initial third party risk assessment or beyond the annual reassessment. What happens in between those traditional assessment cycles is equally important, but is often overlooked.
There are two best practices that can help you stay ahead of mid-cycle events with your vendors:
1. Continuous Monitoring
Organizations complement TPRM automation with continuous monitoring to have real-time alerts and intelligence on any security events that might call for additional measures during their relationship with a third party.
By performing ongoing and systematic monitoring of certain risk vectors, organizations are able to detect compliance and security issues in real time. When an event drops the score or standards on any particular vector, you’ll be immediately notified so you can take action.
These vectors can include anything from security and privacy ratings to data breach exposure, financial and geographical risk, application security, overdue security artifacts, and more.
Read More: Everything You Need To Know About Continuous Monitoring
2. Custom Questionnaires and Requirements
When a mid-cycle event disrupts your relationship with a vendor, you can simply ask if/how they are vulnerable and what actions they are taking. You can also update your requirements to request for specific compliance or reassurance evidence.
This might sound difficult, but you don’t actually have to email each and every single vendor in your ecosystem and ask. That’s what third party risk management tools are for!
Log4J Vulnerability: The Most Recent Reminder of The Impact of Zero Day Vulnerabilities
Last week, the Department of Homeland Security ordered federal agencies to “urgently eliminate” a security flaw that impacted an unknowable number of entities. The vulnerability resides in the open source Apache logging library Log4j, and it was dubbed one of the most serious of all time because it allows cybercriminals easy, password-free entry to a network.
The Log4J utility is one of the most widely used tools by developers to get reports of their code’s health or performance. In other words, it’s used for debugging or fixing issues that show up in the code developers are writing.
The vulnerability made headlines so quickly because it could be exploited by attackers to easily seize control of nearly everything from industrial control systems to web servers and consumer electronics.
“To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code,” WIRED reported. “From there they can load arbitrary code on the targeted server and install malware or launch other attacks.”
It’s difficult to know how many sites were affected by the Log4j vulnerability, as it’s so widely adopted. Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM have all found that at least some of their services were vulnerable.
It is said that this vulnerability will continue to wreak havoc across the internet for years to come. According to an independent researcher, “it will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”
So what’s there to do? Install the patch to update Log4j -any internet-facing server that’s vulnerable must be updated.
For some organizations, it may be hard to track down the vulnerable servers, as they don’t have a clear accounting of every program they use and the software components within each of those systems.
To help, the Cybersecurity and Infrastructure Security Agency (CISA) published an open-sourced log4j-scanner derived from scanners created by other members of the open-source community. This tool is intended to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
How Can ThirdPartyTrust Help You Mitigate the Log4J Vulnerability and Other Zero Days
ThirdPartyTrust is a third party risk management automation platform where enterprises and vendors connect to easily complete risk assessments, exchange security documentation, track, and monitor risks.
With flexible fit-for-purpose features, the tool adapts to help you stay ahead of zero days or sudden events like the Log4j vulnerability. The ability to rapidly create and distribute a simple questionnaire among your vendors to manage potential threats can make the difference between business as usual and business continuity issues.
ThirdPartyTrust has developed a brief Log4j Vulnerability Impact Questionnaire that customers can use:
Enterprise users doing TPRM may send out this new questionnaire to their vendors to assess their exposure and the potential impact on their own business. If a vendor is vulnerable, customers can ask for additional requirements and assurances right away, and easily track them. They can also update the category or change the classification of this vendor (i.e. more or less critical, more or less impactful for the business).
Vendors using the platform to respond to risk assessments may complete this new questionnaire as part of their security profile and share it proactively. This will show their customers that they take security seriously and are being diligent to mitigate any vulnerability.
With our network of enterprises and vendors connecting in a single platform, we create a smarter approach to third party risk assessments, where crowd-sourced security reviews drive increased efficiency and visibility.
Let us show you how ThirdPartyTrust can help you reduce risk and stay ahead of mid-cycle events. Talk to an expert today.
Looking for a TPRM tool?
This buyer’s guide can help you find the right tool that will put you on a path to auditable risk management and accelerate your journey to TPRM maturity.
Learn what makes a powerful tool on key aspects like trusted security ratings, operational improvements, integrations, pricing benefits, and industry-specific use cases.
