  • 1.  Log4j Zero Day Exploit - Vendor Response

    ATLIS Member
    Posted 12-15-2021 03:56 PM

    Last Friday, the cybersecurity community issued an alert for the Log4j vulnerability. This is a crucial vulnerability for which you should be reviewing your own risk assessment as well as the online vendors that you use.

    The Wall Street Journal reported this earlier in the week:

    Good Morning, CIOs. Big tech firms are scrambling to patch a flaw in a widely used piece of internet software. The bug, found in server software called Log4j, is easy to exploit and hard to block, experts tell The Wall Street Journal's Robert McMillan, and could be used by hackers to break into corporate networks.

    Why it's dangerous. The flaw, reported late last month to the all-volunteer Log4j development team, gives hackers a way of turning the log files that keep track of what users do on computer servers into malicious instructions that force the machine to download unauthorized software, giving them a beachhead on a victim's network.

    Heartbleed 2? Log4j is distributed free and its users are myriad, including Microsoft Corp., Apple Inc., International Business Machines Corp.'s Red Hat, Oracle Corp. and VMware Inc. It isn't the first time the open-source software has sparked security worries, the WSJ reports. In 2014, internet users world-wide were urged to reset their passwords after another issue, known as Heartbleed, was discovered in OpenSSL, an obscure yet similarly ubiquitous piece of internet software.

    Earlier this week, Daisy Steele (Catlin Gabel) shared a spreadsheet that Buck Crockett (Almaden Country Day School) has made into a public Google Sheet which multiple people have been updating throughout the week with the various different vendor responses. You can access this here:

    ISED Log4j Mitigation v1 12/13/2021

    As each of you finds new information, please take the time to contribute to this collaborative project.



    #ITSystemsandSupport
    #CybersafetyandDataSecurity

    ------------------------------
    Vinnie Vrotny
    Director of Technology
    The Kinkaid School
    vinnie.vrotny@kinkaid.org
    ------------------------------


  • 2.  RE: Log4j Zero Day Exploit - Vendor Response

    Board Member
    Posted 12-15-2021 04:17 PM
    Thank you, Vinnie, for sharing this resource. It will be an exceptional timesaver for all of us as we work to mitigate the potential fallout from this massive vulnerability. Another reason I am so grateful for the ATLIS community.

    Denise Musselwhite

    Chief Information Officer 

    Trinity Preparatory School
    5700 Trinity Prep Lane | Winter Park, FL 32792

    321-282-2507 | trinityprep.org






  • 3.  RE: Log4j Zero Day Exploit - Vendor Response

    ATLIS Member
    Posted 12-16-2021 08:55 AM
    Vinnie, 

    Thanks for this blog post. It's very important we address it.

    "What I'm most concerned about is the school districts, the hospitals, the places where there's a single IT person who does security who doesn't have time or the security budget or tooling," said Katie Nickels, Director of Intelligence at cybersecurity firm Red Canary. "Those are the organizations I'm most worried about -- small organizations with small security budgets."

    ------------------------------
    Theresa Jay
    Chief Information Officer
    Thayer Academy
    ------------------------------



  • 4.  RE: Log4j Zero Day Exploit - Vendor Response

    ATLIS Member
    Posted 12-17-2021 11:58 AM
    Thanks so much, Vinnie. Quick question: for the single-person IT departments, such as mine, and after looking through this amazing spreadsheet, I was able to see the severity of each vendor. I guess what I'm wondering is, besides leaning on vendors and their work on this issue, which I would assume they are all on top of if they need to be (maybe too much trust), what has been done internally by people? We are an entirely cloud-based school with its services/software/databases, so we are depending on all of the cloud services to have handled what they need to handle. Are there any other blind spots that we should be thinking about on end-user devices, firewalls, etc.?

    Thanks!

    ------------------------------
    Glen Worthing
    Director of Technology
    St. Anne's Episcopal School
    ------------------------------



  • 5.  RE: Log4j Zero Day Exploit - Vendor Response

    Posted 12-17-2021 05:11 PM
    Thanks, Vinnie!

    ------------------------------
    Jennifer Lamkins, Ed.D.
    Coordinator of Member and Technology Support Services
    she/her
    Northwest Association of Independent Schools
    5001 California Ave. SW (Ste. 112), Seattle, WA 98136
    Office: 206-323-6137
    Direct: 206-323-7005
    jlamkins@nwais.org
    ------------------------------