What did I learn from the Log4j vulnerability? 🐛

Firstly, if you are not 100% sure what Log4j is, you might find this article from the NCSC interesting: https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know.

When the Log4j vulnerability was announced, there was a lot of scrambling at Italik and among some of our customers as we tried to ascertain whether we were impacted by it or not. Thankfully, the NCSC started a GitHub page listing all known software vendors that were impacted by Log4j: log4shell/software at main · NCSC-NL/log4shell (github.com). We kept a very close eye on this list, and also contacted all of our main software vendors to ensure that they were doing everything they could to establish whether they were impacted.

🎯 How were Italik & our customers impacted by Log4j?

It turns out that the vast majority of our customers were not impacted by Log4j, but we did find a couple of areas that were impacted internally within Italik as some of the existing software stacks that we use were vulnerable.

We found the information within the NCSC GitHub page (linked above), and we also use a tool that we resell called RocketCyber, which is a SOCaaS tool: SOCaaS | Italik IT Consultancy. A small, lightweight agent deployed on all of our endpoints triggered a few alerts for vulnerable software stacks, some that we were already aware of and some that we weren't. For example, I had the PowerAutomate app installed from the Windows Store on my Windows 11 laptop, and that was detected as being vulnerable. Having never used the app, I immediately removed it from my laptop and deleted the vulnerable files that were found. Having a tool like RocketCyber gives me peace of mind that our estate is safe from the Log4j vulnerability, and it was reassuring to have the tool confirm what we already knew about the vulnerable software.
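As an added example (not code from this post or from RocketCyber), here is a Python check of the kind an endpoint agent runs to find vulnerable Log4j files: it walks a directory for log4j-core jars and flags those that both predate the fixed release and still contain JndiLookup.class. The version threshold and the sample jars it builds are assumptions constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# log4j-core builds older than this still ship the JNDI lookup behaviour
# (threshold assumed from the public Log4Shell advisories, not from the post).
FIXED_VERSION = (2, 16, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def inspect_jar(jar_path):
    """Return (version, has_jndi_lookup) for a log4j-core jar, else None."""
    m = NAME_RE.search(jar_path.name)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    with zipfile.ZipFile(jar_path) as zf:
        return version, JNDI_CLASS in zf.namelist()

def scan_tree(root):
    """Walk a directory and list every log4j-core jar that still needs action."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        info = inspect_jar(jar)
        if info is None:
            continue
        version, has_jndi = info
        # Flag a jar only if it predates the fix AND JndiLookup.class is still
        # inside it (removing that class was the published interim mitigation).
        if version < FIXED_VERSION and has_jndi:
            findings.append((str(jar), version))
    return findings

def build_sample_tree():
    """Create constructed sample jars (not real Log4j builds) for an offline demo."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "app/lib/log4j-core-2.14.1.jar": True,   # old release, class present
        "app/lib/log4j-core-2.10.0.jar": False,  # old release, class stripped out
        "tool/lib/log4j-core-2.17.1.jar": True,  # patched release
        "tool/lib/log4j-api-2.14.1.jar": True,   # api jar, not log4j-core
    }
    for rel, include_class in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if include_class:
                zf.writestr(JNDI_CLASS, b"")
    return root
```

Jars that have been renamed, or that sit nested inside a .war or .ear, are not unpacked by this check, so treat it as a first pass alongside the vendor list rather than a complete inventory.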

For our customers, the main issue with the Log4j vulnerability was due to the Cisco ISE product set being vulnerable. As soon as a patch was released, we then got on with the long task of upgrading ISE to the appropriate release.

📖 What have I learnt from Log4j?

Well, to be honest, I think we could have coordinated our communication with customers more coherently. We had several customers asking the same question about Log4j and whether they were vulnerable, which resulted in our Helpdesk being inundated with service desk tickets. One thing we have done on the back of this is to create an advisories page so that we can put out notices like the Log4j security incident instantly, and our customers will know where to look for any updates. This will be used to publish what we are doing internally and how it impacts our customers. The result is that it should improve the customer experience, and hopefully give the customer an ongoing runbook of what has occurred.

Italik is a security-focused MSP, and one thing we take seriously is the security of our internal systems and our customers, which is one reason why we take a layered approach to security. Having multiple tools like RocketCyber and Webroot AV + Web Filtering means that we can ensure that all endpoints are secure, and if there is an incident, we can reactively look back through device logs within tools like RocketCyber.

If you want to find more information on SOCaaS, then head over to our page here: SOCaaS | Italik IT Consultancy. We also have a YouTube video available if you want a quick 15 minute demo of the solution: https://youtu.be/fPX42XIlIXk