ZAG is actively working on identifying and patching integrated vendor systems and applications that leverage the Apache Log4j software.

What is the Log4j vulnerability?

Log4j is “very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information,” according to a bulletin from the Cybersecurity & Infrastructure Security Agency (CISA).

The danger the Log4j vulnerability presents is that an unauthenticated remote actor could exploit this vulnerability to take control of an affected system. Since the software is open-source and widely used, the implications are broad.

What is ZAG doing?

The ZAG team are integrators that almost always manage systems produced by other software manufacturers. We are actively working to resolve these issues as the manufacturers release them. I am confident in saying that we have aggressively led this charge.

Here’s what we’re doing to protect our clients:

• Identifying vendor systems and applications that use the Apache Log4j code
• Patching vulnerabilities through updates released by individual vendors
• Deploying temporary security measures and workarounds released by vendors to protect clients until new versions of software are released

ZAG Business Applications encompass custom-built applications for clients to help streamline processes. The applications ZAG builds don’t rely on Log4j code, but it’s important to point out that any time you use a third-party tool or dependency, you add both the strengths and weaknesses of that solution into your environment. Understanding the risks and conducting your due diligence and business continuity planning goes a long way in preparing your business for potential vulnerabilities and risk.

How does ZAG approach security?

For more than 22 years, ZAG has viewed security as integral to the service we provide to clients. It’s central to the 200+ ZAG Standards that we’ve developed as a guide for our clients. However, it’s only half of the story.

It’s critical for ZAG to possess an advanced understanding of our internal systems as well as what the risk is when supporting our clients and adhering to best practices:

• We protect our clients by protecting our systems with multi-factor authentication (MFA) and SAML authentication.
• We take the approach that everyone will be breached. It’s not “if,” it’s “when,” so you must be prepared for it to happen.
• We practice our due diligence with third-party software and platforms that we leverage to protect and serve our clients, which means that we understand the underlying risks associated and proactively address them.
• We educate clients around the importance of user education with the goal of strengthening processes and behavior to better protect the environment.
• We strive to lower risk by lowering exposure. This means making sure that appropriate access levels are identified and executed, and ensuring critical data is protected.

Do you have additional questions about how ZAG is handling the Log4j vulnerability? Contact us here.