Information Security


Log4J Vulnerability

  • 1.  Log4J Vulnerability

    Posted 12-12-2021 03:25 PM
    Curious what activity is happening in organizations around the Log4J vulnerability from last week. We've been 'all Info Sec hands on deck' this weekend, but there hasn't been much chatter in third party risk circles (unless I missed them). Our focus has been on internal systems, and on Monday we'll shift to supplier/third party communications and next steps. Just curious if others are taking a similar approach or if there are more widespread TPR implications that just haven't hit the web yet. Thoughts?


  • 2.  RE: Log4J Vulnerability

    Posted 12-15-2021 08:20 AM
    Hi Dave, we reached out to all of our vendors rated as operationally critical with high data risk on Monday, following a similar path, it sounds like, to your organization. We document the responses and work with the InfoSec team to share information and updates. About 1/2 have reported that they either were not using a vulnerable instance of Log4j or that they were but have not identified any exploits. The remainder are in the process of completing their reviews, so we are actively monitoring.

    I am curious how you, or others in the group, handle public or public/private entities such as the regional Federal Reserve Banks and Fannie/Freddie. We have not found a good method to obtain status or information relating to possible security threats, unless we have a connection in the organization, and their reporting requirements don't appear to be the same.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 3.  RE: Log4J Vulnerability

    Posted 12-15-2021 08:27 AM
    Good Morning Shelly,

    Fannie Mae is aggressively assessing our internal and external impacts from the Log4j event. If you would like information on the status of our efforts for this cyber event, or future events, please email us at [Email removed by Community Manager for privacy reasons. Message the community member directly for email]. As is typical, we have a standard message at the ready that we are happy to share.

    Heather

    ------------------------------
    Heather Flewallen
    Director, Third Party Risk Management
    Fannie Mae
    ------------------------------



  • 4.  RE: Log4J Vulnerability

    Posted 12-15-2021 08:52 AM
    Thanks so much Heather- that is extremely helpful!

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 5.  RE: Log4J Vulnerability

    Posted 12-15-2021 09:04 AM
    At FHLB SF, the weekend was internally focused on identification/assessment and patching. Monday was vendor-focused on all Critical and High IT service providers. Impact assessment and mitigation questionnaire sent; ~75% response rate so far. Of those, about 1/3 not impacted at all, 2/3 patch deployed, and 1/3 still assessing impact but at the moment no impact.

    Many of the vendors declined the questionnaire and provided canned responses, and the big guys like Workday, Oracle, etc. sent us to their public Log4j Security Blog page for assessment and continued updates.

    Hope this helps

    - Dave


  • 6.  RE: Log4J Vulnerability

    Posted 12-17-2021 03:53 PM
    Are you willing to share the questionnaire that you sent out?


  • 7.  RE: Log4J Vulnerability

    Posted 12-17-2021 04:51 PM

    Ashley –

    If you send a note to security-compliance AT Infoblox DOT com, I can send you a copy of the email message we are using to contact downstream vendors.  KW


    Kate Wakefield CISSP, CIPT, CRISC
    Sr. Manager Security Compliance


  • 8.  RE: Log4J Vulnerability

    This message was posted by a user wishing to remain anonymous
    Posted 12-15-2021 09:51 AM

    Would someone be willing to share a basic questionnaire that we can send out to our vendors?


  • 9.  RE: Log4J Vulnerability

    Posted 12-17-2021 03:40 PM
    Shared Assessments has developed a scoping tool that might be helpful if you are looking for a template.

    Log4j Vulnerability Resources - Shared Assessments

    We approached it with a very broad request versus a questionnaire.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 10.  RE: Log4J Vulnerability

    Posted 12-21-2021 03:56 PM
    For anyone who sends out questionnaires to vendors for situations like this, do you see a lot of responses to the questions? The vendors that we are reaching out to have access to PII / are critical and high risk, and in my experience they almost never respond to the questions, but instead provide a blanket statement. I'd be interested in finding out if others have any luck with the questionnaire-type response.
    thanks!


  • 11.  RE: Log4J Vulnerability

    Posted 12-21-2021 04:19 PM
    Hi - 

    Like most of us here, we have a large vendor pool, so we had to limit the questionnaire to our high / medium risk vendors in specific industries (Healthcare, Financial, SaaS, etc.). To make sure that we are not adding additional work to our vendors' plates during a time such as this, we took a tiered approach with our Log4J questionnaire. The parent question asked if they had been impacted (Y/N). If No, the questionnaire is over and we thank them for completing it. If Yes, we only ask two additional questions.

    While I am sure most of us in this community are taking this approach, we have found that this has worked for us with a high return rate. So far, we have achieved a 56% completion rate and expect to have the rest of our vendor population completed in the next couple of days.

    Even though we have had a high completion rate, it goes without saying that we did receive a handful of canned responses or links to our site and will just use that information to complete our internal process so it can all be recorded.

    ------------------------------
    Thanks,
    JP
    ------------------------------



  • 12.  RE: Log4J Vulnerability

    Posted 12-15-2021 10:07 AM
    Passing this GitHub link on, as this is always helpful information:

    GitHub - cisagov/log4j-affected-db

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 13.  RE: Log4J Vulnerability

    Posted 12-15-2021 10:26 AM
    This is very helpful, thank you!

    ------------------------------
    Sheila Freyou

    Director, Vendor Management
    Celebrity Home Loans, LLC
    ------------------------------



  • 14.  RE: Log4J Vulnerability

    Posted 12-17-2021 05:31 PM
    Looking forward, we are looking at the use of things like this open-source logging library. The major problem with Log4J is that it suffers from code bloat. This was all done to support just grabbing this library and using it for all your logging needs. It really has not been well maintained, nor has it undergone a security code scrub to look for exploitable vulnerabilities. I do not want you to think that I am necessarily knocking the Apache org for this, because all-in-all the community takes pretty good care of the code and code libraries.

    The really good news here is that there have been no instances or exploits that might pollute the supply chain (aka SolarWinds). This is why it has been fairly quiet on the TPRM front. And there are now several groups taking a long, hard look, which led to the realization that there are things in vers. 2.15 that need to be fixed, and that there is a vers. 2.16 that fixes these issues.

    We have the happy task of not just responding to all our customers while we address these issues in our products, but also looking for the library in the products and services we resell. It will take a while to reconcile all this.

    So, on our end, we are making changes to our open-source use processes to pare down these libraries to just what is needed and nothing else. Also, to add testing for these kinds of vulnerabilities.


  • 15.  RE: Log4J Vulnerability

    Posted 12-20-2021 09:16 AM

    Thank you Mark.

    It appears this vulnerability has evolved once again.

    Please upgrade to Log4j version 2.17.

    After Apache Log4j v2.15, the first new vulnerability, CVE-2021-45046, came as a result of an incomplete fix in Apache version 2.15, and allows the attacker to take control over the Thread Context Map input data. The latest vulnerability, CVE-2021-45105, is due to a lack of protection from uncontrolled recursion in Apache Log4j version 2.16. Log4j version 2.17 has been released, in which these issues are currently resolved.

    References:

    CVE-2021-45046 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

    CVE-2021-45105 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105



    Larry Timmins

    Senior Technical Project Lead, PMP
    Information Technology


    PRIMMA LLC

    on behalf of EmPRO Insurance Company
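
Posts 14 and 15 above leave two practical tasks on the table: find every copy of the library in the products and services you ship or resell, and get each one to 2.17. The script below is an added example for this thread, not code from any of the posters or from Apache. It walks a directory tree, opens each jar/war/ear, recurses into archives nested inside them (fat jars and webapps are where log4j-core usually hides), reads the Maven pom.properties that Apache's release jars carry, and flags anything below 2.17.0. The 2.17.0 cut-off is taken from Larry's post; the separate backport releases Apache issued for older branches are deliberately not modelled, so anything older is simply flagged for review, which is the conservative choice when triaging. It also reports whether JndiLookup.class is still present, the file removed by the class-deletion mitigation many teams applied before patching. The sample jars it scans are constructed inside the script so it runs offline.

```python
"""Locate Log4j 2 core jars, including ones nested in WAR/EAR/fat jars, and flag
anything below 2.17.0 (the release the thread settles on).
Added example for this thread, not any poster's code. Assumes Apache's release
jars carry Maven's pom.properties for log4j-core; older-branch backports not modelled."""
import io
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 17, 0)  # threshold taken from the post above
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); anything after the numeric dotted prefix is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    nums = [int(n) for n in m.group().split(".")] if m else []
    return tuple((nums + [0, 0, 0])[:3])

def version_from_pom(props):
    """Return the 'version=' value from a Maven pom.properties body, or None."""
    for line in props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None

def inspect_archive(zf, label):
    """Yield a finding per log4j-core occurrence, recursing into nested archives."""
    names = zf.namelist()
    version = None
    for name in names:
        if POM_RE.search(name):
            version = version_from_pom(zf.read(name).decode("utf-8", "replace"))
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        # No readable version but JndiLookup present: conservatively mark for review.
        yield {"path": label, "version": version, "jndi_lookup_present": has_jndi,
               "needs_upgrade": version is None or parse_version(version) < FIXED_VERSION}
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(inner, f"{label}!{name}")

def scan_tree(root):
    """Walk a directory tree and collect findings from every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue  # not a real zip despite the extension
    return findings

def _fake_jar(version):
    """Constructed stand-in for log4j-core: pom.properties plus a marker class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample: old jar in a webapp, fixed jar inside a fat jar, unrelated jar."""
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_jar("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "service-all.jar"), "w") as fat:
        fat.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        fat.writestr("BOOT-INF/lib/log4j-core-2.17.0.jar", _fake_jar("2.17.0"))
    with zipfile.ZipFile(os.path.join(root, "commons-io.jar"), "w") as other:
        other.writestr("org/apache/commons/io/IOUtils.class", b"\xca\xfe\xba\xbe")

def demo():
    """Build the constructed tree, scan it, print a one-line verdict per finding."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        for f in findings:
            verdict = "UPGRADE" if f["needs_upgrade"] else "ok     "
            print(f"{verdict} {f['version']}  {f['path']}")
        return findings

if __name__ == "__main__":
    demo()
```

To use it on real systems, point scan_tree at a deployment root or an unpacked vendor package; nested hits are labelled outer.jar!inner/path so the finding can be traced to the exact embedded copy, which is what you need when a vendor's blanket statement says "not affected" and you want to verify it yourself.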