I’m sure you’ve all heard of Shellshock by now? If not, it’s a security flaw in Bash that allows attackers to take control of systems. Bash is really an acronym/pun meaning “Bourne-again shell” that was written as a free software replacement for the Bourne shell that preceded it. It is a UNIX shell that acts as a command processor and also reads commands from scripts. The problem is that Bash is present in all kinds of things including Web servers and operating systems. This is a very serious flaw! Worse than any other code vulnerability I can name off hand. There are several serious exploits already extant in the wild. Hundreds of millions of devices and credit cards are at immediate risk of compromise across the globe. Institutions are strongly recommending that people not use their credit cards to make Internet purchases for at least the next several days. Imagine the loss in revenue and buyer confidence this is going to cause! Productivity may well go down and prices may well go up as a consequence of this flaw.
Luckily there are good patches already available to combat this glitch, and I’m sure additional fixes and tweaks are in the offing. But to have any level of safety you need to patch everything on your network that is vulnerable, and you need to do it quickly. Do you know exactly what devices are a part of your network and exactly what operating systems, software and firmware versions are installed on them? Specifically, do you know where Bash is running? If you don’t, you may install patches furiously over the next few days and still end up being vulnerable without knowing it. Can you in all good conscience assure your Web customers that their transactions and private information are safe?
Shellshock may have one hidden benefit though; it may be the cold dose of reality that causes organizations to finally get serious about information security and adopt best practices security recommendations, especially where inventories of devices and software are concerned. There is a reason why guidance such as the MSI 80/20 Rule of Information Security and the Top 20 Critical Controls for Effective Cyber-Security list making inventories their number one information security project. If you don’t know what you have, how can you possibly secure it?!
Right now, if you are among the prescient few who do keep complete dynamic inventories, ensure that input to all available software fields is validated and have configured each device on your network with a unique admin password, you are sitting pretty! You have the knowledge and time necessary to deal with this problem, and will probably earn kudos and market share from you customers. Isn’t that kind of assurance worth spending some time and money on America?
This blog post contributed by John Davis.