Shellshock Demands a Managed Response

Shellshock is the latest and possibly most significant IT security vulnerability identified by researchers. I imagine that by now most IT pros have heard of this threat. In a year of unprecedented security events, some may be “tuning out” security. If ever there was an IT vulnerability to not minimize, it’s Shellshock. Heartbleed, a massive security threat in its own right, pales in comparison to Shellshock. IT pros must react immediately to this threat with a diligent and managed response.

Why does Shellshock demand such an immediate response? There are two primary reasons: scope and accessibility. Shellshock is a twenty year old vulnerability in the Bourne Again Shell, typically known as BASH. Most Linux systems, many Unix systems, and all recent OS X systems utilize BASH. That scope is unprecedented! I’m not just talking about Unix and Mac PCs, now. Virtually all “Internet of Things” devices run some variant of Linux. Switches, access points, SANs, and even media sharing devices are impacted. Look around. Odds are a few possibly impacted devices are within arm’s reach.

If it’s not enough Shellshock is lurking in so many devices, what’s making matters much worse is that it’s easily accessible. Practically anyone with rudimentary IT skills has the means to exploit Shellshock. Once exploited, Shellshock can provide an attacker the means to execute virtually any command a user can execute. Installing software, transferring data, launching DDoS attacks are all possible via Shellshock.

The good news is that not every system has BASH enabled by default. If BASH isn’t enabled, it can’t be exploited. Another tick in the “good news” column is that vendors are rapidly releasing patches for everything from print servers to operating systems. The big question is how can IT keep track of everything ensuring their systems are safe? Keeping track of what devices have BASH enabled and which patches are deployed to those devices is a tall order. On top of that, it’s critical to keep an eye open for suspicious activity that might indicate an attacker is trying to exploit Shellshock on your network. The answers are change management and change auditing, plain and simple.

Without effective change management, it’s nearly impossible to keep track of what device has what OS level, what patches are necessary, and which patches have been employed. It’s critical to implement a documented, managed response to threats like Shellshock. Doing so will provide a controlled mechanism for ensuring a vulnerability is addressed, regardless of the device or vendor. Not doing so will practically guarantee some devices aren’t patched properly and the network is at risk.

When it comes to threat mitigation, managing changes is only half the battle. Equally important is keeping a watchful eye trained on the network, monitoring for unexpected changes. Shellshock provides attackers the ability to execute commands. These commands could access network resources, change system settings, or install software. All activities that change auditing would expose. An unexpected change to mail server settings: change auditing will catch that. Unusual file copies across the network: change auditing will catch that too. Installation of unauthorized software such as keyloggers or other malware; yep, change auditing will catch that. The first step in fixing a problem is identifying the problem. Change auditing identifies problems quickly, enabling the fastest response possible.

Shellshock is another in a seemingly endless stream of serious IT system vulnerabilities. It won’t be the last. Every organization will have vulnerable systems. IT must evolve their use of change management to prevent exploitation of vulnerabilities. Enhancing change auditing ensures minimizing the impact of any exploited vulnerabilities. Together, these strategies form the best response to Shellshock and whatever security threat next comes down the pike.

During his 25+ years in the IT industry, John has enjoyed the opportunity to work as a consultant, architect, executive, speaker, and author. He's been involved in multi-national networking, messaging, and communications projects as well as finding solutions for small businesses allowing them to use technology to increase business opportunity and decrease operational complexity. John is a contributing editor for the Petri.com online community as well as senior contributor to Tom’s IT Pro. John has authored material for Redmond Magazine, Netwrix blog, and both Thomson-Reuters' Aspatore Books and Exec Blueprints publications. He also develops exciting technology training courses for the leader in IT training, Pluralsight. John often speaks at IT events around the nation. When he’s not presenting at a conference, John can often be found leading informative webinars. John is proud to be honored as a multi-year Microsoft MVP and for receiving NEOSA’s CIO of the Year Award.