In late September, the world greeted a new cyber-monster―the Shellshock Bug. The threat is a vulnerability in a program called Bash, which executes commands for other programs. Some experts estimate Bash is embedded in 70% of Internet web sites and that the flaw could conceivably impact millions of systems. On a 10-point severity scale, the National Institute of Standards and Technology rates Shellshock a 10 (Heartbleed is a 5).
That sounds pretty worrisome, but what does it mean for enterprises and their digital security?
There is no doubt that Shellshock has the potential to be devastating. It allows hackers to gain access to the vulnerable networks, services, desktops and devices of the organizations it penetrates, and from there to turn those components into zombies that do their masters' bidding.
Shellshock is of particular concern because the code that allows this type of control normally requires sophisticated programming. Since the bug exists in a program that already has permission to execute system commands, performing these sophisticated attacks becomes simple―really simple.
With that in mind, reputable security appliance vendors like Barracuda (one of our partners) immediately issued patches that prevent malicious code from exploiting this bug on their devices. They strengthened firewall protocols and other safeguards to thwart attempts to exploit it. Companies such as InterDev, which provide security monitoring and management services to their customers, took similar action to patch computers, servers, routers, firewalls and other computing appliances running vulnerable versions of Bash.
Does that mean everyone is safe? Certainly not. Companies that do not have robust security protections and run operating systems that use Bash are at risk. Any company that connects to the Internet is at risk, especially if they have not educated their employees about browsing and email security best practices.
In the first four days after the Shellshock flaw went public, one security appliance vendor reported that the attack rate had reached 1,970 attacks per hour. So yes, Shellshock remains a concern. Experts think it will remain one for years, because so many systems run Bash―many of which are embedded systems that cannot be patched or updated.
With that in mind, we recommend that organizations not stop dead in their tracks, disconnect servers from the Internet or take other extreme measures to avoid it. Rather, having a vulnerability assessment right away, then taking proactive measures to implement sensible security protections and policies, is the best way to defend against Shellshock and all its brethren.
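One concrete step in the vulnerability assessment recommended above is to confirm whether the Bash installed on a given host is still affected. The script below is an added example, not part of the original post or of InterDev's or Barracuda's tooling. It relies on the publicly documented behaviour of the flaw (an unpatched Bash runs any command appended to a function definition it imports from an environment variable) and assumes `bash` is on the PATH; the function name `shellshock_status` and the "missing"/"patched"/"vulnerable" labels are this example's own conventions.

```shell
#!/bin/sh
# Added example: report whether a local bash binary is still affected by the
# Shellshock function-import flaw. Exit status is always 0; the verdict is
# printed as one word so it can be collected from many hosts by a script.
shellshock_status() {
  bash_bin="${1:-bash}"             # path to the bash to test (default: PATH lookup)

  # A host without bash at all cannot be affected by a bash bug.
  if ! command -v "$bash_bin" >/dev/null 2>&1; then
    echo "missing"
    return 0
  fi

  # The environment variable holds a harmless function definition followed by
  # a trailing echo. A fixed bash ignores the trailing text (and warns on
  # stderr, which is discarded); an unpatched bash executes it while importing
  # the environment, before the -c command even runs.
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'true' 2>/dev/null)

  case "$out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
}

# Usage: run with no argument to test the bash on PATH, or pass a path such as
# /bin/bash to test a specific binary.
shellshock_status "$@"
```

Run it on each server, appliance or workstation you manage; anything reporting "vulnerable" needs the vendor patch applied, and anything that cannot be patched (the embedded systems mentioned above) should be isolated behind the firewall rules your appliance vendor issued.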
Shellshock hasn’t made security any more important―because in this age, it has always been vital. However, it has raised the stakes. To learn more, feel free to email us or give us a call at 770-643-4400 (toll-free: 877-841-8069).