Shellshock: The Biggest Threat of All

The recent Shellshock vulnerability in the Bash shell has highlighted just how easily a single programming error can be exploited, with global consequences.

Shellshock is an interesting example of a programme written years ago with tools, processes and practices that were acceptable at the time but that, judged against today's threat climate, leave it riddled with errors.

Linux is open source and has become widely used because of its ease of use and its cost advantages over competitors such as Windows, so developers have used it as a foundation on which to add new and interesting features. Unfortunately, few look back at the existing source code; the attitude is 'if it's not broken, don't fix it'. Bash is one such component, loaded on almost every Linux system without anyone checking what is happening 'under the bonnet'.

Bash is a command interpreter: its job is to execute programmes, and anything that can feed it commands can use it to run legitimate programmes or, in some cases, hacker tools. Shellshock is a bug in the way Bash imports function definitions from environment variables: a vulnerable Bash executes any command appended to such a definition, so any service that passes untrusted data into the environment of a Bash process (web servers running CGI scripts are the commonest case) can be made to run an attacker's commands, with no login required. Patches are available and server administrators need to apply them to their Linux systems immediately. However, patching takes time, and the wide use of Linux and Bash inside systems that are not obviously servers, such as telephone systems, network storage devices or old print servers, means some will be missed.
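As an added example, not taken from the original article or from the Bash project, the following POSIX shell script runs the function-import test published with the Shellshock advisory against a given bash binary and reports whether that binary still executes the appended command. The function names and the `x` variable name are chosen for this example and are not standard; the check covers only the original bug (CVE-2014-6271), not the follow-up parser bugs that required further patches.

```shell
#!/bin/sh
# Added example, not part of the original article: a POSIX sh check for the
# Shellshock bug (CVE-2014-6271) in a given bash binary. It uses the test
# published with the advisory: export a function definition with a trailing
# command, then run bash and see whether the trailing command executes.
# Function names and the "x" variable name are choices made for this example.

# Usage: shellshock_check [path-to-bash]
# Prints "vulnerable", "patched" or "missing" and returns 1, 0 or 2.
shellshock_check() {
    bash_bin="${1:-bash}"

    # Report an absent binary explicitly instead of quietly calling it patched.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi

    # A vulnerable bash imports x as a function and, while doing so, executes
    # the appended "echo vulnerable" before the -c command runs. A patched
    # bash treats x as an ordinary string variable (or refuses the import).
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Usage: audit_bash_binaries path [path ...]
# Runs shellshock_check on each path, prints "path: status" per line and
# returns 1 if any binary is still vulnerable, so the output can go straight
# into an audit log or a management report.
audit_bash_binaries() {
    rc=0
    for bin in "$@"; do
        # "|| true" keeps a "missing" result (exit 2) from aborting under set -e.
        status=$(shellshock_check "$bin") || true
        echo "$bin: $status"
        if [ "$status" = "vulnerable" ]; then
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: check the bash on PATH plus the usual fixed locations.
audit_bash_binaries bash /bin/bash /usr/local/bin/bash
```

Run it on each box as part of the post-patch verification rather than trusting the package manager's version string alone: vendors backported the fix to many old Bash releases, so the version number does not tell you whether the behaviour is fixed, but this test does.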

Another reason a system may go unpatched is that it runs an old proprietary application that is still critical to the organisation but has not been tested against, or will not run on, the patched version.

Given that it may take time for all servers to be patched, the question organisations need to ask is: what else can they do to protect themselves?

It is understood that you need perimeter controls on your network, but what many companies fail to take on board is the need for strong password management. Strong passwords do not stop Shellshock itself, which is triggered without a login wherever untrusted input reaches Bash's environment, but they do limit what an attacker can do next: someone who has run one command on a vulnerable server will try weak or reused credentials to move on to other systems, and servers whose passwords are of sufficient complexity are far harder to log on to.

Another area companies fail to consider is comprehensive Active Directory management. When people leave the organisation or move departments, their AD accounts and permissions should be changed immediately. Often they are not, because AD management is difficult and adding permissions is easier than modifying them.

This means staff have access to data they should not have. If the organisation puts in an effective AD management tool, these controls can be handed to department heads, who know who should be accessing their data. Such systems can be very user friendly, and the increased security, together with eliminating the risk that a system administrator forgets to make the changes, is a big plus.

A final check senior management should address is their ability to verify that the IT department has actually completed the task of upgrading or patching each server. This is especially critical for companies that have outsourced their IT to a third party, because responsibility for protecting data always remains with the organisation and not with the outside partner. One way to do this is to audit the IT systems independently and to have high-level management reports sent to key executives so that they can ask the appropriate questions when there are gaps in the update logs.

It may also be advantageous for these key executives not to be part of the IT department but to hold governance, legal or finance roles, as any breach, and the subsequent investigation, would fall on their shoulders. They will need to be seen to have taken independent action.

In many cases where a server or application has not been patched there are valid reasons, but at least the question has been asked, the replies documented and management has agreed to accept the risk. This protects all levels of the business and keeps it compliant.

Although Bash is mainly found on Linux servers, it also ships with Mac OS X and other Unix systems, and it is not uncommon to find it installed on Windows servers through environments such as Cygwin, so it is important that these are not forgotten in the frenzy of Linux updates.

Basically, Shellshock is yet another wake-up call for all those tasked with the security of data: make sure you have done the very best you can to meet your data responsibilities by employing the most up-to-date and robust security systems available to you and by managing those systems properly on a daily basis.

By Colin Tankard, Managing Director, Digital pathways

