Top Tips: Side-Stepping Shellshocks

08-10-2014

Brian Barnier is an analyst and advisor at ValueBridge Advisors and a risk advisor with global association ISACA. He is a co-author of ISACA’s Risk IT Framework, served on the COBIT 5 development workshop team, and is a member of the ISACA Journal editorial panel. Named one of the first three distinguished Fellows of OCEG, he co-chairs the OCEG Steering Committee and co-chairs the ICGN Corporate Risk Oversight Committee. A global businessperson with Finance, Operations and Product Management experience, he has also led teams to nine technology patents.

Brian shares his tips on how businesses and IT security professionals can side-step security threats like the Shellshock bug.

The number of security attacks in recent years has grown profoundly. A recent report from Symantec found that the total number of breaches in 2013 was 62% greater than in 2012, with eight of the breaches exposing more than 10 million identities each. Organisations also face an increase in advanced persistent threats (APTs), which infiltrate a system by stealth, can take months or years to detect, and are aimed squarely at commercial gain—typically the theft of credit card information, customer data or proprietary intellectual property. ISACA’s research shows that one in five enterprises surveyed in 2013 has experienced an advanced persistent threat, and 66% feel it is likely they will be the target of an APT attack.

But more recently, security professionals have largely been blindsided by security bugs such as Heartbleed and Shellshock. Shellshock in particular, which enables attackers to gain access to a computer system, has led to widely reported early estimates that at least 500 million machines worldwide are vulnerable to attack. Many security professionals have been asking themselves: ‘Was there a process by which it could have been more easily found?’

The answer is yes – there are three lessons that can enable business and IT leaders to help their security teams get ahead and protect the public from the attack of the high-tech toaster oven.

Shellshock is the popular name for a newly disclosed security vulnerability in the UNIX Bash shell (first released in 1989). One meaning of “Bash” is “Bourne again shell”, where “Bourne” refers to the shell created by Steven Bourne in 1977 to replace an earlier shell. A “shell” provides a way—originally a command line—for a person to access operating system functions.

Lesson #1: Be “old school” and use what you know to ask “how?” and “why?”

Business leaders, and even tech-savvy IT leaders, can feel intimidated by new technology. Yet old school ways of thinking can often help. Shellshock attacks a code gap that seems to be over a decade old. Further, many people have forgotten that a key feature of the Bourne shell was scripting—similar to the scripts used to automate simple tasks in word processing and spreadsheet documents.

Scripting should ring a bell as one of the first tools used by hackers. That is why black hat newbies are called “script kiddies.” Script kiddies wanting to do damage with other scripting languages will easily find this group of scripting tools, even in dusty IT books.

The black hat systematic search for knowledge must be answered by your systematic race to find that knowledge first. Controls are the wrong tool for the job.

Lesson #2: Engage in shell games and war games.

“Shall we play a game?” You might have been puzzled by this question from Black Widow to Captain America in Captain America: The Winter Soldier (2014). If you are a film buff, you would remember the question in War Games (1983) posed by the nuclear missile computer to a young gamer played by Matthew Broderick.

The world was saved because Broderick’s character grasped how the code worked. This reminds us to know “how it works,” confirm old code is good code, and “war-game” our way to prevention with the systems-aware 5+2 Risk Management Cycle.

Lesson #3: Evaluate your environment and capabilities.

Step one in the 5+2 Risk Management Cycle is “Evaluating Environment and Enterprise Capabilities.” Business leaders often say “Know your business!” For IT professionals, it is “know your code,” including the environment variables it reads.

Shellshock draws its power from the way Bash can be tricked through environment variables and a bit of scripting—the black hats knew the system better than the white hats.

The error in so many risk management processes is they skip steps—failing to use the 5+2 Risk Management Cycle to be systematic. This was a key point in the recent workshop at the ISACA San Francisco Chapter.

The 5 continual steps of the 5+2 Risk Management Cycle are:

  • Evaluate the environment and enterprise capabilities—“Know the business.” For security, it is about:
    • “Know your enemy” – including skills, tools and methods.
    • “Know yourself” – your systems, documented in dependency diagrams, your skills and methods. Importantly, it is about constantly learning and training to know yourself and your enemy better than they know you. Sounds like a football strategy – that’s the right attitude. ISACA education can help.
  • Seek scenarios—rigorously ask, “What if?”—the heart of managing risk.
    • Narrow risk registers or simple scenarios leave you vulnerable – not even knowing what you don’t know, which is a very scary place to be.
    • As with evaluation, scenario analysis needs to be robust and dynamic for a real world – better than your enemy’s. Do you have a quarterly 2-3 day risk scenario workshop? Is every Monday morning a scenario update war room meeting?
    • Does each scenario include an actor, action, object, timing, receiving object, impact and consequence statement? Plus, coincidental and distracting information?
    • Managers, do your security teams find role-player computer games more engaging than work? If so, then consider making your security team practice sessions more like those games with their complicated scenarios.
  • Watch for warnings
    • Watching for warnings must follow from “what if?” scenarios to provide as much advance warning as possible and guide in the right response.
    • Without this, watching for warnings can be a waste of time or, worse, dangerous. Why? Just as in a magic trick or sports, you’ll be vulnerable to the fake play – a distraction that will leave you heading in the wrong direction.
  • Prioritise
    • The danger is in prioritising before rigorous scenario analysis. This often sidetracks or wastes resources and leaves CISOs and CIOs looking foolish to business management after a bad thing happens.
    • Even when CISOs do a good job of balance, CIOs must still be vigilant to balance risk responses across risks related to the business-IT investment portfolio, programme/project management and operations/services delivery, as described in COBIT.
  • Improve position in environment and/or capabilities
    • These are the only two basic ways to respond to a risk. For example, in a thunderstorm, either don’t walk outside (change your position) or get in a car (change your capability). Organisations often increase their vulnerability when they only use responses related to insuring financial consequences – transfer, accept and such.
    • Business leaders rely on position and capability responses in business competitor risk. Security leaders can do the same against black hats.

The “+2” are about reacting to warning signs and recovering.

  • Through scenario analysis, prevention and response Plan B (and C, D, and E) can be created and ready to go.
  • Importantly, reaction is as much about what NOT to do as it is about what to do.

The 5+2 Risk Management Cycle applies to business strategy and product management as well as cyber war. Thus, business leaders can use a familiar approach to guide their IT teams.

Increasingly sophisticated cybersecurity risks and challenges will always occur in the internet era, but security professionals and businesses must apply their knowledge to prevent attacks. Many security bugs simply use old technology in new ways, so IT security teams must keep ahead of the game to defend against threats. By using the knowledge and tools at their disposal, security professionals can combat sophisticated security attacks before they even come to the surface.


IDG Connect