Sep 29 2014

The Bash Bug Is the New Normal, So Organizations Must Prepare

The latest software vulnerability, also called the “Shellshock” bug, is deemed by some to be a bigger threat than Heartbleed.

Nothing spooks the Internet quite like the news of a major, previously undetected or unnoticed software vulnerability.

When Heartbleed — the bug that left implementations of Secure Sockets Layer open to attack — first appeared, many people panicked, as SSL is a prominent and widely used standard for securing web communications. It’s particularly important in financial services, where customers of banks, credit unions and other institutions need a sense of security to feel comfortable performing transactions.

As frightening as Heartbleed was (as many as 1.2 billion passwords were compromised), some experts have said the Bash bug (also known as the Shellshock bug) makes “Heartbleed look insignificant.”

One of the more troubling aspects of Shellshock is that security analysts and vendors are already seeing the vulnerability being exploited. But what makes the bug especially worrisome is that it allows attackers to run commands through the Bash shell on Linux and Unix — environments favored by many web servers.

The following types of attacks have already been carried out as a result of the Bash bug, according to Larry Seltzer of ZDNet:

  • Malware droppers
  • Reverse shells and backdoors
  • Data exfiltration
  • DDoS
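Because the attacks listed above arrive through web servers, the first place a defender looks is the web server log. The script below is an added example, not part of the article or of anything ZDNet published: it scans constructed sample log lines (assumed to be in the common combined format, with Referer and User-Agent quoted at the end) for the `() {` function-definition prefix that Shellshock payloads place in a request header so that it lands in an environment variable. The function names `shellshock_log_hits` and `shellshock_hit_count` are chosen here and are not from the original page.

```shell
#!/bin/sh
# Added example, not from the article: flag web-server log lines whose
# request fields carry the "() {" prefix that Shellshock payloads use to
# smuggle a bash function definition into an environment variable.

# Constructed sample log lines (combined format assumed). Two of the four
# carry the Shellshock prefix: one in the User-Agent field, one in Referer.
SAMPLE_LOG='203.0.113.5 - - [29/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.2 - - [29/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { :; }; echo probe" "curl/7.30"
192.0.2.10 - - [29/Sep/2014:10:02:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Print every log line containing "()" followed by optional spaces and "{".
# The optional whitespace matters: "() {" and "() { " both appear in the wild,
# and a signature anchored on one exact spelling would miss the other.
shellshock_log_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E '\(\) *\{'
}

# Number of suspicious lines, trimmed so the result is comparable as a string
# (BSD wc pads its output with leading spaces).
shellshock_hit_count() {
    shellshock_log_hits | wc -l | tr -d ' '
}

# Stand-alone usage: list the hits, then report how many there were.
shellshock_log_hits
echo "suspicious requests: $(shellshock_hit_count)"
```

In production the same grep runs over the real access log instead of `SAMPLE_LOG`; a hit does not prove the server was vulnerable, only that someone tried, which is still the cue to confirm the patch level and review the CGI scripts the request targeted.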

There are patches available to mitigate and minimize damage, but there are important lessons to be learned from all this as well.
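Applying the patch is only half the job; the other half is confirming it took. The following self-test is an added example, not from the article or from any vendor advisory. It exports an environment variable whose value looks like a bash function definition with extra code appended, then starts a bash child process: an unpatched bash executes the appended code while importing the variable, a patched bash ignores it. The function name `shellshock_check` and the marker string are chosen here, and the result naturally depends on which bash is installed where the script runs.

```shell
#!/bin/sh
# Added example, not from the article: self-test for whether the local bash
# still executes code appended to a function definition held in an
# environment variable, which is the behaviour Shellshock abuses.
# Prints exactly one of:
#   patched    - bash ignored the appended command
#   vulnerable - bash ran it; update the bash package now
#   no-bash    - bash is not installed on this host
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The variable value is a no-op function followed by one extra command.
    # Only the child bash sees it, so nothing in the current shell changes.
    # stderr is discarded because a patched bash warns that it is ignoring
    # the function definition attempt.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Stand-alone usage: report the verdict and exit non-zero if vulnerable,
# so the check can sit in a configuration-management or monitoring job.
verdict=$(shellshock_check)
echo "bash status: $verdict"
[ "$verdict" != "vulnerable" ]
```

Run it on every host that exposes bash to untrusted input, not just the web servers: DHCP clients, SSH forced-command accounts and CGI wrappers all hand environment variables to bash, and a host can report `patched` and still need the follow-up fixes that were released for the incomplete first patch, so treat a `patched` result as the start of the verification, not the end.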

The Response to Shellshock Can’t Be a One-Off

The effect of a widespread bug like the Bash bug can be unsettling, but the reality of modern IT means that such threats are going to become more commonplace.

In an article for the Harvard Business Review blog, associate professor Karim Lakhani takes organizations to task and warns that the threats they face aren’t going away anytime soon. That’s why more organizations need to behave as if hacks or breaches can happen anytime — because they can. More important, threats to corporate IT aren’t just the responsibility of the network admins. Everyone, including the company’s executives, needs to be invested in protecting and ensuring corporate data security.

Lakhani elaborates on how organizations need to stand up response teams to combat these threats:

[O]rganizations need to create an emergency response team and plan that can swiftly react and solve problems once vulnerabilities are detected. It should work like any effective emergency preparation: Executives should plan for worst-case scenarios and run their organizations through the drills to ensure that they’re ready to handle problems as they may arise. Experience has shown that this can’t be relegated to the lower levels of the IT organization. Instead executives from all functions need to be involved in the response plan.

In the same way that some like to argue that “every company is a tech company,” you could say that every company executive needs to be an IT security professional.