“Shellshock will be a test of business resolve to prioritise security. So many of the data breaches that make headlines today can be traced to old or known vulnerabilities that have not been addressed. Now that Shellshock has been revealed, and the door has been thrown open, it will be interesting to see if companies take action.
It is clear that the potential exposure is significant. Linux underpins the majority of webservers, network routers and Apple’s Mac PCs running OS X. It is not clear, however, whether there has been any loss through successful exploitation of the flaw. I fear this will lead to complacency, and consequently, a string of breaches down the line. Hackers and cybercriminals will be counting on it and are now actively investing in their opportunities to take advantage of this flaw, if they haven’t done so already.
What every CISO should be thinking about now is quantifying their exposure. This means identifying those systems that are at risk. There are some simple commands that can be sent to see if the system being tested has this problem. Even though there doesn’t appear to be an available fix at the moment, this will at least identify where to apply it once it is developed.
More importantly, once companies determine which systems have the vulnerability, they have visibility into the functions and data that are at risk in order to mount an appropriate response. This could be anything from taking systems offline, investing resources into moving functions and data to servers that are not showing the vulnerability, or simply monitoring them more closely as their IT teams thoroughly research developments.”
- John Colley, CISSP, Professional Head, (ISC)² EMEA
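The "simple commands" the statement refers to are a local self-check that an administrator runs on each of their own hosts while building the exposure inventory. The script below is an added example, not part of John Colley's statement or any (ISC)² material; the function name `shellshock_status` and the marker word `PROBE_EXECUTED` are assumptions chosen for this example.

```shell
# Local Shellshock self-check for an exposure inventory (added example).
# Bash imported functions from environment variables whose value starts
# with "() {"; an unpatched bash keeps parsing past the function body and
# runs whatever follows it. Here the trailing command only echoes a marker
# word, so the probe changes nothing on the host. Prints and returns:
#   patched    (exit 0)  marker not executed
#   vulnerable (exit 1)  marker executed by the bash under test
#   no-bash    (exit 2)  no bash binary on this host, nothing to assess
shellshock_status() {
  bash_bin=$(command -v bash 2>/dev/null)
  if [ -z "$bash_bin" ]; then
    echo "no-bash"
    return 2
  fi
  # The variable name is arbitrary; only the "() {" prefix matters to bash.
  # The child command is 'true', so any marker in the output came from the
  # environment import, not from the command we asked bash to run.
  out=$(env SHELLSHOCK_PROBE='() { :;}; echo PROBE_EXECUTED' \
          "$bash_bin" -c 'true' 2>/dev/null)
  case "$out" in
    *PROBE_EXECUTED*) echo "vulnerable"; return 1 ;;
    *)                echo "patched";    return 0 ;;
  esac
}

# Record one line per host for the inventory, e.g. "webfe01 patched".
printf '%s %s\n' "$(uname -n)" "$(shellshock_status)"
```

Run it from a central job (SSH, configuration management, or an agent) so the result is collected per host rather than read by hand; a "vulnerable" line marks a system for the offline/move/monitor decision described above.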