The potential exposure to the Shellshock bug is undoubtedly significant. Shellshock is a flaw in Bash, the default shell on most Linux distributions and on Apple Macs running OS X, and Linux in turn underpins the majority of web servers and a great many network routers and other embedded devices.
Despite its prominence, there have been relatively few stories about its exploitation, which could lead to complacency. Businesses need to ensure that they do not become victims of breaches further down the line, and should protect themselves as a matter of priority.
Recent research has shown that criminals are exploiting Shellshock for malicious purposes, so it is imperative that businesses take action.
IT departments need to quantify their exposure to the Shellshock bug and identify the systems that are at risk. That means every system carrying a vulnerable Bash, with particular attention to those that pass untrusted input into environment variables before invoking it, such as web servers running CGI scripts. There are some simple commands, widely publicised on the internet, that can be run locally to see whether the Bash on a given system is vulnerable.
A number of patches have been issued to reduce the impact of this vulnerability. These patches should be applied, but not all of them protect against all of the exploits being developed: the first fix was quickly shown to be incomplete, and further patches followed to close the gaps.
It is important, therefore, that intelligence is gathered about which patch level each system is at and which exploits that level protects against.
As new patches are developed, they too should be applied to affected systems, and IT departments should continue to test their systems against new exploits as they are developed and reported on the internet.
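The two checks below, added here as an example and not part of the original column, put the vulnerability test and the patch-level question into one script that can be run on each host. The first function is the widely published probe for the original bug (CVE-2014-6271): a vulnerable Bash parses the exported variable as a function definition and then keeps executing the trailing command. The second exports a function from the Bash under test and inspects how it appears in the environment; only the later, complete fixes restrict function import to variables prefixed with BASH_FUNC_, so a plain variable name means an unpatched or only partially patched shell. The function names, the probe_fn placeholder and the one-line report format are this example's own choices; the optional argument lets the same checks be pointed at an alternate copy of bash rather than the one on PATH.

```shell
#!/bin/sh
# Added example: two local checks for Shellshock exposure on one host.
# Both take an optional path to the bash binary to test (default: bash on PATH).

# Check 1: the published probe for the original bug (CVE-2014-6271).
# Prints "vulnerable", "patched" or "no-bash"; returns 1, 0 or 2 respectively.
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
  # A vulnerable bash runs "echo vulnerable" while importing variable x.
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "vulnerable"; return 1 ;;
    *)            echo "patched";    return 0 ;;
  esac
}

# Check 2: which function-export scheme the installed bash uses.
# Unpatched and early-patched bash export a function under its plain name and
# import function definitions from any variable; the complete fixes export as
# BASH_FUNC_<name>%% (upstream) or BASH_FUNC_<name>() (early vendor backports)
# and import only from such prefixed names. "probe_fn" is just a placeholder.
# Prints "prefixed", "legacy", "unknown" or "no-bash"; returns 0, 1, 2 or 2.
bash_export_scheme() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
  # Export a function, dump the environment, keep only the variable names.
  names=$("$bash_bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null | cut -d= -f1)
  if printf '%s\n' "$names" | grep -q '^BASH_FUNC_probe_fn'; then
    echo "prefixed"; return 0
  elif printf '%s\n' "$names" | grep -Fqx 'probe_fn'; then
    echo "legacy"; return 1
  else
    echo "unknown"; return 2
  fi
}

# Usage: run both checks and print one line suitable for collecting centrally.
report() {
  host=$(hostname 2>/dev/null || echo localhost)
  printf '%s probe=%s export-scheme=%s\n' "$host" \
    "$(shellshock_check "$@")" "$(bash_export_scheme "$@")"
}

report "$@"
```

A host that reports probe=vulnerable needs the original fix; one that reports probe=patched but export-scheme=legacy has only the first, incomplete patch and still needs the follow-ups. Embedded devices that ship a stripped-down bash can be tested the same way by passing the path to that binary.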
Systems that remain vulnerable should be given further consideration in terms of what can be done to mitigate or reduce the risk they represent.
For example, businesses could take such systems offline, invest resources in moving functions and data to servers that are not vulnerable, or simply monitor them more closely while their IT teams research developments and await patches that will eventually resolve the problem.
Finally, it is worth noting that the scale of Shellshock gives security professionals the opportunity to go beyond the direct tactical fix and assess risk and find weaknesses across their entire IT infrastructure. It may well be worth bringing forward planned reviews of overall security posture or intended investments in improvement.
John Colley is managing director Emea for (ISC)2.