It is important to inventory and scan systems methodically, evaluate exposed web paths, search logs for the known keywords, patch, and stay vigilant for variants.
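The "search logs for keywords" step, as an added example that is not part of the original article: a small scan over constructed Apache combined-format access log lines for the Bash function-definition fragment that Shellshock probes carry in HTTP headers, reporting the client, the web path probed and the offending field. The log lines and IP addresses are constructed sample data, and the whitespace-tolerant pattern is an assumption about how variants differ.

```python
import re

# A Shellshock probe plants a Bash function definition in an HTTP header that a
# CGI handler exports as an environment variable. The fragment to hunt for is
# "() {" at the start of the header value; variants seen differ in whitespace,
# so the pattern tolerates it (assumption for this example).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 "() {:;}; /bin/true" "curl/7.37.0"
"""

def find_shellshock_hits(log_text):
    """Return (line_no, client_ip, request_path, offending_field) per hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        m = REQUEST_RE.search(line)
        path = m.group(1) if m else None
        # Quoted fields in combined format: request line, referer, user-agent.
        for field in re.findall(r'"([^"]*)"', line):
            if SHELLSHOCK_RE.search(field):
                hits.append((line_no, client_ip, path, field))
                break  # one report per line is enough
    return hits

def cgi_paths_probed(hits):
    """Distinct paths that received a probe; compare against the CGI inventory."""
    return sorted({path for _, _, path, _ in hits if path})

if __name__ == "__main__":
    found = find_shellshock_hits(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("probed paths:", cgi_paths_probed(found))
```

Paths that turn up here but are absent from the CGI inventory are the gap the inventory step is meant to close.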
Global IT association Isaca recommends a systematic approach to prevent problems. This includes the following key shifts:
- From Maginot Line-style controls to proactive management practices, such as those in the Cobit 5 framework.
- From an after-the-exploit inventory to current dependency diagrams (valuable beyond security).
- From narrow risk registers or flat scenarios to dynamic, real-world "what if?" scenarios, more like sports or a good film plot. These are vital to staying ahead of attackers.
- From figuring it out after a common vulnerabilities and exposures (CVE) notice to training as a team to anticipate and act.
Security managers and CIOs can get ahead with these management practices. Scenario analysis is the heart of risk management, and realistic scenarios are born in rigorous workshops.
Brian Barnier is a risk advisor with Isaca and partner at ValueBridge Advisors