Security Think Tank: Isaca guide on tackling Shellshock

What steps should businesses take to assess the true scope of their vulnerability to the Shellshock Bash bug?

It is important to methodically inventory and scan, evaluate web paths, test logs for keywords, patch, and be vigilant for variants.

Global IT association Isaca recommends a systematic approach to prevent problems. This includes the following key shifts:

- From Maginot Line-style controls to proactive management practices, such as those in the Cobit 5 framework.

- From after-the-exploit inventory to current dependency diagrams (valuable beyond security).

- From narrow risk registers or flat scenarios to dynamic, real world “what if?” scenarios, more like sports or a good film plot. These are vital to staying ahead of attackers.

- From figure-it-out after the common vulnerabilities and exposures (CVE) to train as a team to anticipate and act.

Security managers and CIOs can get ahead with these management practices. Scenario analysis is the heart of risk management and realistic scenarios are born in rigorous workshops.

More on Shellshock

Brian Barnier is a risk advisor with Isaca and partner at ValueBridge Advisors

Read more on Privacy and data protection