Security Think Tank: Isaca guide on tackling Shellshock

What steps should businesses take to assess the true scope of their vulnerability to the Shellshock Bash bug?

It is important to methodically inventory and scan, evaluate web paths, test logs for keywords, patch, and be vigilant for variants.

Global IT association Isaca recommends a systematic approach to prevent problems. This includes the following key shifts:

- From Maginot Line-style controls to proactive management practices, such as those in the Cobit 5 framework.

- From after-the-exploit inventory to current dependency diagrams (valuable beyond security).

- From narrow risk registers or flat scenarios to dynamic, real world “what if?” scenarios, more like sports or a good film plot. These are vital to staying ahead of attackers.

- From figure-it-out after the common vulnerabilities and exposures (CVE) to train as a team to anticipate and act.

Security managers and CIOs can get ahead with these management practices. Scenario analysis is the heart of risk management and realistic scenarios are born in rigorous workshops.

More on Shellshock

Brian Barnier is a risk advisor with Isaca and partner at ValueBridge Advisors

This was last published in November 2014

Read more on Privacy and data protection

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.






  • How do I size a UPS unit?

    Your data center UPS sizing needs are dependent on a variety of factors. Develop configurations and determine the estimated UPS ...

  • How to enhance FTP server security

    If you still use FTP servers in your organization, use IP address whitelists, login restrictions and data encryption -- and just ...

  • 3 ways to approach cloud bursting

    With different cloud bursting techniques and tools from Amazon, Zerto, VMware and Oracle, admins can bolster cloud connections ...