We have heard a lot of talk about Shellshock. After four weeks of vigorous discussion in the IT industry, it is time to take stock. Can you get by if you do nothing?
The answer is "no": you have to patch your servers as a matter of due diligence.
Although Shellshock may not be a significant risk to your datacentre at present, you cannot predict future attack vectors. If a breach does occur using a vulnerability that has been public knowledge for months, you could face a damaging public disclosure.
However, while trying to follow the best practice of patching their most exposed (aka internet-facing) servers first, organisations have often found themselves facing an unanticipated virtual machine (VM) sprawl – hundreds of virtualised Linux servers, with no centralised management and very little scope to identify the root account holder or the system configuration.
In some enterprises, this VM sprawl has left security professionals with almost no way to react quickly – and that is a bigger problem than any single vulnerability.
Shellshock and Heartbleed are just two examples of vulnerabilities in ubiquitous software and software libraries that we use every day, and that are embedded in numerous operating systems and applications in a wide range of devices. Considering the vast amount of software in use everywhere, we are likely to see many more such vulnerabilities in the future.
In such cases, nothing but the ability to react quickly and to patch high-risk systems will prove useful. IT security professionals are used to doing predictive assessments based on impact and likelihood, but here that approach was no help.
So do not try to predict; instead, add a reactive capability to your security portfolio and make sure your IT is configured in a way that lets you respond as quickly as possible to new threats.
Nobody can know what ubiquitous vulnerability will arise next, so the ability to react fast will provide the best defence. For those facing this uncomfortable scenario, my advice is to make sure you can react quickly next time.
For Linux systems, consider using traditional IT automation suites, or, if you prefer lean and trendy solutions, look at the DevOps tool chain. This would be a good time to bring in a DevOps master server, deploy an agent on every unmanaged Linux system, and make these agents part of all Linux VM offerings in your virtual environment.
Then, next time, you will be able to assess the configuration of your systems within minutes, and be quicker in applying and verifying required patches.
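As an added illustration of the kind of check such an agent would run on every Linux host (example code, not from the column or any particular tool chain): a self-test that reports whether the local bash still executes a command smuggled in after a function definition in an environment variable, which is the Shellshock behaviour, and emits one line a master server can aggregate. The report format, the `probe` variable name and the `marker` string are this example's own choices.

```shell
#!/bin/sh
# Added example: local Shellshock self-check for a config-management agent.
# It only reports; applying the bash update is left to the tool chain.

shellshock_status() {
    # A host without bash cannot be affected by this bug at all.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # Export a variable holding a function body followed by a trailing
    # command. A fixed bash imports the function and ignores the trailing
    # "echo marker"; an unfixed bash runs it while starting up.
    probe_out=$(env probe='() { :; }; echo marker' bash -c 'echo done' 2>/dev/null)
    case "$probe_out" in
        *marker*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
}

# One-line report for the master server: host, bash version, status.
report() {
    host_name=$(hostname 2>/dev/null || echo unknown-host)
    bash_ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo none)
    printf '%s bash=%s shellshock=%s\n' "$host_name" "$bash_ver" "$(shellshock_status)"
}

report
```

Run it on a host with an unpatched bash and the status field reads `vulnerable`; after the update it reads `patched`, which is the verification step the column asks for.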
Be reactive. Be fast.
Joerg Fritsch is a research director at Gartner.