The vulnerability management process is one of the most important, most difficult and most poorly implemented security processes. This toxic combination produces a seemingly endless stream of news headlines about data breaches.
Recently, quite a few high-profile vulnerabilities have been discovered that attracted the attention of mainstream media. The biggest has been the Shellshock vulnerability.
The Common Vulnerability Scoring System (CVSS) base score for Shellshock is the highest possible, 10, which indicates its criticality. That is because it is very easy to exploit and allows remote execution of arbitrary code.
For CIOs who want to know the extent of the problem, good documentation of the network and systems is key. A vulnerability scan of the systems is also very important, and it should highlight the Shellshock vulnerability.
However, a vulnerability scan done without logging into the scanned systems can only reveal a partial picture. It is therefore strongly suggested to use the full potential of the scanning tool and run an authenticated scan.
When it comes to fixing the Shellshock issue, the patch is very easy to apply and well documented. Yet applying it across a large network can be a gigantic task. Big organisations should use a triage process in vulnerability management.
Take vulnerability data, network topology, firewall rules and asset criticality, and place them in a model that will calculate where to prioritise efforts.
For example, a server in a demilitarised zone (DMZ) that runs Apache but has no CGI (Common Gateway Interface) scripts in use can wait a bit longer for a patch, compared with a secure-shell (SSH) server used as a management jump server for system admins and third parties.
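As an added illustration of the triage model described above (example code written for this page, not from the article or its author; the weights, field names and asset records are constructed assumptions), the following ranks hosts by combining scan results, exposure from topology and firewall rules, whether an exploit path actually exists, and asset criticality:

```python
from dataclasses import dataclass

# Constructed example: a minimal patch-triage model for Shellshock.
# Weights and sample assets are assumptions, not figures from the article.

@dataclass
class Asset:
    name: str
    cvss_base: float      # from the vulnerability scan (Shellshock scores 10.0)
    vulnerable: bool      # authenticated scan found a vulnerable bash
    reachable_from: str   # "internet", "partner" or "internal" (topology + firewall rules)
    exploit_path: bool    # exposed service actually hands input to bash (e.g. CGI enabled)
    criticality: int      # 1 (low) .. 5 (crown jewel), from the asset register

# Assumed exposure weights derived from who can reach the host.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.8, "internal": 0.4}

def triage_score(asset: Asset) -> float:
    """Higher score = patch sooner. Zero if the scan found no vulnerable bash."""
    if not asset.vulnerable:
        return 0.0
    # Without a path from the exposed service into bash (Apache with CGI off),
    # the risk is latent rather than immediate, so it is discounted, not ignored.
    path_factor = 1.0 if asset.exploit_path else 0.3
    exposure = EXPOSURE_WEIGHT[asset.reachable_from]
    return round(asset.cvss_base * exposure * path_factor * asset.criticality, 1)

def prioritise(assets: list[Asset]) -> list[Asset]:
    """Return assets ordered from most to least urgent to patch."""
    return sorted(assets, key=triage_score, reverse=True)

# Constructed sample inventory mirroring the article's two cases plus two more.
SAMPLE_ASSETS = [
    Asset("dmz-web-01", 10.0, True, "internet", False, 3),   # Apache in DMZ, no CGI
    Asset("jump-ssh-01", 10.0, True, "partner", True, 5),    # SSH jump host for admins/third parties
    Asset("intranet-cgi-01", 10.0, True, "internal", True, 2),
    Asset("build-02", 10.0, False, "internal", True, 4),     # already patched
]

def patch_order(assets: list[Asset] = SAMPLE_ASSETS) -> list[str]:
    """Names in the order the triage model says to patch them."""
    return [a.name for a in prioritise(assets)]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_ASSETS):
        print(f"{a.name:18} score={triage_score(a)}")
```

The jump server outranks the DMZ web server even though both carry the same CVSS score, which is exactly the distinction the triage process is meant to surface.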
Moreover, an attempted Shellshock attack can be detected very easily by a host or network intrusion detection system. Set it up to look for the attack and act accordingly.
Vladimir Jirasek is chief technology officer at Knightsbridge Contego