
The real lessons from Shellshock and Heartbleed. 

Patches continue to arrive in businesses’ update packages, but it looks as though the worst of the Shellshock security issue is behind us. Likewise the Heartbleed flaw identified in the ubiquitous OpenSSL cryptographic software library.

As every IT professional knows all too well, these were simply two more security issues in an unending stream of issues highlighted by the press. Granted, they involved long-trusted pieces of IT plumbing that many thought were safe from attack. But we recognise that other – potentially far more serious – flaws, bugs, and vulnerabilities emerge from the woodwork almost weekly.

To take a recent example, announced on October 15th, the Drupal CVE‑2014‑3704 flaw could affect far more businesses than Shellshock, which is largely restricted to the Linux, Unix and Apple iOS platforms. A threat to the popular Drupal content management system can hardly be ignored.

Some businesses can continue to deal with such threats reactively, of course. Quite possibly, that’s the approach that your organisation takes.

But at ACSN, we’ve long argued that it makes more sense to take a proactive approach. Because if popular tools such as OpenSSL, the Bash shell, and Drupal can be vulnerable, then almost anything might be.

So what might that proactive approach look like? Here, offered in the spirit of a ‘self-audit’, are three key building blocks to look for.

Test for vulnerabilities.

Are we exposed? That’s the instant, panicky reaction of many businesses when a new security flaw is announced. The trouble is, it’s a question that many of them aren’t equipped to answer.

With Shellshock, for instance, it’s easy to say: “We’re a Windows shop; it doesn’t affect us”. But it’s a lot less easy to be sanguine about equipment such as Network Attached Storage devices and routers, which might – or might not – be running under Linux, or one of the open source Unix-like BSD platforms.

Even so, it’s a specific vulnerability, which can be specifically tested for. But we’ve learned that many businesses simply have no idea what vulnerabilities are out there, let alone whether they’re exposed to them.

“The price of liberty is eternal vigilance,” goes a saying often attributed to Thomas Jefferson.

So is your business equipped to undertake that eternal vigilance?

Actively monitor vulnerable infrastructure.

It’s a fallacy that attacks leave no footprints: they do. And watching out for these footprints can provide a valuable early warning that attacks are being made, and that vulnerabilities are being probed.

Where are these footprints? In the event logs of web servers, routers, firewalls and other pieces of IT infrastructure.

And – simply put – if those event logs suddenly contain a lot of curious errors and activity, then you can be fairly sure that someone is trying to exploit a vulnerability.

Yet, as we all know, most companies never look at these logs – even when they are the surest sign that an attack is underway.

Is such active monitoring part of your routine? If not, it really should be.
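The footprints described above can be picked out of ordinary web-server logs with very little code. The following script is an added example, not ACSN’s own tooling: it assumes an Apache/nginx “combined” access-log format, runs two checks over each line (the Bash function-definition prefix that Shellshock probes place in request headers, and a burst of 4xx/5xx responses from a single source address, which is what a scanner hunting for vulnerable paths leaves behind), and works on a handful of constructed log lines embedded inline. The signature pattern, the RFC 5737 documentation addresses and the burst threshold are all assumptions to tune for your own environment.

```python
"""Scan web-server access logs for the 'footprints' of vulnerability probing.

Checks run over each line of an Apache/nginx 'combined' format log:
  1. content signature: the Bash function-definition prefix that Shellshock
     probes place in request headers a CGI handler exports as environment
     variables (User-Agent, Referer, the request line itself);
  2. behavioural signal: many 4xx/5xx responses from one source address,
     the trail left by a scanner trying paths that do not exist.
"""
import re
from collections import Counter

# ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock signature is the function-definition prefix "() {".
# Headers rarely carry JavaScript, so false positives are uncommon, but
# review hits rather than acting on them automatically.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Assumed threshold: this many error responses from one address in the
# window being analysed is treated as a probing burst.
ERROR_BURST_THRESHOLD = 5

# Constructed sample log (RFC 5737 documentation addresses, harmless probe).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
192.0.2.10 - - [29/Oct/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2014:10:02:10 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "curl/7.38.0"
198.51.100.23 - - [29/Oct/2014:10:02:11 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "curl/7.38.0"
198.51.100.23 - - [29/Oct/2014:10:02:11 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.38.0"
198.51.100.23 - - [29/Oct/2014:10:02:12 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "curl/7.38.0"
198.51.100.23 - - [29/Oct/2014:10:02:12 +0000] "GET /tmp/ HTTP/1.1" 404 209 "-" "curl/7.38.0"
198.51.100.23 - - [29/Oct/2014:10:02:13 +0000] "GET /dev/ HTTP/1.1" 500 0 "-" "curl/7.38.0"
192.0.2.10 - - [29/Oct/2014:10:03:00 +0000] "GET /missing.png HTTP/1.1" 404 209 "http://example.com/" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line):
    """Parse one combined-format line; return a field dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_indicators(entry):
    """Names of the request fields in which the Shellshock signature appears."""
    return [f for f in ("req", "referer", "ua") if SHELLSHOCK_RE.search(entry[f])]


def analyse(log_text, burst_threshold=ERROR_BURST_THRESHOLD):
    """Run both checks over a log; return hits, error bursts and unparsed count."""
    hits = []
    errors = Counter()
    unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            unparsed += 1  # malformed lines are themselves worth a look
            continue
        fields = shellshock_indicators(entry)
        if fields:
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "fields": fields})
        if entry["status"][0] in "45":
            errors[entry["ip"]] += 1
    bursts = {ip: n for ip, n in errors.items() if n >= burst_threshold}
    return {"shellshock": hits, "error_bursts": bursts, "unparsed": unparsed}


def report(result):
    """Render the analysis as plain text, one finding per line."""
    lines = []
    for h in result["shellshock"]:
        lines.append(f"SHELLSHOCK probe from {h['ip']} at {h['ts']} "
                     f"in {', '.join(h['fields'])}")
    for ip, n in sorted(result["error_bursts"].items()):
        lines.append(f"ERROR BURST: {n} 4xx/5xx responses from {ip}")
    if result["unparsed"]:
        lines.append(f"{result['unparsed']} line(s) could not be parsed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyse(SAMPLE_LOG)))
```

Run against the sample, the script flags the probe from 203.0.113.7 (signature in the User-Agent field), the six-error burst from 198.51.100.23, and the one line it could not parse. Pointing `analyse()` at a real log is a matter of reading the file into a string; the interesting design choice is that the two checks are independent, so a probe that uses a signature you have not yet written still shows up through its error burst.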

Develop a response capability.

When security scares arise, you can rely on software companies, hardware vendors, and – where relevant – the open source community to post patches and fixes. It’s exactly what has happened with Shellshock, Heartbleed and now the Drupal CVE‑2014‑3704 flaw.

But can you afford to wait? Increasingly, the answer is no: the time lag between a vulnerability being identified and subsequently exploited is shrinking fast.

So it’s important to invest in developing the plans and resources needed to apply ‘quick and dirty’ fixes that prevent a vulnerability being exploited until the proper patches and fixes come through.

As we all know, it’s not difficult. Router rules, firewall rules, IPS rules – tweaks to these are usually sufficient. But what’s important is having the resources to make those tweaks. And in our experience, those resources are rare in a large number of organisations.

So if that sounds like a problem in your organisation, then it’s maybe time to think about outsourcing the task to an organisation which does have the capability.

The bottom line.

A year from now, the present crop of security vulnerabilities will be history. Instead, organisations will be engaging with different, newer security scares.

Many will doubtless be doing so reactively, as now. But a growing number of organisations are seeing the light, and approaching IT security more proactively.

Here at ACSN, we think that this is good news.

Because, we believe, this is by far the better – and more secure – approach to take to these threats. And with that, you’ll surely agree.

If you need any advice or assistance with your IT security then please get in touch.
