Shellshock Retrospective: What We Can Learn

By now most organizations have started to recover from the fire drill of their incident response process that the shellshock vulnerability caused. Servers are patched, applications are upgraded, and security technologies have been updated to look for attacks meant to exploit the vulnerability in the GNU BASH (Bourne Again Shell) code. As the dust settles it’s time to look at how our organizations responded and what we, as an industry, can do better when the next vulnerability or attack hits.


For many organizations the response to the Shellshock vulnerability was much faster than the response to Heartbleed a few months earlier. This indicates a couple of key changes occurring within IT security organizations. First, responding to Heartbleed forced organizations to react to a wide-scale threat, which resulted in the formation or refinement of an incident response plan. The knock-on effect was that when Shellshock hit, organizations were in a much better position to react quickly. Additionally, many organizations took a look at their security detection and response capabilities after Heartbleed and began adding and/or updating their tools to fill the gaps that became apparent during their Heartbleed response.

To ensure that you are prepared for the next vulnerability and/or wide-scale attack, now might be a good time to review this security best practices checklist:

  1. SECURE YOUR CODE: Hackers are continually looking for ways to compromise your applications. Code that has not been thoroughly tested and secured makes it all the easier for them to do harm. By testing your libraries, scanning plugins and the like, you can save yourself headaches down the road.
  2. CREATE ACCESS MANAGEMENT POLICIES: Logins are the keys to your kingdom and should be treated as such. Make sure you have a solid access management policy in place, especially concerning those who are granted access on a temporary basis. Integration of all applications and cloud environments into your corporate AD or LDAP centralized authentication model will help with this process.
  3. ADOPT A PATCH MANAGEMENT APPROACH: Unpatched software and systems can lead to major issues for your organization. Keep your environment secure by outlining a process where you update your systems on a regular basis. Test all updates to confirm that they don’t damage or create vulnerabilities before implementation into your live environment.
  4. REVIEW LOGS REGULARLY: Log review should be an essential component of any organization’s security protocols. Take the time to review your logs — you never know what you might uncover.
  5. BUILD A SECURITY TOOLKIT: No single piece of software is going to handle all of your security needs. Be prepared for the unexpected by having the tools you need already in your arsenal.
  6. STAY INFORMED OF THE LATEST VULNERABILITIES THAT MAY AFFECT YOU: The Internet is a wealth of information; use it to your advantage. Search for the breaches and exploits that are happening in your industry. You can take lessons from those breaches to protect your environment so that you don’t become the next victim.
  7. UNDERSTAND YOUR CLOUD SERVICE PROVIDER’S SECURITY MODEL: Security in the cloud is a shared responsibility. Get to know your provider, understand where the lines are drawn, and plan accordingly.

Cyber attacks are going to happen, and vulnerabilities and exploits are going to be identified. A solid defense-in-depth strategy, coupled with the right tools and people who understand how to respond, will put you in a position to minimize your exposure and risk.