Shellshock, Heartbleed – the carnage continues


There have been several significant security vulnerabilities announced in the last few weeks, with Heartbleed in the OpenSSL library used by many web servers and Shellshock in the Bash shell.

What’s new and different about these vulnerabilities?  There are two points to make here:

  • The vulnerabilities have been around for years and affected components are embedded in lots of hard-to-reach areas.  You don’t just have to worry about external web-based applications; you also have to consider web-based configuration programs that you may not even realise existed.
  • The vulnerabilities are in open-source code.  Vendors love to use open source components for applications and devices, especially embedded ones, because they’re cheap and legally unencumbered.  But there’s a downside: many open source components, even widely used ones like OpenSSL, aren’t always maintained as carefully as they should be.

What should organisations do?

In the short term, you should set up a task to search for, and patch, affected components.  This may need to include services run by outsourced or cloud providers.  If you haven’t done this before, bear in mind that you will probably have to do it again many times over the next few years; try to make it into a repeatable process.
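One way to make the search step repeatable is to keep an inventory of which hosts run which component at which version and triage that inventory with a script, rather than checking hosts by hand each time. The POSIX shell below is an added example written for this post, not code from the original article or from any vendor; it classifies OpenSSL version banners against the Heartbleed-affected range (upstream 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g) and reports the hosts that need attention. The inventory records and host names are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): repeatable Heartbleed triage over
# an inventory of OpenSSL version banners. Distributions often backport the fix
# without changing the upstream version string, so "candidate" means
# "investigate against the vendor's package advisory", not "confirmed vulnerable".

# Extract the version token from an `openssl version` banner such as
# "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
openssl_version_from_banner() {
    # shellcheck disable=SC2086  # word splitting on the banner is intended
    set -- $1
    printf '%s\n' "$2"
}

# Return 0 (true) when the upstream version falls in the Heartbleed range.
heartbleed_candidate() {
    case "$1" in
        1.0.1)        return 0 ;;   # 1.0.1 with no letter suffix
        1.0.1[a-f]*)  return 0 ;;   # 1.0.1a .. 1.0.1f, including "-fips" builds
        1.0.2-beta1)  return 0 ;;   # the one 1.0.2 pre-release that shipped the bug
        *)            return 1 ;;
    esac
}

# Constructed sample inventory: one "host component banner" record per line.
SAMPLE_INVENTORY='web01 openssl OpenSSL 1.0.1f 6 Jan 2014
web02 openssl OpenSSL 1.0.1g 7 Apr 2014
nas01 openssl OpenSSL 0.9.8y 5 Feb 2013
lb01 openssl OpenSSL 1.0.1e-fips 11 Feb 2013'

# Read inventory records on stdin; print "host version" for each candidate.
triage_inventory() {
    while read -r host component banner; do
        [ "$component" = openssl ] || continue
        ver=$(openssl_version_from_banner "$banner")
        if heartbleed_candidate "$ver"; then
            printf '%s %s\n' "$host" "$ver"
        fi
    done
}

# Usage: feed the inventory in and act on the hosts listed.
printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

Run against the sample data, the script lists web01 and lb01 as candidates and skips web02 (already on 1.0.1g) and nas01 (the 0.9.8 branch never had the heartbeat code). The same pattern extends to other components, but for Shellshock a Bash version number alone does not tell you whether the fix is present, because the fixes were issued as patch levels and backports; the package advisory from your distribution or appliance vendor is the authoritative source either way.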

You will probably run into all sorts of non-technical problems, such as obsolete systems with developers who can’t be contacted, or service providers who don’t see why they should take on new work that’s not in their contract.

This brings out two aspects of your IT ecosystem that you may need to be aware of as a security practitioner: the supply chain (the route by which software and hardware components get into your IT estate) and the service chain (the set of outsourced and cloud-based service providers your organisation relies upon).

When you procure new IT components or services, you need to make sure security is considered right from the start.  Your suppliers must have clear obligations around issues such as right of audit, patching timescales and notification of vulnerabilities.  You’ll need to ensure that open source components are covered properly, too.  If you don’t think about these issues early on, you will create significant costs and risks for your organisation later.
