Shellshock, Heartbleed – the carnage continues

There have been several significant security vulnerabilities announced in the last few weeks, most notably Heartbleed in the OpenSSL library that many web servers use for TLS, and Shellshock in the Bash shell.

What’s new and different about these vulnerabilities?  There are two points to make here:

  • The vulnerabilities have been around for years and the affected components are embedded in lots of hard-to-reach places. Heartbleed had been in OpenSSL since 2012 and Shellshock in Bash since 1989, so you cannot assume that only recently built systems are affected. You don't just have to worry about your external web-based applications; you also have to consider the web-based administration interfaces on appliances, printers and other embedded devices, which you may not even realise exist, and anything that hands untrusted input to a shell, such as CGI scripts.
  • The vulnerabilities are in open-source code. Vendors love to use open source components in applications and devices, especially embedded ones, because they are free and carry permissive licences. But there is a downside: many open source components, even ones as widely used as OpenSSL, are not always maintained or reviewed as carefully as they should be, and once a component is baked into a product it is the vendor, not the upstream project, who has to get the fix to you.

What should organisations do?

In the short term, you should set up a task to search for, and patch, affected components. This may need to include services run by outsourced or cloud providers. Remember that a patch is only effective once the vulnerable code is no longer running: restart or rebuild anything that links the old library, and in the case of Heartbleed assume that private keys on exposed servers may have leaked and reissue certificates. If you haven't done this before, bear in mind that you will probably have to do it again many times over the next few years; try to make it into a repeatable process.
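A minimal version of that search, as an added example (this is not code from the original post): a script that can be run on every host, by hand or from a configuration management tool, and whose single output line is collected into an inventory so the same sweep can be repeated next time. The function names are this example's own; the version ranges and CVE identifiers are the published ones for the two vulnerabilities.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the local host for
# the two vulnerabilities discussed above and prints one inventory line.

# Shellshock (CVE-2014-6271): a vulnerable bash executes the command that
# follows a function definition imported from the environment. The payload
# only echoes a marker, so it is harmless to run on a vulnerable host.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo SHELLSHOCKED' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCKED*) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
}

# Heartbleed (CVE-2014-0160): affects OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1; fixed in 1.0.1g. The 0.9.8 and 1.0.0 branches have no TLS
# heartbeat code. Takes the output of `openssl version` as its argument.
# Caveat: distributions backport fixes without changing the upstream version
# string (a patched Debian build still reports 1.0.1e), so
# "version-vulnerable" means "check the package changelog", not "exploitable".
check_heartbleed_version() {
    set -- $1          # split "OpenSSL 1.0.1f 6 Jan 2014" into words
    ver=$2
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.1-*|1.0.2-beta1) echo "version-vulnerable" ;;
        1.0.1*|1.0.2*)                          echo "version-patched" ;;
        "")                                     echo "unknown" ;;
        *)                                      echo "not-affected" ;;
    esac
}

# One line per host: "<hostname> shellshock=<status> heartbleed=<status>"
report() {
    host=$(uname -n)
    if command -v openssl >/dev/null 2>&1; then
        ssl_status=$(check_heartbleed_version "$(openssl version 2>/dev/null)")
    else
        ssl_status="no-openssl"
    fi
    printf '%s shellshock=%s heartbleed=%s\n' "$host" "$(check_shellshock)" "$ssl_status"
}

report
```

Run it again after patching: a host that still reports `vulnerable` for Shellshock has a second copy of bash somewhere, and a `version-vulnerable` result on a host you believe is fixed is exactly the backported-package case the comment describes. Embedded devices that offer no shell cannot be checked this way at all, which is why the inventory of what you own matters as much as the script.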

You will probably run into all sorts of non-technical problems, such as obsolete systems with developers who can’t be contacted, or service providers who don’t see why they should take on new work that’s not in their contract.

This brings out two aspects of your IT ecosystem that you need to be aware of as a security practitioner: the supply chain (the route by which software and hardware components get into your IT estate) and the service chain (the set of outsourced and cloud-based service providers your organisation relies upon).

When you procure new IT components or services, you need to make sure security is considered right from the start. Your suppliers must have clear obligations around issues such as right of audit, patching timescales and notification of vulnerabilities. You'll need to ensure that open source components are covered properly too: who tracks vulnerabilities in the components a product contains, and who is obliged to deliver the fix. If you don't think about these issues early on, you will create significant costs and risks for your organisation later.
