The Shellshock/Bash flaw will persist for several years, and will divide security professionals into those who know UNIX systems and those who do not.
Speaking to IT Security Guru, CISO and GiveADay founder Amar Singh believes that not many people will understand the complexity of the flaw. “Those who know Windows will not understand Bash unless they have worked with UNIX for two to three years, and a lot of CISOs’ only experience has been with Windows,” he said.
“The majority of CISOs and CIOs have no clue what UNIX is; it is a boring black screen that engineers use. The sad reality is not many CISOs know why they are fixing it either. As they don’t understand it that urgency may not exist, and that is why this is a catastrophic vulnerability.”
Singh said that this is bigger than Heartbleed, which related only to SSL, whereas Bash is common everywhere, Linux included.
John Colley, professional head for EMEA at (ISC)2, said that Shellshock will be a test of business resolve to prioritise security. “Now that Shellshock has been revealed, and the door has been thrown open, it will be interesting to see if companies take action,” he said.
“I fear this will lead to complacency, and consequently a string of breaches down the line. Hackers and cyber criminals will be counting on it and are now actively investing in their opportunities to take advantage of this flaw, if they haven’t done so already.”
Colley claimed that every CISO should be thinking about quantifying their exposure, specifically identifying those systems that are at risk. He said: “More importantly, once companies determine which systems have the vulnerability, they have visibility into the functions and data that are at risk, and can mount an appropriate response.
“This could be anything from taking systems offline, investing resources into moving functions and data to servers that are not showing the vulnerability, or simply monitoring them more closely as their IT teams thoroughly research developments.”
Singh agreed with Colley, saying that this is where the CISO will be put to the test: this is not something that can be fixed quickly, it requires a long exploratory period, and that work can become tedious if it is not prioritised. He said: “How many Heartbleed fixing plans have been completed?
“I know so many are running old Sun Microsystems boxes, so how do you prioritise? Having the ability to respond to a breach before it becomes an incident is really critical. As for the ability for a CISO to call on resources and respond to an incident before it becomes a breach, at the moment there are noises but nothing certain yet.”
Singh agreed on the need for a proper incident response plan, as “this will be a gift that keeps on giving for many years, possibly longer than Heartbleed ever will.”