How to Mitigate Shellshock RisksSecurity Leaders Outline Response Strategies
As news of the freshly discovered Bash bug known as Shellshock continues to spread, CISOs in all sectors are taking steps to mitigate the risks posed by the vulnerability. Similarly, industry associations have ramped up dissemination of alerts related to the bug.
Shellshock potentially makes millions of systems vulnerable to remote takeovers because of a flaw in Bash, a Unix shell (see: Shellshock Bug: How to Respond).
The bug allows attackers to execute shell commands remotely, which would allow them to take control of a system, dump all data stored on the system, as well as launch automated worms that could use the vulnerability to exploit every Bash-using system inside a network.
Banks Working to Understand Threat
The Federal Financial Institutions Examination Council on Sept. 26 issued an alert, urging banking institutions to act quickly to address the Shellshock vulnerability.
"Financial institutions and their service providers should assess the risk to their infrastructures and execute mitigation activities with appropriate urgency," the FFIEC says. That assessment should include identifying all servers, systems and appliances that use the vulnerable versions of Bash and follow appropriate patch management practices.
Banks relying on third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action, the FFIEC says (View the FFIEC Shellshock Vulnerability Alert).
The first priority for financial institutions is to understand the threat and where vulnerabilities may exist within their environments, including systems and devices, says Doug Johnson, senior vice president of risk management policy for the American Bankers Association.
"Institutions are talking to their third parties because it's clear both from a business standpoint and with regulatory concerns that there's a lot of interest in making sure third parties are also patching their systems," Johnson says. "There's been a lot of active communication across the industry that has been very helpful to ensure all types of institutions have the same level of information for them to patch their systems."
The ABA has put out materials for members to help them both understand Shellshock and how to communicate with their management, customers and employees about the threat and what the individual institution is doing to counteract it, Johnson says.
For institutions that identify vulnerabilities, they should be treated as suspect and isolated per incident response procedures, says Neira Jones, an independent cybercrime and payments fraud advisor. "[Banks] should also really be prepared to change passwords and revoke or reissue certificates with private key components stored on any compromised devices, as well as potentially disabling other embedded systems and network devices which by their very nature could be difficult to patch," Jones says.
A vulnerability with a US-CERT score of 10 certainly got PeaceHealth's attention, says Christopher Paidhrin, security administration manager in the information security technology division at the healthcare delivery system in the Pacific Northwest. "We try not to be alarmist in our notifications, but [this] gets our attention and our engagement," he says.
After learning about the vulnerability, Paidhrin says PeaceHealth followed its standards-based internal incident response protocols. Those protocols include notifying key system and application stakeholders; and tasking server farm leadership with reviewing current remediation plans and how their plans might be modified.
"A core Unix/Linux flaw is serious, especially when authentication is not required," Paidhrin says. "If the threat remains high, we engage a rapid response team to monitor and remediate the threat exposure."
Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, or NH-ISAC, one of the 18 ISACs supporting U.S. critical infrastructure protection, says her organization is addressing Shellshock both with public and private health stakeholders. "NH-ISAC is holding an in-depth intelligence and response meeting regarding this incident with members," she says. The meeting took place early on Sept. 25, soon after the Bash flaw was revealed.
Also on Sept. 25, the Health Information Trust Alliance issued an alert on Shellshock "to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations."
HITRUST, based on its assessment, ranks Shellshock as a more serious vulnerability than Heartbleed due to the ability of potential cyber-attackers to use the exploit to craft malicious code that enables them to gain complete control of a compromised server.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
"While patches have been released for several major Linux-based server operating systems, media reports claim the patch does not fully close the Shellshock vulnerability," HITRUST says. The organization recommends healthcare entities review their information security controls.
US-CERT, in its alert, says the critical vulnerability was reported in the GNU Bourne Again Shell, the common command-line shell used in most Linux/UNIX operating systems and Apple's Mac OS X. "This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems," US-CERT says. "It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways."
Computer emergency response teams are recommending organizations patch affected systems as quickly as possible. "US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit."
UK-CERT has published a Unix command that can be run to test if a system is vulnerable. It says that "Web servers should be considered high priorities for patching."
Shellshock vs. Heartbleed: 'Striking Similarities'
Shellshock has striking similarities to Heartbleed, in that there are numerous potentially significant exposures to poorly maintained and/or unmanaged or unmonitored systems, says Mike Weber, vice president of Coalfire Labs, a forensic investigations firm.
"Going forward, protecting against these exploits translates into having the appropriate controls, policies and procedures in place on both commercial systems, and now, with the Internet of Things, likewise down to the consumer level," he says.
The vulnerability can be patched simply on modern server and client operating systems such as RedHat, Debian, Ubuntu, OSX or CentOS, Weber explains. "However, patches for other types of systems, such as those running embedded Linux, may be much harder to get and ultimately distribute. Coalfire expects the most damaging exploitation of this vulnerability on those hard-to-patch systems that are exposed to the Internet."
The Shellshock bug is going to be big news for a while, Weber says, who says they'll most certainly be at least one high-profile hack against enterprise systems, most likely via a web server attack. "That high-profile web server attack will be the result of negligence, slow reaction, poor IT management processes, or a combination of all three," he says.
Anton Chuvakin, a vice president of the security and risk management research team at Gartner, disagrees however with Shellshock's comparisons to Heartbleed. "The impact - easy remote access by an attacker - is worse, but not every site is exploitable, unlike Heartbleed," he says. "In fact, early evidence seems to point at exploitable sites numbering in the thousands, not millions."
Chuvakin says organizations should focus remediation on the Internet-visible servers first. "Scan your servers for the vulnerability to know how exposed you are, if at all, and do not limit the scanning to the Internet-visible sites, since having this issue on the internal servers makes the attacker's job easier," Chuvakin says.
And while it might sound generic, organizations should not make their security architecture solely reliant on patching. "Big vulnerabilities will happen, and so will zero-day vulnerabilities," Chuvakin says. Organizations' strategies should involve defense-in-depth, layers and controls not reliant on updates and monitoring.