
Perimeter
10/24/2014 04:17 PM
Marilyn Cohodas
Commentary
Poll: Patching Is Primary Response to Shellshock

As potential threats mount, Dark Reading community members home in on patching infrastructure but not devices, according to our latest poll.

In the month since the disclosure of "Shellshock," the critical remote command execution Bash bug affecting practically everything from servers to sensors to storage, members of the Dark Reading community are putting their principal efforts into patching, according to our latest online poll.

Rated 10 out of 10 by the Common Vulnerability Scoring System for its impact and ease of exploitation, Shellshock has in the intervening weeks already been weaponized by Mayhem, an existing botnet malware, and has been seen in in-the-wild exploits targeting QNAP network-attached storage devices.

In the meantime, related bugs continue to be discovered, which Internet pioneer Paul Vixie sees as the beginning of a future of 'Hair On Fire' bugs so vast that "it will take 10 years to patch most computers affected by the bug" and the rest -- including embedded devices and sensors -- "will be vulnerable for the lifespans of all humans now living."

Sounds daunting, for sure. It's no wonder that Dark Reading respondents were so busy patching and checking for the bug that there was little time even to take our online Shellshocked & Bashed poll, which had one of the smallest response rates -- a mere 214 -- since we started taking the pulse of the community on current events and topical issues last spring.

Our question this time was fairly direct. We wanted to know what steps members are taking or planning to take in response to Shellshock and Bash; they could select as many answers as applied.

Responses To Shellshock/Bash Bugs

The magnitude of the problem was reflected in the number-one response: patching. Nearly three out of four respondents report that they are "patching what we can and trying to stay up to date on new vulnerabilities." But bug fatigue also was evident. Only slightly more than half of poll takers say they are checking vendors' patch information against the CVEs.
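Checking vendor advisories against the CVE list tells you which package version you need; it does not tell you whether the bash binary on a given box actually has the fix, since distributions backport patches without changing the version string. The quicker check is to probe the binary with the published test strings. The script below is an added example for this article, not code from Dark Reading or from the poll; the function names, the variable name "probe" and the use of a mktemp scratch directory are my own choices. It tests a bash binary for the original bug, CVE-2014-6271, and for the incomplete-fix follow-up, CVE-2014-7169.

```shell
#!/bin/sh
# Added example (not from the original article): probe a bash binary for
# Shellshock using the two widely published test strings.
#
# Background: pre-patch bash imported shell functions from any environment
# variable whose value began with "() {", and its parser kept evaluating past
# the closing brace, so commands appended to the value ran on import. That is
# what let attacker-controlled HTTP headers, passed into CGI environments,
# execute commands remotely.

# check_cve_2014_6271 /path/to/bash -> prints vulnerable | patched | missing
check_cve_2014_6271() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    # Constructed probe: a function body followed by an extra command. A
    # vulnerable bash runs "echo SHELLSHOCK" while importing the variable;
    # a patched bash never treats a plain variable as a function definition
    # (it may warn on stderr, which we discard).
    out=$(env probe='() { :;}; echo SHELLSHOCK' "$bash_bin" -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# check_cve_2014_7169 /path/to/bash -> prints vulnerable | patched | missing
# The first upstream fix left a parser bug: the published test string makes
# an affected bash write the output of "date" into a file named "echo" in the
# current directory, so the probe runs in a throwaway directory.
check_cve_2014_7169() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    scratch=$(mktemp -d) || { echo missing; return 0; }
    ( cd "$scratch" && env probe='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then
        echo vulnerable
    else
        echo patched
    fi
    rm -rf "$scratch"
}

# shellshock_report [/path/to/bash] -> one line summarising both checks.
# Defaults to the first bash on PATH; pass a path to test another build,
# for example one extracted from an appliance firmware image.
shellshock_report() {
    bash_bin=${1:-$(command -v bash || echo /bin/bash)}
    echo "$bash_bin 6271=$(check_cve_2014_6271 "$bash_bin") 7169=$(check_cve_2014_7169 "$bash_bin")"
}

shellshock_report "$@"
```

Run it with no arguments to test the system bash, or with a path to test a specific binary. A result of "patched" for both checks means the binary has the upstream fix that stops importing functions from arbitrary variables (patched builds only recognise the BASH_FUNC_name%% encoding); "missing" means the path was not an executable or no scratch directory could be created, not that the build is safe.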

The device issue proved to be more of a conundrum. Just 20% of respondents are bothering to take an inventory of smart devices in their company, a step recommended by several experts. Slightly fewer -- another 19% -- are planning to replace non-upgradeable or un-auditable devices with devices they can control.

Even more of a shock to me was the 16% of respondents who say they are doing nothing. But I take with a grain of salt those of you who say you don't know what Shellshock or Bash is. So let me ask the question another way, an essay question if you will. Is the industry overreacting to Shellshock? And if you're not looking beyond infrastructure patching, why aren't you? Let's chat about it in the comments section below.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
Comments
Marilyn Cohodas, User Rank: Strategist
10/29/2014 | 9:10:17 AM
Re: Shellshock Vigilance and BYOD Policy>Android?
"I've found that when you connect the dots to the business or eventually the bottom line people start to listen."

Great advice, @ODA155. Definitely worth repeating.
ODA155, User Rank: Ninja
10/28/2014 | 1:24:07 PM
Re: Shellshock Vigilance and BYOD Policy>Android?
@RyanSepe, I'd suggest gathering as much reputable information, evidence and documentation as you can when trying to make your case. Show them proof that cannot be denied nor argued away. Also, I stopped trying to convince anybody of anything because nowadays everyone is a "lawyer" and wants to spend hours on end debating and trying to poke holes in what you're saying, which is fine if they actually knew what they were talking about, but I just lay out the facts as they are, PRO and\or CON. I've found that when you connect the dots to the business or eventually the bottom line people start to listen.

I'm sorry if I come off as a "cynic", but I stopped taking it "personal" a long time ago; you can only do the best that you can... but you don't stop. However, I do keep all documentation from everything I've tried to do, win or lose, that might support any new engagements down the road; just because you lose the battle doesn't mean the threat goes away. As for "victories"... take them where you can get them.
RyanSepe, User Rank: Ninja
10/28/2014 | 1:06:02 PM
Re: Shellshock Vigilance and BYOD Policy>Android?
@ODA155

Yes, you understood correctly. And that was the only resolution we could come up with as well. It seemed blocking the exploited vector was the only true way of handling this. Just didn't know if anyone handled it differently. Congrats on your InfoSec victory! We could all use a few more of those.
Marilyn Cohodas, User Rank: Strategist
10/27/2014 | 3:35:19 PM
Re: Shellshock Vigilance and BYOD Policy>Android?
Well, keep up the good work! (And I hope you enjoyed that extra-long lunch.) We need to hear about more successes in infosec!
ODA155, User Rank: Ninja
10/27/2014 | 3:32:37 PM
Re: Shellshock Vigilance and BYOD Policy>Android?
@Marilyn Cohodas... I'd never let them see that! Just a 30-minute-longer lunch break (outside of the building) while I contemplated the next fight that I would pick with management :-) ... and that was a fight we'd had many times before.
Marilyn Cohodas, User Rank: Strategist
10/27/2014 | 3:27:08 PM
Re: Shellshock Vigilance and BYOD Policy>Android?
I hope you took a victory lap for that success, @ODA155!
ODA155, User Rank: Ninja
10/27/2014 | 3:16:59 PM
Re: Shellshock Vigilance and BYOD Policy>Android?
@RyanSepe... If I understand you correctly, you (your company) are trying to decide how to deal with mobile devices that may not be owned by the company? Well, I would submit that any mobile device that has been configured or allowed to handle in ANY way your corporate data should comply with an MDM policy... also, now would be a very good time to review that policy and recommend changes, or start the conversation to implement a policy if you don't have one. Depending on your MDM provider\vendor, you can then begin to limit what you can to reduce the threat surface from these devices.

This was not related to ShellShock but to the fact that our mobile users were infecting the network with more malware than the average PC user, so we blocked them all until we could figure out how to approach the problem. We just allowed mobile phones back into the fold and we've decided to treat each request differently, whereas a business need must be proven to allow any access more than the usual email. The reason for this was that we had just finished deploying AV to all mobile devices owned by the company, while employees approved to use their own devices had to reacknowledge the terms and conditions for using company resources AND had to agree to purchase AV for those devices prior to connecting to corporate resources. Sure, there were plenty of complaints, but my job is security, not politics... fortunately I won this battle.

Good luck!
RyanSepe, User Rank: Ninja
10/27/2014 | 11:45:10 AM
Re: Shellshock Vigilance and BYOD Policy>Android?
From my company's perspective, we are all caught up in critical patching for our systems. However, we do have a BYOD policy, and this is the reason for my previous inquiry. Devices that an enterprise does not have jurisdiction over cannot be forced to apply manufacturer updates. The only recourse is to employ MDM safeguards to not allow access to the network for those devices. I just didn't know if anyone else has developed any different recourse, and the justification as to why that recourse was chosen.
Marilyn Cohodas, User Rank: Strategist
10/27/2014 | 11:28:57 AM
Re: Shellshock Vigilance and BYOD Policy>Android?
That's a good question, Ryan. I hope we get some commentary from other readers.

From your perspective, though, are you all caught up with the critical patching in your company? Or is it still an ongoing concern & project?
RyanSepe, User Rank: Ninja
10/27/2014 | 8:24:59 AM
Shellshock Vigilance and BYOD Policy
Great article! It's important to note that any enterprise not taking the proper precautions to scan against this vulnerability is putting its company's data at monumental risk.

One question I wanted to pose was for Linux kernel variants such as Android: how have enterprises been handling ShellShock from a mobile standpoint? Specifically, if they have a BYOD policy or hybrid. Many of the less tech-savvy may not be aware of the vulnerability and, if so, they are not going to take the steps to check with the manufacturer for remediation steps. Any ideas?