
The Shellshock Threat: Don’t Get Caught In The Aftermath

Imagine a bank vault. Impenetrable and secure, tucked behind layers of security. Now imagine all you needed to break in was a toothpick.

Shellshock, a major security vulnerability publicly disclosed on September 24, 2014, presents this kind of threat. The flaw lives in the Bash shell, one of the most widely used utilities on Unix and Linux systems, and that shell is the key to the exploit. Essentially, Shellshock allows a remote, unauthenticated attacker to run arbitrary commands on any affected device.

The exposure is widespread. Everything from switches and mail servers to smart appliances is potentially affected. The number of at-risk systems is in the hundreds of millions.

One of the major concerns with Shellshock is how easily the exploit can be executed. It is entirely automatable and requires only a small amount of technical knowledge. It requires no user authentication, and it can be leveraged across a large number of different attack vectors, creating serious threats to all kinds of security programs.

A good security system depends on layers.  Think of a bank vault. You have the front door to the bank, the security guards, the alarm system, and the vault door itself. All of these different layers of security add to a network’s protection. Shellshock can be used to break through many of those layers with the same tool.

And once an attacker has compromised a system with Shellshock, he or she has control. An attacker can steal financial information, personal healthcare files, or any other sensitive information. If the attacker chose to, he or she could corrupt entire databases and shut down systems.  In short, Shellshock can throw an entire network into chaos.

Even detecting a Shellshock attack is tricky. Unless a network stays up to date on every patch from every vendor, it remains at risk. Skilled attackers can cover their tracks and clean up after themselves. And some vendor patches still do not completely fix the issue.

Preventing a Shellshock attack is challenging, but possible. There are so many different avenues and methods of exploitation that full prevention is simply not achievable for many networks. However, there are some preventative measures network administrators can take to start protecting a network from Shellshock.

Updating systems with the latest vendor patches is one obvious way to start locking down a network that is affected by Shellshock. Because Shellshock is so prevalent, immediately applying patches is one of the best ways to keep a network as secure as possible.

Another method is implementing the security principle of least privilege, which means granting only the access a system or user needs to do its job. For example, an organization may consider blocking protocols like SSH and Telnet on the network except for those who absolutely need access. This security best practice helps reduce the attack surface for Shellshock and other exploits.

Many Intrusion Prevention Systems (IPS) can be configured to report when a Shellshock attack is underway, and closely monitoring log activities can alert you to any suspicious network activity as well. Remember that most IPSs are configured for external threats only. Internal attacks are still possible, so don’t forget to monitor those systems as well. Even an IPS in monitor mode on your internal network is valuable – having an early warning from an intrusion report can give you the time you need to stop the attacker before he or she compromises the system.
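As an added illustration of the log review described above (this script is not part of the original post), the following Python code scans web server log lines in the common combined format for the Bash function-definition marker that Shellshock probes carry in attacker-controlled request fields. The log lines, addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Shellshock probes place an exported Bash function definition, "() {", in a
# value that a CGI script will receive as an environment variable. Whitespace
# between the parentheses and the brace is allowed, so the match is loose.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx combined log format. The request line, Referer and User-Agent
# are attacker-controlled and are exported into the CGI environment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    # Return the log fields as a dict, or None for lines that do not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_field(entry):
    # Return the first field carrying the marker, or None if the line is clean.
    for field in ("request", "referer", "ua"):
        # Decode percent-encoding first so "%28%29%20%7B" is seen as "() {".
        if SHELLSHOCK_RE.search(unquote(entry[field])):
            return field
    return None

def scan_log(lines):
    # Return (source ip, timestamp, field) for every line that looks like a probe.
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            field = probe_field(entry)
            if field is not None:
                hits.append((entry["ip"], entry["ts"], field))
    return hits

# Constructed sample log (documentation address ranges): a normal request, a
# probe in User-Agent, a percent-encoded probe in Referer, an unparseable line,
# and a benign request whose parentheses must not raise an alert.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Sep/2014:10:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.24 - - [25/Sep/2014:10:03:10 +0000] "GET /cgi-bin/status HTTP/1.1" 404 196 "%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe" "curl/7.37.0"',
    'not a log line',
    '203.0.113.11 - - [25/Sep/2014:10:04:02 +0000] "GET /docs/func().html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux) Gecko"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the two probe lines and their source addresses; the same check can be pointed at a live access log to give the early warning the paragraph above describes.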

For website security, a Web Application Firewall (WAF) can help prevent a Shellshock attack. A well-configured WAF can deny a would-be attacker the ability to execute code through any attack vector your website exposes.

Network scanning and penetration tests can also provide insight into the different exploits your network is susceptible to. If you can lock out an attacker before he or she takes control, you win. The best protection against Shellshock is to implement a robust, layered defense-in-depth strategy so you don’t get caught with shellshock in the aftermath.

Brian DiPaolo | Assessment & Compliance Practice Director
Anton Abaya | Consultant
