We've all seen the news about the next big threat to information systems, Shellshock, which takes advantage of a vulnerability in the now ubiquitous open source Bash shell (Bourne-Again Shell).
The immediate reaction to the announcement was ominous, with claims that the new Bash bug, Shellshock, is much worse than Heartbleed. We're not sure that we're entirely in that camp for a number of reasons, but it is very safe to say that Shellshock is a threat to be taken quite seriously, as the number of port scans looking for services affected by this vulnerability has already increased significantly. Those organizations that are doing security correctly (defense in depth, network segmentation, firewalls with DMZs, etc.) have far less to worry about than those who still believe they won't eventually get hit.
The good news is that a patch for the source code already exists and can be applied. The bad news is that a patch for the raw source code requires the end user to apply the patch to the source code, recompile, and then re-deploy the binary -- something beyond the scope of most end users, and something that means most will be waiting for a pre-compiled binary distribution from the operating system vendor. Most of the major operating system providers have, or will have, a patch available for widespread deployment very soon.
Further bad news is that embedded systems, such as medical devices, cameras, network appliances, and so on, will require waiting for the manufacturer to make a fix available (which can take far longer than your typical operating system), and it will be necessary to re-image the flash/boot code for the device. Any such assets that are accessible from the Internet will be vulnerable until the vendor publishes a fix.
It is also safe to say that Heartbleed and Shellshock are not the last of these types of threats that will present themselves, but, rather, the beginning of a new era of threats that affect multiple systems throughout an enterprise and create a real challenge for organizations. Even months after the Heartbleed bug surfaced, thousands of systems are still vulnerable to it -- just consider the unfortunate breach of Community Health Systems.
One remedy for Shellshock that is being discussed is the use of an application layer firewall or proxy service. This is definitely one mitigating control, but only if the application layer firewall or proxy is configured properly and supports the vulnerable port(s)/service(s); not all services have widely available proxy services or application layer gateways. It also does not mitigate the risk of "insiders" exploiting the vulnerability, so the assets in question would still need to be patched or completely isolated from internal traffic. By and large, the threat to the bulk of most organizations' assets will be manageable through good security practices, proper configuration, and patch management.
What is most at risk? Any asset that runs an embedded operating system, such as appliances and network gear. This poses a significant threat to the healthcare industry due to the large number of medical devices that could be affected by the new bug. Once again, the healthcare industry is at risk from devices that are critical to providing care. More importantly, hospitals are not in a position -- without significant replacement or security costs -- to address the issue. Simply put, we need standards around developing and accrediting medical devices that are going to go on hospital networks or connect directly to patients and communicate with the network. It is irresponsible to allow these critical care assets to be developed and implemented in a manner that makes them a risk to the hospital or the patient.
The security threat that Shellshock poses to medical devices clearly demonstrates why more guidance is needed. Fortunately, later this month the FDA is holding a workshop in Alexandria, Va., on this topic to gather input from providers, device manufacturers, and other interested parties. The agency is also reportedly finalizing its guidance on medical device security considerations for manufacturing and implementation. Hopefully, that guidance will have the force and accountability of a new rule; otherwise, we fear that the FDA won't accomplish its intended purpose. We are sure that some device makers will adopt its tenets and do the right thing, but if history repeats itself with voluntary compliance, there will be far more that don't.
Ultimately, it will leave the end users (providers and patients) right where they are today ... at risk.
Dr. Michael G. Mathews, President, COO, and co-founder of CynergisTek, also contributed to this column.