Compliance|Information Security|Research

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links.

This new vulnerability is much easier to exploit than heartbleed and can have a huge negative impact to your organization.  Windows Server environments are not immune either.  We have been waiting for the dust to settle before jumping on the media hype about all of this, and we wanted to make sure that information was gethered from multiple sources, official security organizations had made their opinions public, and that we weren’t just posting information to try and gather web hits.

According to Errata Security

What is ShellShock?

Shellshock is a vulnerability in a shell within Linux called Bash.  This shell is available on much of the web; at least 35% of all web servers are running Apache which doesn’t necessarily mean those servers have Bash installed, but many if not most of them will.

For a comprehensive and technical overview of the bug, visit TroyHunt’s post about it.  We are not going to dig into the details; we want to make sure you have the information you need to make a decision for your organization.

Why should my organization be concerned?

This vulnerability can allow an attacker from the outside without access to anything, but a public facing webpage to gain access to a shell.  In the best case scenario, we don’t anyone gaining a shell on an internal system because they would have the potential to perform any command they want.  Now, there are commands that require elevated priveleges to execute, but I have found more than my fair share of web servers running sites as root or similar.  The attacks also don’t have to come from the web.  Early proofs of concept have shown vulnerabilities from SSH and DHCP as well as other protocols as well.  This vulnerability is a perfect candidate for a wide spread worm.

According to Robert Graham at Errata Security, the issue is much more widespread than we think, and the vulnerability is already being exploited and attacked in the wild.

To summarize, this vulnearbility could potentially provide someone full control of a server with minimal effort(look how easily the vulnearbility was exploited here by just browsing to a web page or here by setting up a DHCP server).   Think about it, if a DHCP server can exploit, and Macs are vulnerable, what is the risk of using a Mac on public wifi now? That is why the CVSS score is as bad as it gets:

CVSS Severity (version 2.0):

CVSS v2 Base Score: 10.0 (HIGH)
Impact Subscore: 10.0
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Source: NIST

How do I know if I am vulnerable?

On a linux machine (this can be devices with embedded linux as well such as phones, routers, switches, etc) run the following command:

env x='() { :;}; echo this machine is vulnerable' bash -c "echo testing"

If the output of this command contains ‘this machine is vulnerable’, then it is.

Macs are vulnerable as well, but there is a little more effort to test.  Additionally, users are dependent upon Apple to push out the updates.

What do we do?

That one is tough because not all systems have updates.  For those that do have updates, it can be completed with minimal effort (though standard change control procedures should be used).  Many linux distributions have released updates, but as some researchers have noted not all fixes have worked.

Here is the processes we suggest taking within your network:

  1. Don’t panic, most of your primary systems are not vulnerable.
  2. Identify all systems that may be running bash which includes Macs (giving priority to any with public facing websites or even services such as Telnet, FTP, SSH, etc)
  3. First, if you have public facing Telnet or SSH turn it off. If you have public facing FTP, it should at least be running SFTP or FTPS.
  4. Contact vendor support or vendor resources and determine if patches are available (here is a good starting point for vendor information)
  5. Deploy patches, and retest
  6. For devices where patches are unavailable, consider the risk to the organization, if the risk outweighs the benefit consider options including shutting down the device
    1. Is the device public facing?
    2. Does it have direct access to important information?
    3. What would the impact to the business be if this device went down?
    4. Is this device necessary?

If you need assistance performing any of the services please contact us at or call us at 205-202-4233.

Compliance|Information Security|Research

Budgeting For Security

Security budgeting is a layered approach

Security is important, for an organization, and its customers. However, there is often a misconception that security costs are included in the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure and mistakes can happen anywhere. Where should you focus your efforts?

Cover the Basics first

Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider:

  1. Review your security policy
  2. Ensure security patches are up to date, for all hardware/software
  3. Make sure all of your devices are running AV software and are up to date
  4. Review your password policy for weak passwords
  5. Encrypt all portable devices
  6. Provide security training for end users, and IT staff
  7. Regularly review your Firewall/IDS rules
  8. Follow best practices for remote access/VPN solutions
  9. A monitoring/logging solution should be in place

Budget Considerations

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses. If you do not have the in-house expertise available, you may need to rely on outside assistance. Some items to consider:

  1. Formalized development of security policies and procedures
  2. Security monitoring or outsourced assistance
  3. Vulnerability and penetration testing
  4. Third party inspection
  5. Multifactor Authentication
  6. Mobile Device Security/Management
  7. Internet controls/restrictions
  8. Secure Large File transfer methods
  9. NAC
  10. Wireless security
  11. Data Loss Prevention
  12. Incident response/tracking
  13. Backups/DR/Business Continuity

Studies have shown that a good overall security posture will reduce the overall cost of a security breach.