The potential exposure of the Shellshock bug is undoubtedly significant. Linux underpins the majority of web servers, network routers and Apple Macs running OS X.
Despite its prominence, there have been relatively few stories around its exploitation, which could lead to complacency. Businesses need to ensure that they do not become victims of breaches later down the line and protect themselves as a matter of priority.
Recent research has shown that criminals are exploiting Shellshock for malicious purposes, so it is imperative that businesses take action.
IT departments need to quantify their exposure to the Shellshock bug and identify the systems that are at risk. There are some simple commands, which are widely publicised on the internet, that can be used to see if the system being tested is vulnerable.
A number of patches have been issued to reduce the impact of this vulnerability. These patches should be applied, but not all patches protect against all of the exploits that are being developed.
It is important, therefore, that intelligence is gathered about the status of each patch and what exploits it protects against.
As new patches are developed, they also should be applied to affected systems. IT departments should continue to test their systems against new exploits as they are developed and reported on the internet.
Those systems that are still vulnerable should be the subject of further consideration in terms of what can be done to mitigate or reduce the risk they represent.
For example, businesses could take systems offline, invest resources into moving functions and data to servers that are not showing the vulnerability, or simply monitor them more closely as their IT teams thoroughly research developments and await patches that will eventually provide a solution to this problem.
Finally, it is worth noting that the scale of Shellshock is such that security professionals have the opportunity to go above and beyond the direct tactical fix to assess risk and find weakness across their entire IT infrastructure. It may well be worth moving forward planned reviews of overall security stature or intended investments for improvement.
John Colley is managing director Emea for (ISC)2.
Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Related content from ComputerWeekly.com
RELATED CONTENT FROM THE TECHTARGET NETWORK
This was first published in November 2014