It’s been just over two weeks since the Bash vulnerability known as Shellshock came to light. IT service providers are not shocked.
“I’m not necessarily surprised. It seems like every quarter we’re getting hit with something fairly large. It seems like just a couple of months ago that Heartbleed came out, ” said Delano Collins, Director of Network Operations,EDTS.
“I fully expect there are other vulnerabilities that haven’t come to the surface yet.”
“Shellshock” refers to the security vulnerabilities found in Bash, a common command-line shell for Linux and Unix systems. If exploited, the flaw can allow attackers to execute arbitrary commands on a system, giving them full control.
Millions of systems and appliances – from web servers to smart TVs – have the vulnerability. (AccessEnforcer is not among them)
The IT providers we spoke with are not surprised by Shellshock, nor has it caused them many problems.
“Fortunately we’re more of a Windows shop so we didn’t have to race to fix a lot of things,” said David Ruchman, CTO, Powersolution.com. “Most of the patches we had to apply were done by our vendors.”
Collins echoed that sentiment. His team deals very little with Unix and Linux. They operate mostly in Windows.
“For the managed service providers that we see, I think that’s fairly typical,” he said.
SMB IT clients have not escaped completely unscathed, however. Many of them outsource web hosting to third parties, and their web servers are very likely to be exposed.
“Unfortunately the web hosting providers are often the slowest to respond to the threats, so I imagine there are a lot of web sites that are still vulnerable,” said Collins.
IT providers in the SMB space are not running scared, but the scope, scale, and severity of Shellshock should give them pause.
One lesson is clear: the components under the hood are a major factor in security. The choices a vendor makes when designing a product has a direct impact on the security of its customers.
We made a conscious decision not to use Bash in our network security device, AccessEnforcer. While it would have been convenient, it simply did not serve the needs of our customers. They are typically small and medium-size businesses who prefer our GUI instead of a command-line interface.
Would other vendors use as much care in the selection of their components? Too many, we feel, cram unnecessary features into their products. The result is a larger attack surface and potentially weaker security.
We encourage you to work with vendors who have shown they are more interested in the security of their product rather than the length of its feature list. The total cost of ownership is often lower in the long run.
For more info, get our free report: how to accelerate profits on network security.
Some vendors have dozens of products exposed to Shellshock, but many of them have been fast to respond to the news.
“All of our vendors were proactive,” said Ruchman. “We didn’t have to reach out to any and ask about a patch… Either they patched or they released patches that we then applied to those devices.”
That’s great for routers, servers, and other appliances that typically need updating – but what about thermostats? Or smart televisions? Many devices in the “internet of things” are vulnerable to Shellshock.
Will all of them be patched? Only time will tell. In the meantime, we recommend keeping an eye on the vendors who are exposed, watching how they respond, and remembering their behavior when it’s time to buy again.