Living in an Insecure World
The discovery of the Shellshock bug (CVE-2014-6271) in the commonly deployed Bash shell means that attackers can potentially execute code on an affected machine. This comes less than 6 months after the discovery of the Heartbleed vulnerability (CVE-2014-0160) that allowed attackers to read memory containing system usernames, password and private keys. These two major vulnerabilities potentially provide means by which attackers can gain access and control networked devices.
Fixing these vulnerabilities is simple in theory; just install the latest patch supplied by the manufacturer. However, in reality this is often far from easy. Manufacturers may not release a fix in a timely manner, may not release a patch due to a device being no longer supported, or potentially may have gone out of business. Even if a patch is available, it may not be clear which devices need patching or indeed, how to go about applying a patch to a device.
Patching is by nature always retroactive. Patches can only be applied after vulnerabilities are detected, and will not protect against the next major vulnerability. As researchers improve their techniques to investigate the security of the code that underpins our systems, we can only expect that more vulnerabilities will be discovered.
Nevertheless we should not despair, within hours of the Shellshock vulnerability being discovered IPS signatures were released to detect and block malicious traffic exploiting the bug. Incorporating these solutions in a defence-in-depth layered approach to network security can protect vulnerable devices from attack, hinder attackers from compromising networks and help administrators to swiftly identify and remediate successful attacks.
Anticipating that any system will contain as yet unidentified vulnerabilities, helps us to envisage how we might protect the system. We can design a network topology of layered protection to protect and monitor our most valuable systems. We can prepare for the next major security discover by practicing the identification of vulnerable systems and the application of patches until resolving such issues becomes second nature.
We are currently in transit from a world where software was trusted to operate correctly, to one where software is rigorously scrutinised for flaws. Each discovery of a security vulnerability is painful, requiring time and effort to resolve, yet also helping to make the world more secure.
We need to accept that we are living in an insecure world and reflect on what this means. We can be certain that the many computing devices that surround us contain as yet undiscovered vulnerabilities. By considering this, we can prepare and design the systems, procedures, and protection necessary so that when the next big bug bites, we can be confident that everything is situation normal.Tags: