What we learned from the Shellshock security problem
Times are gone where small companies like us can trust that they are not the primary targets of any new hacking attacks.
Some months ago triggered by security newsletters and alerts from IBM we checked if our systems were affected by the so-called Shellshock security issue. And indeed, although this hack was just out we found some evidence that someone tried to compromise our servers.
I think we dealt with this problem very seriously and did everything right 😉
We spent a lot of time on informing customers, take systems offline until appropriate fixes were released, apply fixes, check if attacks were potentially successful and so on. But on the other hand our IT costs would explode if we`d handle all security related issues with this same engagement.
There are three important things, we learned from this incident.
1. Know what happens on your systems
One major thing is to know what happens on your system. This means to become aware of security relevant incidents and to be able to check if anything unusual happens now or happened in the past. Security information and event management (SIEM) is the key word for that. There are some big players in the market who cover a lot of questions in this area.
But I fear that these systems do not fit to our environment and IT budget. But there are alternatives and upcoming tools with a more flexible and smaller footprint.
2. Have a dedicated plan
To know what to do when a security problem is identified is the second important step.
How serious is the problem? What systems are affected?
Who has to be informed? Who has to be involved? What steps have to be done?
And finally what can we do better next time?
To be prepared is key factor here.
3. Keep systems up to date
We always try to keep the operating system of our production environment up to the latest supported and available level. Which was a big help in this case, as the shellshock fixes required a specific operating system patch level.
Well this was not the case for our test environment. We found 2 servers that were not patched, which in this case meant installing SP3 for SLES 11 in order to make use of the available Shellshock patches. This was really time consuming and needs to be avoided in future.
Keeping systems up to date is an ongoing but absolute necessary task.
You think, all of this is nice to have? I don’t think so.
The next security issue is out for some weeks; its funny name is POODLE. Are you prepared?