So what have we learned since September 24th, the day the Shellshock Bash bug was disclosed?
Shellshock is a piece of insecure code in the Bash command line interpreter, written decades ago. Since its disclosure on September 24th 2014, hackers have been able to hijack thousands of servers and use them for malicious purposes such as data breaches or conscripting them into botnets for future DDoS attacks. Yahoo is the most recent enterprise to confirm that it was hit by a Shellshock exploit.
The Shellshock bug came about because the Bash source code did not follow the basic practices of secure coding, also known as the Security Development Lifecycle (SDL). The Bash code did not sanitize user input, did not use privilege separation and, most importantly, did not have a secure design or security-oriented testing. This is natural, as the software market is highly competitive. Customers demand feature-rich, high-performing software on a low budget and with minimal time to market. These considerations take priority over secure design and development, which does not directly impact the developers’ business.
Organizations have to acknowledge that the software they are using will always be written insecurely and that the next Shellshock is just a matter of time. Trying to prepare their organization for the next zero-day threat, security admins are forced to frantically chase after endless security patches from multiple software vendors. Relying on this is unmanageable and unrealistic. Furthermore, it takes time to write a patch once a vulnerability is discovered, and that interval is a free window of opportunity for hackers.
So what should security admins do? As written in my previous post, a new approach CAN cope with zero-day vulnerabilities.
- True context-aware transaction whitelisting will make it possible to understand the legitimate business traffic flow of a website.
- Transitioning to virtual patching will eliminate the need for the endless chase after patches.
- Response-based validation will allow detecting that a website is really doing what it is supposed to do and that no one is disguising a zero-day attack as a valid transaction.
- Relying on public cloud providers and an infrastructure-agnostic design will allow immediate switching between IaaS/PaaS providers in order to be resilient to vendor-specific attacks.
- Reusing the power of modern cloud providers will allow practically unlimited traffic absorption to contain massive DDoS attacks.
- Obfuscation and stealth techniques will cause attackers to choose less protected targets.
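As an added illustration of what a virtual patch for Shellshock looks like in practice (example code written for this post, not part of the original or of any product): Bash exported functions through environment variables whose value begins with `() {`, and CGI-style gateways copy HTTP headers into such variables, so a request header that starts that way can be rejected at the edge before any vendor patch is installed. The request strings and the `virtual_patch` function are constructed for the example.

```python
import re
from typing import Dict, List

# Bash's function-export feature stored a function in an environment
# variable whose value starts with "() {". The vulnerable Bash kept parsing
# past the function body, so a header value beginning this way should never
# reach a CGI handler. The regex tolerates the whitespace variants "(){".
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request into a lowercase header-name -> value map."""
    lines = raw_request.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # lines[0] is the request line
        if not line:                # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_headers(raw_request: str) -> List[str]:
    """Names of headers whose value looks like an exported Bash function."""
    return [name for name, value in parse_headers(raw_request).items()
            if FUNC_PREFIX.match(value)]


def virtual_patch(raw_request: str) -> str:
    """Decision a WAF-style filter makes: block the request or let it pass."""
    hits = shellshock_headers(raw_request)
    return "block: " + ",".join(sorted(hits)) if hits else "allow"


# Constructed sample requests for the example (not captured traffic).
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
          "User-Agent: curl/7.37\r\n\r\n")
PROBE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
         "User-Agent: () { :; }; echo constructed-test\r\n\r\n")
COOKIE_VARIANT = ("GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
                  "Cookie: (){ :;}; echo constructed-test\r\n\r\n")

if __name__ == "__main__":
    for request in (BENIGN, PROBE, COOKIE_VARIANT):
        print(virtual_patch(request))
```

The same check applies to every header a gateway exports, which is why the filter inspects all of them rather than a fixed list.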