
Comments
Poll: Patching Is Primary Response to Shellshock
Marilyn Cohodas
User Rank: Strategist
10/29/2014 | 9:10:17 AM
Re: Shellshock Vigilance and BYOD Policy > Android?
"I've found that when you connect the dots to the business or eventually the bottom line people start to listen."

Great advice, @ODA155. Definitely worth repeating.
ODA155
User Rank: Ninja
10/28/2014 | 1:24:07 PM
Re: Shellshock Vigilance and BYOD Policy > Android?
@RyanSepe, I'd suggest gathering as much reputable information, evidence and documentation as you can when trying to make your case. Show them proof that cannot be denied nor argued away. Also, I stopped trying to convince anybody of anything because nowadays everyone is a "lawyer" and wants to spend hours on end debating and trying to poke holes in what you're saying, which is fine if they actually knew what they were talking about, but I just lay out the facts as they are, PRO and/or CON. I've found that when you connect the dots to the business or eventually the bottom line, people start to listen.

I'm sorry if I come off as a "cynic", but I stopped taking it "personal" a long time ago; you can only do the best that you can... but you don't stop. However, I do keep all documentation from everything I've tried to do, win or lose, that might support any new engagements down the road; just because you lose the battle doesn't mean the threat goes away. As for "victories"... take them where you can get them.
RyanSepe
User Rank: Ninja
10/28/2014 | 1:06:02 PM
Re: Shellshock Vigilance and BYOD Policy > Android?
@ODA155

Yes, you understood correctly. And that was the only resolution we could come up with as well. It seemed blocking the exploited vector was the only true way of handling this. Just didn't know if anyone handled it differently. Congrats on your InfoSec victory! We could all use a few more of those.
Marilyn Cohodas
User Rank: Strategist
10/27/2014 | 3:35:19 PM
Re: Shellshock Vigilance and BYOD Policy > Android?
Well, keep up the good work! (And I hope you enjoyed that extra-long lunch.) We need to hear about more successes in infosec!
ODA155
User Rank: Ninja
10/27/2014 | 3:32:37 PM
Re: Shellshock Vigilance and BYOD Policy > Android?
@Marilyn Cohodas... I'd never let them see that! Just a 30-minute-longer lunch break (outside of the building) while I contemplated the next fight that I would pick with management :-) ... and that was a fight we'd had many times before.
Marilyn Cohodas
User Rank: Strategist
10/27/2014 | 3:27:08 PM
Re: Shellshock Vigilance and BYOD Policy > Android?
I hope you took a victory lap for that success, @ODA155!
ODA155
User Rank: Ninja
10/27/2014 | 3:16:59 PM
Re: Shellshock Vigilance and BYOD Policy > Android?
@RyanSepe... If I understand you correctly, you (your company) are trying to decide how to deal with mobile devices that may not be owned by the company? Well, I would submit that any mobile device that has been configured or allowed to handle your corporate data in ANY way should comply with an MDM policy... also, now would be a very good time to review that policy and recommend changes, or start the conversation to implement a policy if you don't have one. Depending on your MDM provider/vendor, you can then begin to limit what you can to reduce the threat surface from these devices.

Although it was not related to ShellShock but to the fact that our mobile users were infecting the network with more malware than the average PC user, we blocked them all until we could figure out how to approach the problem. We just allowed mobile phones back into the fold, and we've decided to treat each request differently, whereas a business need must be proven to allow any access more than the usual email. The reason for this was that we had just finished deploying AV to all mobile devices owned by the company, while employees approved to use their own devices had to reacknowledge the terms and conditions for using company resources AND had to agree to purchase AV for those devices prior to connecting to corporate resources. Sure, there were plenty of complaints, but my job is security, not politics... fortunately I won this battle.

Good luck!
RyanSepe
User Rank: Ninja
10/27/2014 | 11:45:10 AM
Re: Shellshock Vigilance and BYOD Policy > Android?
From my company's perspective, we are all caught up in critical patching for our systems. However, we do have a BYOD policy, and this is the reason for my previous inquiry. Devices that an enterprise does not have jurisdiction over cannot be forced to apply manufacturer updates. The only recourse is to employ MDM safeguards to not allow access to the network for those devices. Just didn't know if anyone else has developed any different recourse and the justification as to why that recourse was chosen.
Marilyn Cohodas
User Rank: Strategist
10/27/2014 | 11:28:57 AM
Re: Shellshock Vigilance and BYOD Policy > Android?
That's a good question, Ryan. I hope we get some commentary from other readers.

From your perspective, though, are you all caught up with the critical patching in your company? Or is it still an ongoing concern & project?
RyanSepe
User Rank: Ninja
10/27/2014 | 8:24:59 AM
Shellshock Vigilance and BYOD Policy
Great article! It's important to note that any enterprise not taking the proper precautions to scan against this vulnerability is putting its company's data at monumental risk.

One question I wanted to pose was for Linux kernel variants such as Android: how have enterprises been handling ShellShock from a mobile standpoint? Specifically, if they have a BYOD policy or a hybrid. Many of the less tech-savvy may not be aware of the vulnerability, and if so, they are not going to take the steps to check with the manufacturer for remediation steps. Any ideas?
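One concrete way to act on "scan against this vulnerability" on hosts you do control is to verify that the bash patch actually took effect. This is an added example, not code from the thread or from any poster; it assumes bash is installed and uses a harmless probe that only prints a marker.

```shell
#!/bin/sh
# Added example (not from the thread): local self-check that a host's bash
# is patched against the original Shellshock bug. A vulnerable bash imports a
# function definition from any environment variable and keeps executing what
# follows the closing brace; a patched bash stops at the brace, so the
# trailing echo never runs. Assumption: the interpreter to test is given as
# $1 (default: "bash" on PATH).

shellshock_check() {
  target="${1:-bash}"
  # Constructed probe: a function body followed by a trailing command that
  # only prints a marker. Nothing on the host is modified.
  out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$target" -c 'echo probe-ran' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) echo "$target: VULNERABLE (patch missing)"; return 1 ;;
    *probe-ran*)         echo "$target: patched"; return 0 ;;
    *)                   echo "$target: could not execute interpreter"; return 2 ;;
  esac
}

# Usage: check the default bash; pass another path to test a second copy
# (embedded or container images sometimes ship one outside PATH).
shellshock_check "${1:-bash}"
```

Run it from your configuration-management or inventory tooling on every Linux host, since a host that still prints the marker has not received the fix regardless of what the package manager reports.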