'Shellshock' bug may help criminals access computer systems, businesses warned as SME cyber shortcomings are brought into focus

Out-Law News | 26 Sep 2014 | 3:10 pm | 3 min. read

A security vulnerability has been identified in a popular computer software component which could be used by criminals to gain control of IT systems, organisations have been warned.

The vulnerability, dubbed the 'Shellshock' bug, is present in "Unix-based operating systems such as Linux and Mac OS X", the US Computer Emergency Readiness Team (US-CERT) said in a security advisory it has posted. In a separate advisory, CERT-UK said that the Shellshock bug is "likely to affect a much wider community" than that which was affected by the 'Heartbleed' bug discovered earlier this year.

The US-CERT has recommended that organisations look to their technology providers for a security update to address the problem, amidst concern that an initial 'patch' that has been issued does not fully fix the security hole that has been identified.

"Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system," the US-CERT said.

The UK's data protection watchdog, the Information Commissioner's Office (ICO), said that the discovery of the Shellshock bug highlights the need for organisations to keep their software and systems up to date.

"This flaw could be allowing criminals to access personal data held on computers or other devices," an ICO spokesperson said. "For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure. The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action."

Internet users should also apply the security updates "as soon as practically possible", the spokesperson added. The ICO issued IT security guidance for businesses earlier this year.

At a cyber security roundtable event in London on Thursday hosted by IT service provider Networks First, former head of payment security at Barclaycard, Neira Jones, said there was a "blatant lack of supply chain due diligence" on the issue of cyber security.

There was broad agreement from the other panel members on the assertion that there is a "disconnect" between the SME community and the cyber security agenda, and the need to improve security measures and practices.

A lack of skills and interest in technical issues relating to cyber security within the SME community is hampering efforts to improve those companies' cyber security standards, said Pierre Audoin Consultants director Duncan Brown.

Jones, a former advisory member of the Payment Card Industry Security Standards Council and now an independent advisor in payments, digital innovation and cyber security, said that SMEs are only likely to act to improve their approach to cyber security where there are "commercial imperatives" to do so. Mandating better standards through regulation alone will not have the desired effect, she said.

"In the commercial world it will always come down to how much it costs, 'when do I have to do it by' and 'what else will suffer if I do do it'," Jones said. "Compliance is absolutely necessary but it is how it is deployed," she added. "It is for organisations to understand their risk and what the consequences are [of failing to comply]."

Jones suggested that mechanisms for penalising businesses that fail to achieve appropriate cyber security standards could be effective.

Jay Abbott, managing director of cyber security consultancy justASC, said that there are some plans already in place to incentivise better cyber security protections from suppliers of all sizes within central government under the 'Cyber Essentials' scheme.

Abbott, who likened protecting IT systems from security breaches to preventing water from seeping out of a colander, said the UK government is expected to confirm that businesses will only be able to win contracts from central government departments in future if they adhere to the Cyber Essentials guidance.

Dr Adrian Davis, managing director of the International Information Systems Security Certification Consortium (ISC²) in Europe, the Middle East and Africa, said the onus is on large cloud providers and other service providers to offer solutions that deliver better cyber security capability. He said those companies have the resources to develop cyber security solutions that can raise the standards currently evident across business.

Appointing a new government minister responsible for cyber security matters could help improve how the government engages with business on cyber security, said Adrian Culley, the former head of Scotland Yard's computer crime unit.

Jones said that a new initiative that could see business directors become personally liable for failing to prevent economic crime may also help drive cyber security higher up the board room agenda within small businesses.

Dr Geraint Price, lecturer in information security at Royal Holloway University, said that the focus of businesses should shift from trying to prevent security breaches to how they can and should respond to incidents, given the increasing frequency of cyber attacks and likelihood of those attacks being successful.

Jones said that businesses should be required to test their cyber incident response plans regularly, and at the very least once a year.