If you thought Heartbleed was the queen bee of security bugs, then you’re in for quite the shell shock.
Last month, the vulnerability known as Shellshock (CVE-2014-6271 and its follow-up CVEs) was disclosed in Bash, one of the most widely used command processors and the default shell on most Linux distributions and on Mac OS X. It lets an attacker who can control the contents of an environment variable run arbitrary commands, and because that condition is reachable over the network it can be exploited by self-propagating worms.
Bash has also been ported to Microsoft Windows and Android, where it is used to run and automate tasks.
So far the most heavily attacked targets have been web servers running CGI scripts: a CGI server copies request headers such as User-Agent into environment variables before it starts the script, so a crafted header reaches Bash and its trailing text is executed as a command.
Organisations still running such scripts could be handing attackers command execution on the host with the privileges of the web server, and from there a route into the rest of the system.
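The CGI path described above, as an added example that is not part of the original article: a detector for the Shellshock function-definition prefix in HTTP headers and access-log lines, a stopgap environment filter for a CGI front end that cannot be patched immediately, and the canonical local Bash self-test. The log lines are constructed for the demo, and the function names are the example's own. The detector checks every attacker-controlled field (request line, Referer, User-Agent), not just User-Agent, since Bash parsed any environment variable regardless of its name.

```python
import os
import re
import shutil
import subprocess

# Vulnerable Bash (before the September 2014 patches) imported any environment
# variable whose value starts with "() {" as a function definition and kept
# parsing after the closing brace, so the trailing text was executed. A CGI
# server hands request headers to the script as environment variables
# (User-Agent becomes HTTP_USER_AGENT), which is how a crafted header reaches
# Bash. The pattern is deliberately broad (matches anywhere in the value), the
# way WAF signatures of the time were written.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample log lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/hello.cgi HTTP/1.1" 200 77 "() { ignored; }; echo pwned" "curl/7.37.0"
"""


def header_is_suspicious(value):
    """True if a header or field value carries the Shellshock function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_access_log(text):
    """Return one hit per log line whose Referer, User-Agent or request line
    carries a Shellshock payload. Lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "user_agent", "request"):
            if header_is_suspicious(m.group(field)):
                hits.append({"ip": m.group("ip"), "request": m.group("request"),
                             "field": field, "payload": m.group(field)})
                break
    return hits


def sanitize_cgi_environment(env):
    """Stopgap for a CGI front end awaiting a Bash patch: drop any environment
    value that looks like a Bash function export before the script is started.
    Patching Bash is the real fix; this only closes the header path."""
    return {name: value for name, value in env.items() if not header_is_suspicious(value)}


def local_bash_is_vulnerable():
    """Run the canonical CVE-2014-6271 probe against the local bash.
    Returns True or False, or None if bash is not installed."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    probe = subprocess.run(
        [bash, "-c", "echo probe"],
        env={"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
             "x": "() { :;}; echo vulnerable"},
        capture_output=True, text=True, timeout=10,
    )
    # A patched bash prints only "probe"; a vulnerable one also prints "vulnerable".
    return "vulnerable" in probe.stdout


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['request']} ({hit['field']}: {hit['payload']!r})")
    state = local_bash_is_vulnerable()
    print("local bash:", {True: "VULNERABLE", False: "patched", None: "not installed"}[state])
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; every hit is a host that at least attempted the CGI vector, and the self-test tells you whether the machine you are standing on would have honoured it.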
Because it is network services that are exposed to this kind of attack, it is especially important to grasp how far Shellshock reaches into enterprise mobility and BYOD programmes.
The ensuing panic in the security and enterprise communities is therefore no shock at all.
Why? Because in a typical BYOD programme users reach corporate resources through several applications, each of which moves data from the employee-owned device to a network service.
Multiple apps mean multiple network services, and every one of them is another path an attacker can try.
Some organisations believe they only need to patch internet-facing systems and can leave internal network resources alone.
But in a BYOD programme every user's device has access to a great many of those internal services, so "internal" no longer means "unreachable".
This is the weak link: an attacker who compromises a device or one reachable service can use it to plant Trojans and worms on the network services behind it.
Businesses must secure and patch every network resource. Legacy systems are the most exposed, because they are also the hardest to patch.
The writing is on the wall, and it is a wake-up call worth heeding: giving attackers a foothold on the apps and network services connected to employees' personal devices makes Shellshock the largest security vulnerability BYOD has yet faced. And, like Heartbleed, it is neither the first nor the last major bug that will threaten corporate network resources.
Organisations may assume that MDM and VPN connections protect their BYOD devices and network. In truth this is far from sufficient.
BYOD devices are precisely the weakest link: a compromised personal device carries the corporate VPN connection with it, and through that connection the attacker reaches a large number of unprotected internal network services.
For architectures that install corporate apps directly on devices, Shellshock could be the nightmare they have always dreaded, and one that could take years to clear up.
Virtual mobile infrastructure (VMI) is one way to remove the problem, because there is no direct link from the device to the network services.
This relatively new approach runs the mobile platform remotely and delivers only its display to the device; all apps and data stay on a remote server, so a single secured protocol between the device and the data centre is the only channel that has to be protected.
Looking ahead, major security threats like Heartbleed and Shellshock will keep surfacing, so organisations that insist on BYOD programmes must put in place the infrastructure best able to contain them.
Sourced from Israel Lifshitz, CEO of Nubo