A recent CSO Online article reported on the way that cybercriminals have begun to target message transfer agents (MTAs) with the Shellshock vulnerability to enable botnets to attack systems. Of course, the process can be used on both enterprise systems and small to midsize business (SMB) networks, but a second article today focused on how this attack may prove more detrimental to SMBs.
CSO Online author, Steve Ragan, makes the point that smaller companies “don’t have the ability to manage risk the same way a large enterprise does.” And he does have a point. SMBs often lack the budget and the capacity to house complete IT organizations, so though they try to cover basic security issues, the more obscure or complex vulnerabilities may be left open.
The Shellshock bug relates to the way Bash allows commands to be executed. IT Business Edge’s Sue Marquette Poremba covered the issue in a recent blog post, saying that it affects “Linux, Unix and Mac OSX systems.”
The vulnerability was reported in September, and many vendors have rushed to create and release patches to help correct the issue.
However, as Ragan explained, many SMBs depend on server hosting, and finding a developer to help update the script can be difficult and costly. If the system uses a script that is vital to company business, but a change would be expensive and take time, it may be left open. For those SMBs that are more cautious, additional support contracts may cover server updates, but many SMBs self-manage their servers to save money. And missing what they deem to be an insignificant patch might seem to the company owner to be no big deal—especially a patch that doesn’t fix something that isn’t working. Ragan says:
“The reality is that most SMBs don't want to pay for extended management and support, they just want the technology to work, as expected, no questions asked.”
What’s important for SMBs is to stay abreast of current vulnerabilities and attacks. If that isn’t possible, be sure your IT staff or hosting company is up on the most recent security issues. Consider that paying for additional support may actually cost less than rebuilding systems after an attack. Many data centers and hosting providers offer levels of support for security assistance.
In the instance of Shellshock/Bash, check with your provider to find out what may need to be done to update or patch your systems. Over time, knowing that your systems are patched and safe will allow you to focus on running and growing your business, not just keeping your systems safe.