Shellshocked Clouds?

September 2014 saw another bombshell, “Shellshock”, hit the security community in the form of a set of vulnerabilities in “Bash,” a component of most UNIX-based systems. It has the potential of causing great damage, and the community has been in a frenzy trying to fix every impacted system. Already millions of attempted attacks have been thrown at nearly every system on the Internet, and some attackers have tried to turn this into a self-replicating “worm”. To be considered secure, vendors’ networks must be protected by multi-layer firewalls and intrusion detection systems. These networks must also be monitored by a 24x7x365 Security Operations Center (SOC). The only security approach that endures is a “SECURITY IN DEPTH” strategy, similar to the one followed by LiveOps, with multiple overlapping and redundant layers of protection.

At LiveOps, we use a holistic approach to security. From the moment a project is envisioned and placed on the drawing board, through its development and testing steps until after its deployment, our application security team reviews each step. Security must be an integral part of how a vendor designs and builds their platform through every stage of the software development lifecycle – not an afterthought. Furthermore, the security system should be thoroughly tested to prove that the solution adheres to, or exceeds, industry-standard security requirements. Cloud-based systems require round-the-clock monitoring to ensure the security and integrity of customer data, to protect against security threats or data breaches, and to prevent unauthorized access to customer data.

The instant a system is placed into our secure data centers, it is monitored and audited, patched and analyzed. The data is safeguarded right up until the end when years later the hard drive on which the data sits meets its final resting place in an industrial shredder at a recycling center.

Whenever a vulnerability is exposed, as with Shellshock (or any of dozens of less visible vulnerabilities that are discovered every month), the LiveOps team reviews the impact, decides on a remediation plan, and implements it with the appropriate team.

In the case of Shellshock, our approach consisted of the following seven steps:

  1. Search for any cases of public vulnerability using automated scans from multiple vendors and manual testing. (None were found.)
  2. Update Web Application Firewall rules and notify the Security Operation Center team.
  3. Review IDS logs for attack attempts. (Various attempts were seen, but none were successful.)
  4. Full-scale roll out of the appropriate patches with various iterations.
  5. Test the proof-of-concept code to verify the success of the patching on every machine.
  6. Run internal vulnerability scans to verify that no boxes were missed.
  7. Run a “white box” review of all production source code for “bash” usage.

Some of these tasks were executed in parallel and required effort from the entire team, but we managed to resolve this issue quickly, without security exposure and without any impact to production processes.

What can you do as a user of cloud systems?

Besides the usual best practices for security (on which we are always happy to advise our customers), the only thing to do is to remain vigilant, and make sure you properly review your cloud provider.

Incidents like this will happen again in the future. Be sure to pick a partner that is ready for them.

Image courtesy of Stuart Miles at