Why Shellshock is Absolutely Terrifying for BYOD Security


By Israel Lifshitz - Sep-30-2014

If you thought Heartbleed was the queen bee of all security bugs, then you’re in for quite the “Shell Shock”. Late last week, it was discovered that the security vulnerability Shellshock can be made wormable and grant hackers the ability to run arbitrary codes on Bash, the most widely-used command processor which serves as the default shell for Unix, Linux and Mac OS X, and is also ported to run and automate tasks on Microsoft Windows and Android operating systems.

CGI scripts, which have been attacked the most so far by this bug, and are being exploited to send malicious commands to servers. If you’re actually still running these scripts within your organization, then this bug essentially could give attackers access to your entire operating system.

If you consider the fact that network services are most prone to these threats then it’s especially critical to grasp the vast reach and impact Shellshock poses to enterprise mobility and BYOD programs.Therefore the ensuing panic in the cyber and enterprise communities is no shock at all.

Why? Because in typical BYOD program, users access various corporate network resources via multiple applications, each of which transfer data from employee owned devices to the desired network service. Multiple apps equal multiple network services, which leaves more pathways vulnerable to attackers.

You may have thought that you need not protect your internal network resources and only need to patch internet resources. But in BYOD programs each user’s device has access to those endless corporate services. In this particularly weak link in security, hackers can easily exploit your organization’s network services by planting Trojans and worms. You need to carefully secure and patch each network resource. If some of your systems are Legacy systems then you’re even more vulnerable as such systems are even harder to apply patches.

The writing is on the security wall, and it’s important to heed the wake up call: Giving hackers a foothold on your apps and network services which are connected to your employees’ personal devices means that Shellshock quite realistically is the largest security vulnerability ever faced by BYOD. And like Heartbleed, it isn’t the first nor will it be the last major security bug to threaten your corporate network resources.

You can say that your BYOD devices are protected by MDM and it also protects your network with VPN connections. But in truth this isn’t nearly sufficient enough.

It’s precisely the BYOD devices which are the weakest link in your corporate security, and can be easily hacked and allow such attackers access to your corporate VPN connection and to a large number of unprotected internal network services.

For security infrastructures that store their apps directly on devices, Shellshock could be the security nightmare they’ve always dreaded and potentially take years to eradicate. Fortunately, the solution to this problem – Virtual Mobile Infrastructure (VMI) – already exists. VMI is the silver bullet to precisely such a threat because there is no direct link from devices to network services. This relatively new framework virtualizes a mobile platform remotely as a display onto devices, leaving all apps and data on a remote server. This makes just one secured protocol necessary to transfer back to the data center, instead of the multiple pathways required by all other security infrastructures to service each and every app added to the device. One protocol means security teams can effectively focus on securing just one network service, making the Shellshock ordeal much more manageable, and much less terrifying. Nubo Software was the first to introduce VMI to the security industry worldwide, and its mobile platform can enable app-based firewalls from virtual devices, which permits only specific selected apps to access network services.

Looking ahead, it seems like a foregone conclusion that major security threats like Heartbleed and Shellshock are going to surface again and again, which makes it that much more imperative that organizations in our BYOD generation are proactive in setting up the infrastructure that can best solve these vulnerabilities now and into the future. VMI gives organizations the safe and remote platform to do just that.