Shell Shock Demands the Question: Why Aren't You Monitoring Config?

Posted by Jon Hendren

configs_secure

News about the major bash vulnerability dubbed Shell Shock is reaching far and wide at the moment, and for good reason — its effects have the potential to reach even further than its distant cousin Heartbleed had previously. IT departments have been scrambling not only to patch machines, but to even find affected machines on their own networks. As config monitoring becomes commonplace, however, today's headache will probably be remembered as something that could've been just a simple nuisance.

While both OpenSSL (responsible for Heartbleed) and the bash shell (where Shell Shock gets its name) are found in datacenters and businesses in every corner in the world, that's where the similarities end. The mechanisms exploiting the two vulnerabilities are entirely different, despite the tech media continuing to compare the two.

Even now, a week after word of the bug hit the news, IT staff are still updating a variety of boxes running varieties of OSes. Maybe it's a wise time to ask: Why aren't more people monitoring their configurations?

And I'm not talking APM here. Sure, it's great to know when CPU usage spikes somewhere or the network is saturated, but those tools wouldn't do anything in a situation like Shell Shock. A well-rounded, well-prepared IT operation requires robust config monitoring.

Think about it — did you know where (and which version) every install of bash was in your environment before Shell Shock? An average IT person will say they were on all the *nix machines and Macs, which is a start. A better IT person will know it's running on loads of networking hardware. And an even better one will think about the even wider and sometimes overlooked ecosystem of embedded devices running bash that could be affected —and our Cloud stuff, don't forget our Cloud stuff!

All that, and we haven't even approached the next step: How do you go about double-checking everything to see if bash even exists on it? And if it does, what version? Do you plan to squeeze out some shell scripts under duress and Red Bull and pray that it works?

With a proper config monitoring solution like UpGuard in place, scanning everything under the sun for its version of bash (or any other attribute the node has) is as simple as using a search bar. Rather than going on a company-wide wild goose chase, everything is just there. And there's no laying awake at night wondering if that $40 wireless router someone plugged in upstairs has bash on it. (Hint: it might.)

As IT professionals we're buried in computing every day, so it's sometimes hard to see change, but the electronic ecosystems in modern business are becoming more and more complex. Give UpGuard Free a try, and you just might be surprised to find out what's right under your nose.

UpGuard Customers