Shellshock should come as a timely reminder to every person who is connected directly or indirectly to a device that is accessible from the public internet. And that footprint will most likely cover almost every living person in the world today, though most of us won’t have the faintest idea how it affects all of us.
But the point of this post is not to educate you about the vulnerability. The point of this post is that even I can’t, at this time, say with any degree of certainty that I have a good handle on the attack surface of the problem on the servers that I run. I have been dealing with servers for close to 15 years now and used to run my own stack for a long time, but I no longer do that.
Keeping even a single public-facing server secure these days is not a simple job. It is not good enough to be even somewhat well-versed in security issues anymore. Security is a full-time job and if you are not a specialist, you are exposing your business and your users to risk that you don’t have any idea of.
Incidents like the story of Codespaces serve as a frightful introduction to how badly all of this can go wrong. Even so, I don’t see much improvement in the approach most companies take towards the issue of security, trying to cut corners by not involving specialists for the job.
Every couple of weeks, I am asked to help out a start-up or a big company that has some problem or the other in its infrastructure. In a good number of these cases, it is a given that the security is either lax or non-existent. A recent case involved a start-up that had zero instrumentation in place other than the high-level overview that the AWS reporting interface provides.
The great thing about the cloud revolution is that it has made access to quality infrastructure easy and the cost of that access ridiculously cheap. I can spin up a server, on a public IP with 16GB RAM, in a minute. Which also means that an idiot like me can get root on a fairly powerful machine without having enough knowledge or ability to properly secure it.
That ease, increasingly, is becoming a huge problem.
While it is true that everyone has to start learning somewhere before they get really good at anything, the fact is that this growing universe of servers that are not properly secured now represents a nice pool for the large number of bad actors who thrive on these things. As a result, I gave up managing servers on my own a while ago (the incredibly complex iptables rules on a well-secured server quickly demonstrated how out of my depth I was on the topic) and don’t recommend self-managed services to clients either.
Even so, in most cases, clients wind up going the AWS route, trying to handle the servers on their own without having a good enough team in place to secure them, or they try to cut corners in the worst possible manner and go for the cheapest deal out there. In either case, a couple of months down the line they are hit with performance or security issues that they can’t fathom. And in the worst-case scenario, their servers are broken into and they have no idea that they have been compromised.
By the time the realization happens that something is wrong, reputations (in the case of data theft) are destroyed or the ability to grow the business is curtailed due to infrastructure issues. In trying to save the market salary of one good IT professional, organizations wind up giving up many times that number in terms of lost revenue.
If you are a decision maker in any organization, I urge you to get in place some professional help sooner rather than later. This is a problem that will only grow as more and more devices become accessible from the internet. Don’t wait for that big break-in before scampering around to fix the problem.