alphaspirit - Fotolia
With the Shellshock vulnerability gaining attention in recent months, I'm worried it will affect my company's payment systems. Will upcoming PCI DSS audits include a look into Shellshock or require mitigation of the threat? And if so, what can my organization do to prepare for that?
The Shellshock vulnerability provides attackers with a back door into vulnerable Unix and Macintosh systems that allows the execution of arbitrary commands on those systems. This is a very serious vulnerability and system administrators should take immediate action to correct it throughout their enterprise environments. Patches are available for all major Unix operating systems and should be applied immediately.
There is no doubt that PCI DSS auditors will look for the Shellshock vulnerability within your cardholder data environment, and I think it is unlikely that an auditor would issue a passing Report on Compliance to any merchant with unpatched, exposed Shellshock issues.
Fortunately, organizations with solid PCI DSS compliance programs should already have several measures in place that would identify and correct this problem. First, the regular vulnerability scans required by PCI DSS should detect the presence of Shellshock on cardholder systems and provide instructions for remediation. Second, PCI DSS 6.2 requires merchants to apply critical security patches within one month of release. Shellshock patches became available in late September 2014, so those patches are already available. Organizations compliant with PCI DSS 6.2 should already have protections in place that correct the Shellshock vulnerability.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Check out how to meet PCI DSS requirement 6.6 and keep down costs
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading