With the Shellshock vulnerability gaining attention in recent months, I'm worried it will affect my company's payment...
systems. Will upcoming PCI DSS audits include a look into Shellshock or require mitigation of the threat? And if so, what can my organization do to prepare for that?
The Shellshock vulnerability provides attackers with a back door into vulnerable Unix and Macintosh systems that allows the execution of arbitrary commands on those systems. This is a very serious vulnerability and system administrators should take immediate action to correct it throughout their enterprise environments. Patches are available for all major Unix operating systems and should be applied immediately.
There is no doubt that PCI DSS auditors will look for the Shellshock vulnerability within your cardholder data environment, and I think it is unlikely that an auditor would issue a passing Report on Compliance to any merchant with unpatched, exposed Shellshock issues.
Fortunately, organizations with solid PCI DSS compliance programs should already have several measures in place that would identify and correct this problem. First, the regular vulnerability scans required by PCI DSS should detect the presence of Shellshock on cardholder systems and provide instructions for remediation. Second, PCI DSS 6.2 requires merchants to apply critical security patches within one month of release. Shellshock patches became available in late September 2014, so those patches are already available. Organizations compliant with PCI DSS 6.2 should already have protections in place that correct the Shellshock vulnerability.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Check out how to meet PCI DSS requirement 6.6 and keep down costs
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.