Published on the 08/10/2014 | Written by Beverley Head
Australia’s privacy commissioner has weighed into the Shellshock computer vulnerability issue to remind local enterprises that they must keep on top of computer and data security…
The Shellshock bug, more accurately a vulnerability in the Bourne Again Shell (Bash), which has sent software developers and system administrators scurrying to find fixes and roll out patches, has attracted the interest of Australia’s Privacy Commissioner Timothy Pilgrim.
Pilgrim last week weighed into the issue to remind Australian enterprises which are covered by the Privacy Act 1988 that they must take reasonable steps to protect the personal information they hold. “These obligations include regularly monitoring the operation and effectiveness of ICT security measures to ensure they remain responsive to changing threats, vulnerabilities and other issues that may impact the security of personal information. Where a vulnerability has been identified, patches and software upgrades should be rolled-out as soon as possible,” according to Pilgrim.
He recommended that organisations refer to the advice posted by Australia’s national Computer Emergency Response Team, CERT Australia, and follow their vendors’ advice about available updates.
Patches have been widely released for the problem, so far with varying success: the first Bash fix proved incomplete and had to be followed by further updates, so checking a version string alone is not enough. IT service management vendor Kaseya last week suggested a three-pronged approach to ensure a comprehensive check of enterprise systems: use a detection script to audit the version of Bash installed on the default path and write it to the procedure log entry on Linux and OS X machines; run the most up-to-date test case against each Linux and OS X machine; and audit systems for all instances of Bash that have been installed, not just the one on the default path.
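The three steps above, as an added example written for this page (it is not Kaseya’s script and reproduces none of its tooling): a POSIX sh script that reports the version of the Bash on PATH, runs the widely circulated test for the original Shellshock bug (CVE-2014-6271, in which an exported variable of the form `() { :;}; command` is imported as a function and the trailing command executed), and then repeats that test against every Bash binary in a list of common install directories. The directory list and the output strings are the example’s own choices, and the test case covers only the original function-import bug; the later follow-on bugs in Bash’s parser need the vendors’ updated test cases, which is the point of Kaseya’s second step.

```shell
#!/bin/sh
# Added example, not Kaseya's script: three-step Shellshock audit for a
# Linux or OS X host. Needs only POSIX sh plus the bash binaries it inspects.

# Step 1: report the version of the bash found first on PATH (the "default path").
bash_version_on_path() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no bash on PATH"; return 1; }
    "$bash_bin" -c 'echo "$BASH_VERSION"'
}

# Step 2: run the CVE-2014-6271 test case against one bash binary.
# A vulnerable bash imports the exported variable x as a function definition
# and also executes the command after the closing brace, so "vulnerable" is
# printed; a patched bash ignores the trailing command. Returns 1 if
# vulnerable, 0 if patched, 2 if the binary cannot be run.
shellshock_test() {
    bin=${1:-bash}
    case "$bin" in
        */*) ;;                                  # already a path
        *)   bin=$(command -v "$bin" 2>/dev/null) || { echo "not found: $1"; return 2; } ;;
    esac
    [ -x "$bin" ] || { echo "not executable: $bin"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable: $bin"; return 1 ;;
        *)            echo "patched: $bin";    return 0 ;;
    esac
}

# Step 3: enumerate every bash binary, not just the one on PATH. Package
# managers, MacPorts/Homebrew and vendor appliances commonly leave extra copies
# under /usr/local and /opt; the directory list below is this example's
# assumption and should be extended for your estate.
find_bash_instances() {
    for dir in /bin /usr/bin /usr/local/bin /opt/local/bin /opt/homebrew/bin /sbin /usr/sbin; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 \( -type f -o -type l \) \
            \( -name bash -o -name 'bash[0-9]*' \) 2>/dev/null
    done | sort -u
}

# Run the test case against every instance found; non-zero if any is vulnerable.
audit_all_bash() {
    rc=0
    for b in $(find_bash_instances); do
        shellshock_test "$b" || rc=1
    done
    return $rc
}

# Usage: sh shellshock_audit.sh
bash_version_on_path
audit_all_bash
```

The version string from step 1 is only a log entry: distributions backported the fixes without bumping the upstream version, so a host is judged by the outcome of step 2, and a clean result on PATH says nothing about a second copy of Bash found in step 3.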
Dealing with the rising onslaught of computer security problems is a significant and costly issue for all enterprise IT shops.
However it’s a challenge which can’t be shirked. The amended Privacy Act which came into force earlier this year boosted the powers of the Office of the Australian Information Commissioner which can assess organisations’ privacy compliance, accept enforceable undertakings and seek civil penalties of up to $1.7 million if organisations fail to comply.
In determining what amounts to the “reasonable steps” required under the Privacy Act, the Commissioner last week recommended that enterprises refer to the Office of the Australian Information Commissioner’s Guide to Information Security for the steps needed to protect personal data.