CIO

Privacy Commissioner battles Bash vulnerability

Government agencies, enterprises urged to protect IT systems against Bourne Again Shell (Bash) vulnerability

Australian Privacy Commissioner Timothy Pilgrim is urging government agencies and businesses to protect their IT systems against the Bourne Again Shell (Bash) vulnerability.

Bash runs on many Unix-like operating systems, including Linux, that host websites.

“All entities covered by the Privacy Act must take reasonable steps to protect the personal information they hold. These obligations include regularly monitoring the operation and effectiveness of ICT security measures to ensure they remain responsive to changing threats, vulnerabilities and other issues that may impact the security of personal information,” he said in a statement.

Patches and software upgrades should be rolled out as soon as possible, said Pilgrim.

He added that businesses and government agencies can refer to the Office of the Australian Information Commissioner’s Guide to Information Security.

The guide provides organisations with the reasonable steps they need to take under the Privacy Act to protect personal information.

CERT Australia said the most important action businesses can take is "to act in accordance with advice from vendors, including the installation of priority software updates."

CERT Australia has released the following tips on its website:

  • Patch affected Internet-facing systems at the earliest opportunity, and monitor vendor advisories for further updates.

  • Be aware that details relating to the BASH vulnerability and its exploitation are rapidly evolving and should be closely monitored.

  • Work closely with security vendors to determine if they have effective detection and mitigation strategies, and application vendors to determine which products are affected.

  • Internet-facing systems should be closely monitored for related activity and detected incidents should be reported to CERT Australia.

  • Follow good cyber security practices to secure Internet connected devices.
Follow Hamish Barwick on Twitter: @HamishBarwick