The “Shellshock” cybersecurity vulnerability has received a great deal of media attention in the past few days. Safeguarding the ethics and compliance data we process for customers is one of our top priorities. We would like to share the measures we have taken to protect our clients and partners from this risk.
Background
“Shellshock” refers to a collection of security vulnerabilities, including those known formally as CVE-2014-6277, CVE-2014-6278, CVE-2014-6721, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 (and others are appearing), which are present in the popular Unix and Linux shell “bash.” Specifically crafted commands sent to an exposed, unpatched server could allow code to be executed on that server. However, we have a number of policies and procedures in place to mitigate these types of ongoing risks.
Review & Mitigation
Upon learning about the vulnerability, we immediately screened each of our customer-facing servers to determine the impact. Our EthicsPoint Case Management, Third Party Risk Management, PolicyTech Policy Management and NAVEX Global Learning Management System (LMS) do not use bash, and are therefore unaffected. IntegriLink Classic and Portal Case Management servers did have the affected versions of bash. In response to this risk, on September 29, 2014, the IT Hosting Team deployed all available patches for correcting the vulnerability, and are applying patches using our emergency change control procedures as new patches become available.
Questions?
Please feel free to reach out to Client Support or to your NAVEX Global sales representative with any additional questions or concerns.
