'Shellshock' - a privacy threat for your school?

7/10/14

The Privacy Commissioner recently urged businesses (including non-government schools) and government agencies to protect their IT systems against the Bourne Again Shell (BASH) vulnerability.  All schools, including non-government schools, should be aware of the BASH bug and its potential to threaten the security of the personal information they hold about students and other members of their school community.

What is BASH?

BASH is a command interpreter (a 'shell') that is installed in the operating system of millions of computers globally. It originated on the Unix operating system and allows users to type commands and have them executed. BASH is used in many software contexts, including servers, desktops and mobile devices. The bug affects many Unix-based operating systems including Linux and Mac OS X, in particular those that host internet-facing services such as a website.

The bug is a security flaw called 'Shellshock' that can be used to allow unauthorised users to hack into vulnerable servers. Once inside, attackers could deface websites and steal user data.

According to this article published on Vox, whether these computers or other devices are actually vulnerable depends on whether they invoke BASH in an unsafe way. Vox also states that most Microsoft software does not use BASH and so is unlikely to be affected by the bug.

How should you protect against BASH?

Australia’s Computer Emergency Response Team, CERT Australia, advises schools that:

  • they should monitor their software provider's advisories in the first instance, and check the CERT Australia website for any significant updates; and
  • the most important action they can take is to monitor and to act in accordance with advice from software providers, including the installation of priority software updates.

If you have not received any advice from a software provider but fear that your software may be at risk, you may also want to ask your ICT manager to begin a software audit to check for vulnerabilities.
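As a practical illustration of what such an audit can include, the script below is an added example and is not part of the original article or of any CERT Australia or software provider guidance. It is a local self-check that an ICT manager can run on the school's own Unix, Linux or Mac servers to see whether the installed BASH still imports function definitions from environment variables in the unsafe way that Shellshock relies on. The variable name `probe`, the function names and the advice text are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: local Shellshock self-check.
# A vulnerable bash, when started, treats an environment variable whose value
# begins with "() {" as a function definition and also runs any command that
# follows it. A patched bash ignores the trailing command.

shellshock_status() {
    # "nobash": nothing to check on this host (for example a system without bash)
    command -v bash >/dev/null 2>&1 || { echo "nobash"; return 0; }

    # Constructed test variable: a harmless function body followed by an
    # extra "echo vulnerable". Only an unpatched bash prints that word.
    out=$(env probe='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
    return 0
}

# Plain-language advice for each status, so the result can go straight into
# an audit log or a note to the school's privacy officer.
shellshock_advice() {
    case "$1" in
        vulnerable) echo "Install the bash update from your software provider immediately, prioritising internet-facing servers." ;;
        patched)    echo "bash no longer imports functions unsafely; keep monitoring provider advisories." ;;
        nobash)     echo "bash is not installed on this host; check other hosts and network appliances separately." ;;
        *)          echo "unknown status: $1"; return 1 ;;
    esac
}

# Usage: run once per host and record the output.
status=$(shellshock_status)
echo "$(uname -n): bash status = $status"
shellshock_advice "$status"
```

This check only exercises the originally reported flaw; later Shellshock-related fixes to BASH are not covered by it, so a "patched" result is a reason to keep following your software provider's advisories rather than a reason to stop. Appliances such as routers or printers that embed BASH cannot be checked this way and should be confirmed with their vendors.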

BASH and privacy laws

The potential for the Shellshock bug to allow unauthorised users to access data held on a server means that all schools should be reviewing their physical and ICT security measures to ensure that they are as resilient as possible.

Australian Privacy Principle (APP) 11 requires schools to take reasonable steps to protect personal information from ‘interference’, as well as from misuse, loss, unauthorised access, modification or disclosure. The inclusion of ‘interference’ in APP 11 is intended to recognise that attacks on personal information may not be limited to misuse or loss, but may also interfere with the information in a way that does not amount to a modification of its content (such as attacks on computer systems).

To meet their privacy obligations in light of the potential security risk presented by Shellshock, schools should consider the following risk management steps:

  • assess the likelihood of the BASH bug affecting your systems;
  • identify ways to control the risk of a data security breach presented by the BASH bug e.g. by implementing privacy enhancing technologies;
  • develop a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security e.g. Privacy Policy, ICT Security Policy - or if you already have these policies in place, review them in light of the BASH bug risk; and
  • train staff and managers in security and fraud awareness, practices, procedures and codes of conduct.

Schools should also be aware of what to do in the event that a breach of privacy does occur. The Office of the Australian Information Commissioner has published a useful guide entitled 'Data breach notification guide: a guide to handling personal information security breaches', which was developed to assist entities that have obligations under the Privacy Act 1988 (Cth) to respond effectively to data breaches. The guide provides general guidance on key steps and factors to consider when responding to a data breach, including notification of breaches.

Don't panic

Above all, there is no need to panic about Shellshock. Check with your ICT manager to ensure they are aware of the bug, and proceed from there if any vulnerabilities are detected.

About the Author

Xenia Hammon

Xenia is currently a senior content consultant at Ideagen. She also practised as a commercial lawyer, both in private practice at a large, national law firm and in-house at an ASX-listed company.
