In the wake of Shell Shock, I’ve seen some vendor advisories indicate that while their product is vulnerable, it’s only through the management interface but everything is okay because if best practices have been followed, the management interface isn’t/hasn’t been exposed to the Internet.

No, everything is not okay. If best practices have been followed, then management interfaces have been locked down to particular IP addresses and not all internal IPs. However, this is still not a guarantee that everything is okay.

With the prevalence of phishing attacks to get a foot inside the network, and the relative success of those attacks, that means you can expect an attack from the inside at some point. Gone are the days where we honestly felt we could keep the bad guys out. Now we know they will get in and it’s a matter of detection and remediation. The faster the better. The game has changed from keeping them out to keeping them from getting anything useful. Since that’s the way the game is being played now, responses like what I’ve been seeing are worrisome. They show that the vendors in question don’t understand the change in the game.