
CISA Pressures Federal Civilian Agencies to Secure Network Devices – Source: securityboulevard.com


Source: securityboulevard.com – Author: Teri Robinson

Last week, the Cybersecurity & Infrastructure Security Agency (CISA) put federal civilian agencies on notice that they were expected to secure network devices within 14 days of discovering they had been exposed on the internet.

Binding Operational Directive 23-02, the agency’s first BOD of the year, is aimed at network devices such as routers, firewalls, proxies and load balancers whose internet-exposed management interfaces give users network admin access.


“In a world where cybersecurity threats are becoming increasingly sophisticated and damaging, this directive signifies a vital step toward minimizing the attack surface available to threat actors,” said Craig Jones, vice president of security operations at Ontinue. “By focusing on the management interfaces that are often overlooked but integral to network infrastructure, it helps to fortify the defenses of federal information systems against potential attacks. It’s a targeted, strategic move, aiming to harden the security of the critical infrastructure that underpins federal operations.”

And if there was any doubt that the agency means business, it gave the BOD teeth, promising to conduct scans to identify targeted devices and alert agencies.

The directive does not target web apps and interfaces like APIs or management portals that agencies use to manage offerings from cloud service providers (CSPs). Instead, it applies only to devices that meet two criteria—they must:

  • Reside on or support federal information systems and/or networks and belong to one of the following classes: routers, switches, firewalls, VPN concentrators, proxies, load balancers and out-of-band server management interfaces (such as iLO and iDRAC).
  • Have management interfaces that use network protocols for remote management over the public internet, including, but not limited to: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP), Teletype Network (Telnet), Trivial File Transfer Protocol (TFTP), Remote Desktop Protocol (RDP), Remote Login (rlogin), Remote Shell (RSH), Secure Shell (SSH), Server Message Block (SMB), Virtual Network Computing (VNC), and X11 (X Window System).

“This concern is not theoretical; threat actors have adapted their strategies to exploit network infrastructure devices, leveraging insecure management interfaces to gain unrestricted access and compromise entire organizational networks,” said Jones. “Popular research tools like Shodan make it incredibly easy to find such devices; there are countless examples of threat actors using these as a staging post.”

“Internet-facing management interfaces for networking equipment are often used by attackers as a route for internal compromise,” Georgia Weidman, security architect at Zimperium, said. “If these interfaces are freely available on the internet, attackers can use default credentials for the devices that have not been changed, mount guessing attacks against weak credentials, and reuse credentials that have been compromised elsewhere and dumped to log into the administrative interface. Getting these interfaces off the internet and restricting access to internal administrators will do a lot to improve an organization’s internet-facing security posture,” she said.

“Though this directive is explicitly limited to networking devices, these are not the only type of devices that have management interfaces. IoT devices and web servers are just a couple of examples that come to mind that also often come with management interfaces,” said Weidman.

“These are often deployed on networks or even on the internet without a security audit, leaving these interfaces available to anyone, sometimes even with a default password that can be found in a user manual online,” she said. “While getting network device management interfaces off the Internet is a great step, an organization with a strong security posture should consider all management interfaces on all the devices and software they have deployed.”

To comply with the directive, agencies must not only “remove an interface from the internet by making it only accessible from an internal enterprise network” or, as part of a zero-trust architecture strategy, deploy capabilities “that enforce access control to the interface through a policy enforcement point separate from the interface itself” within 14 days, CISA said, they also must “implement technical and/or management controls to ensure that all management interfaces on existing and newly added devices” are compliant.
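As an added example (not CISA’s own scanning tooling), the Python below applies the directive’s two scope criteria and the 14-day remediation window to a device inventory; the inventory format, the device records and the port-to-protocol table are all constructed assumptions for this illustration.

```python
# Added example (not CISA's tooling): triage a constructed device inventory against
# BOD 23-02's two scope criteria and the 14-day remediation window.
from datetime import date, timedelta

# Device classes the directive names; out-of-band BMCs (iLO, iDRAC) count as "oob_bmc".
IN_SCOPE_CLASSES = {"router", "switch", "firewall", "vpn", "proxy", "load_balancer", "oob_bmc"}

# Management protocols listed in the directive, keyed by a common default port.
# The port mapping is an assumption of this example; real devices may listen elsewhere.
MANAGEMENT_PORTS = {
    80: "HTTP", 443: "HTTPS", 21: "FTP", 161: "SNMP", 23: "Telnet", 69: "TFTP", 3389: "RDP",
    513: "rlogin", 514: "RSH", 22: "SSH", 445: "SMB", 5900: "VNC", 6000: "X11",
}
REMEDIATION_WINDOW = timedelta(days=14)

def parse_inventory(text):
    """Constructed format: name,class,internet-exposed ports (;-separated),discovered YYYY-MM-DD."""
    devices = []
    for line in text.strip().splitlines():
        name, klass, ports, found = (f.strip() for f in line.split(","))
        devices.append({"name": name, "class": klass,
                        "ports": {int(p) for p in ports.split(";") if p},
                        "discovered": date.fromisoformat(found)})
    return devices

def triage(devices, today):
    """Return (name, exposed protocols, due date, overdue) for each in-scope device.
    Both criteria must hold: the class is one the directive names AND at least one listed
    management protocol is reachable from the public internet. A web app or cloud portal
    on 443 is therefore excluded even though HTTPS is on the protocol list."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    findings = []
    for d in devices:
        exposed = sorted(MANAGEMENT_PORTS[p] for p in d["ports"] if p in MANAGEMENT_PORTS)
        if d["class"] in IN_SCOPE_CLASSES and exposed:
            due = d["discovered"] + REMEDIATION_WINDOW
            findings.append((d["name"], exposed, due, today > due))
    return findings

SAMPLE_INVENTORY = """
edge-fw-01,firewall,443;22,2023-06-14
idrac-db-03,oob_bmc,443,2023-06-01
web-portal,webapp,443,2023-06-10
core-sw-02,switch,8443,2023-06-12
"""

if __name__ == "__main__":
    for name, protos, due, late in triage(parse_inventory(SAMPLE_INVENTORY), "2023-06-20"):
        print(f"{name}: {', '.join(protos)} exposed; remediate by {due}{' (OVERDUE)' if late else ''}")
```

Of the four constructed records, only the firewall and the iDRAC are in scope: the web portal fails the device-class criterion and the switch exposes no listed management protocol.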

The move drew praise from security experts. “Controlling your exposure to the internet is critical to any security posture; the more devices directly accessible, the more chances for threat actors to do their thing. Adopting a zero-trust methodology is a solid option, one that could limit both security concerns directly to the exposed device as well as access to connected systems should that device be compromised,” said Neal Dennis, threat intelligence specialist at Cyware. “A solid zero-trust approach does not solve all security problems, but it definitely helps limit impact should a breach occur.”

“The directive is a very impactful move by CISA that shows they are taking their role seriously,” Dennis said. “All organizations, public and private, should strive to limit their publicly accessible internet footprint. Less exposure equals fewer targets for threat actors which equals fewer devices you need to monitor for initial incursions, giving you more resources to hopefully monitor critical assets.”

For its part, CISA will not only scan for offending devices and interfaces, it will also offer a reporting interface and standard templates for remediation plans; review status with agencies and lend technical expertise; work with agency CIOs, CISOs and SAORMs as the process escalates; and, within the next two years, update the directive in accordance with the changing cybersecurity landscape.

“CISA making this a binding operational directive, and its intent to work with agencies to ensure they adhere to it on a specific timeframe, is a reflection on both the volume and severity of current (exploitable) vulnerabilities present in many IoT/OT systems with internet exposure,” said Bud Broomhead, CEO at Viakoo.

But there are still areas for improvement, Broomhead said. “Where the BOD may be falling short is that it does not direct agencies to improve their focus on remediation of vulnerabilities; other BODs have already addressed part of this problem, but more is needed,” he said. “CISA has added more remediation capabilities to its CDM [Continuous Diagnostics and Mitigation] Program, so having BODs related to remediation is likely a next step. Likewise, this BOD should have more focus on compliance and how agencies subject to it will be audited.”

CISA has increasingly stressed that it will take a more aggressive stance against cybersecurity threats. Addressing remarks by CISA Director Jen Easterly to the Cybersecurity Advisory Committee last week, Joe Saunders, CEO of RunSafe Security, said, “We need a whole-of-country response to the nation-state threats on our critical infrastructure. Without coordination across national critical functions and entities posing systemic risk if compromised, our well-functioning society will no longer be something we can take for granted.”

Saunders questioned government posturing to use purchasing power as a tool to force secure software development. “Striving for transparency is a wonderful idea,” he said. “We need suppliers to share their security posture so buyers are aware of risks. But only buying from customers who meet CISA’s guidelines is a bridge too far.”


Original Post URL: https://securityboulevard.com/2023/06/cisa-pressures-federal-civilian-agencies-to-secure-network-devices/

Category & Tags: Analytics & Intelligence, Cybersecurity, Featured, News, Security Boulevard (Original), Spotlight, Threat Intelligence, binding operational directive, cisa, Cyberlaw, Data breach, legislation, regulations
