
Federal Agencies Now Required to Secure Internet-Exposed Network Devices


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering federal agencies to secure network devices that are exposed to the public internet within 14 days after they have been discovered.

The agency’s Tuesday directive highlights the network management interfaces for devices on federal systems or networks. CISA is specifically focusing on devices (like routers, switches, firewalls, VPN concentrators, proxies, load balancers and out-of-band server management interfaces) that rely on protocols enabling remote management via the public internet, such as SMB, RDP or Telnet. While these management interfaces are designed to be accessed from dedicated company interfaces, they are often accessible from the public internet via these protocols, and that has paved the way over the years for threat actors to gain initial access or move laterally in their attacks.

“As agencies and organizations have gained better visibility of their networks and improved endpoint detection and response, threat actors have adjusted tactics to evade these protections by targeting network devices supporting the underlying network infrastructure,” CISA said this week in Binding Operational Directive (BOD) 23-02. A BOD is a set of security-related requirements for federal and executive branch agencies issued by the government. “Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices.”

CISA said that it will scan for these vulnerable devices and interfaces and notify various impacted agencies. Within 14 days of being notified by CISA (or discovering a vulnerable device themselves), agencies must remove the interface from the internet by making it only accessible from internal enterprise networks, or deploy capabilities that create access controls to the interface through a policy enforcement point (that is separate from the interface itself). Agencies should also implement proactive controls to make sure all management interfaces on both existing and newly added devices are secured, said CISA.

“Within 6 months of issuance and yearly thereafter, CISA will submit a report on the status of Federal Civilian Executive Branch (FCEB), pertaining to their compliance with this Directive, to the Secretary of DHS and the Director of OMB,” according to CISA.

After two years, CISA will review and update the directive to reflect changes in the security landscape and tweak the guidance to help agencies better identify and report the networked management interfaces that they operate.

Daniel dos Santos, head of security research at Forescout, said the recent BOD is a "significant step to help reduce an attack surface" for federal agencies that are being targeted by state-sponsored groups, ransomware gangs and more. According to Forescout research in 2022, routers are one of the riskiest connected devices because they are often exposed online, in addition to having vulnerabilities and exposed open ports, said dos Santos.

"These exposed ports and vulnerabilities – along with attackers’ willingness to exploit them – are the reason for the BOD," said dos Santos. "Network infrastructure devices often serve as entry points for threat actors that can later move laterally to other parts of the network. That is why network segmentation and zero trust are mentioned in the BOD – isolating the management interface of network infrastructure devices and ensuring there is proper access control to that interface can prevent attackers from exploiting these devices externally and then leveraging them internally on compromised networks."

As has been the case with other BODs, CISA hopes that this most recent directive will set a precedent for private sector entities to follow as well, though it’s not required for them. Under a 2021 BOD, for instance, CISA developed a catalog of known exploited vulnerabilities that federal agencies must address, and the agency made the catalog public in hopes that private sector firms would apply patches as well.