DHS released a report this week regarding BOD 16-02. A BOD or Binding Operational Directive is DHS’s way of telling executive branch agencies that they have to do something. Like really.
In this case the issue is that hackers were abusing bugs in Internet routers, specifically Cisco routers. Why Cisco? Because they are the biggest gorilla in the game. If you can successfully attack Cisco, the world is your oyster.
The report dates back to 2016, but it wasn’t released until this week. The bugs date back to 2014 and 2016. Cisco has patched the bugs. Many agencies had not applied the patches. Hence the BOD. Get off your butts and apply the patches.
OK, so what does this mean to you?
In general, your Internet gateway is the drawbridge to your medieval castle. Leave the drawbridge down and the bad guys can get across the moat.
Even in medieval days, the drawbridge was only one defense. Today, the firewall is also only one layer of defense. Still, it is an important layer.
For many businesses (and especially consumers), patching their Internet gateway (router or firewall) and patching their WiFi router (sometimes the same device but sometimes different devices) is not something they do, and if they do, they don’t do it regularly.
All patching is important, but patching any Internet facing device is critical because the attacker doesn’t need to get inside your network before launching the attack. They start from outside and they work their way in.
One important thing to know. At least with Cisco, and probably some other vendors, if you are not paying for an annual support contract, they will not give you the security patches that they have released to fix the bugs that should not have been there in the first place. My answer to that? Pick a different vendor – there are lots. Juniper, Sonicwall, Ubiquiti, Fortinet, Baarracuda, Palo Alto, pfSense. Different vendors make sense for different users, but there are lots of choices.
So what is an Internet facing device?
WiFi Access Points.
Webcams that can be accessed from the Internet.
And likely other devices inside your home or business,
Start out by doing a careful inventory of anything that has a network cable or is connected to your WiFi. Then see which ones of these devices can connect to the Internet. Those are the high priorities.
There is one thing that you can do, going forward. Buy devices that automatically update themselves.
Like the Ring Video Doorbell. There was a vulnerability discovered recently (like in the last 6 months or so). Ring fixed and patched every doorbell ever sold in roughly 48 hours.
The Google Home Wifi controller is another example.
Do your research BEFORE you buy. Ask questions. And, if you don’t get the right answers, move on. Vote with your wallet. Eventually, that will get manufacturer’s attention.
Information for this post came from Federal Computer Weekly.