
US government says: Patch your edge devices, or else!

Paul Ducklin
02/21/2026

Getting rid of cybersecurity deadwood

In case you missed it, the United States Cybersecurity and Infrastructure Security Agency (CISA) just issued an edict about so-called edge devices.

Tagged with the uncompromising title of Binding Operational Directive 26-02, its stated aim is, “Mitigating Risk From End-of-Support Edge Devices.”

Loosely translated into plain English, any computer hardware or software that’s involved in shoveling data back and forth between your organization’s network and the internet needs to be kept up-to-date with security-related fixes...

...and if it’s not getting those fixes any more because the vendor no longer supports it, then you need to get rid of it.

The BOD 26-02 order is, understandably, couched in formal and bureaucratic language, but the two immediate milestones in this security journey are as follows:

  • Make and submit to CISA a list of all your edge devices within three months. CISA provides a breathless sentence that says, with a touch of circularity, “This includes but is not limited to load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, software defined networks and other physical or virtual networking devices that are responsible for routing network traffic and provide privileged access.”
  • Identify any edge devices that are already out of support, or will be in the next twelve months, and get rid of them within the next twelve months. In other words, if you have an unsupported router or firewall in use right now, you have twelve months’ leeway to deal with it. But devices that only go out of support a day before the deadline must be replaced by then, too.

There are further requirements, including that, within two years, you’ll need a process that will reliably and continuously identify edge devices on your network that have one year or less of support left, and remove or replace them in time.

This is an interesting and useful start to dealing with the problem that simply testing whether devices on your network have “the latest patches” isn’t enough on its own.

After all, you can set up (only ever do this in a sealed-off virtual machine or a dedicated test network!) a Windows XP or Windows 7 server right now, if you still have the needed installation and update files, and patch it to the point that it is demonstrably “running every available security update,” even though the last of those updates shipped years ago and no new ones will ever follow.
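As an added illustration, and not code from the original article or from CISA, here is a small Python inventory check that applies the article’s reading of the directive: a device is flagged on its vendor’s end-of-support date, never on whether it happens to be fully patched, and a removal deadline is computed twelve months out for anything already unsupported or due to lose support within that window. The device names, end-of-support dates and the reference date are all constructed for the example; a real inventory would come from your CMDB or network discovery tooling.

```python
"""Flag edge devices that are out of vendor support now, or will be within twelve
months, from a simple inventory. Added example; not CISA's tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The article's "twelve months" window, approximated as 365 days.
HORIZON = timedelta(days=365)


@dataclass(frozen=True)
class EdgeDevice:
    name: str
    kind: str                   # firewall, router, load balancer, ...
    vendor_eos: Optional[date]  # vendor's end-of-support date; None if nobody knows
    fully_patched: bool         # every update the vendor still ships is installed


def support_status(dev: EdgeDevice, today: date) -> str:
    """Classify a device by vendor support alone; patch level is deliberately ignored."""
    if dev.vendor_eos is None:
        return "UNKNOWN"        # a finding in itself: you can't manage what you can't measure
    if dev.vendor_eos <= today:
        return "UNSUPPORTED"
    if dev.vendor_eos - today <= HORIZON:
        return "EXPIRING"
    return "SUPPORTED"


def removal_deadline(dev: EdgeDevice, today: date) -> Optional[date]:
    """Date by which the device must be gone, following the article's reading of BOD 26-02:
    anything unsupported now, or within twelve months, goes within twelve months of today;
    anything with longer support must be replaced before its own end-of-support date."""
    status = support_status(dev, today)
    if status == "UNKNOWN":
        return None             # cannot be scheduled until the date is established
    if status in ("UNSUPPORTED", "EXPIRING"):
        return today + HORIZON
    return dev.vendor_eos


def review_inventory(inventory: List[EdgeDevice], today: date) -> List[Tuple[str, str, Optional[date]]]:
    """Return (name, status, deadline) rows, most urgent first."""
    urgency = {"UNKNOWN": 0, "UNSUPPORTED": 1, "EXPIRING": 2, "SUPPORTED": 3}
    rows = [(d.name, support_status(d, today), removal_deadline(d, today)) for d in inventory]
    rows.sort(key=lambda r: (urgency[r[1]], r[2] or date.max))
    return rows


# Constructed reference date and inventory for the example (not real devices).
REFERENCE_DATE = date(2026, 3, 1)
SAMPLE_INVENTORY = [
    # Fully patched, but the vendor stopped shipping fixes in 2024: still a finding.
    EdgeDevice("fw-edge-01", "firewall", date(2024, 6, 30), fully_patched=True),
    EdgeDevice("rtr-core-02", "router", date(2026, 11, 15), fully_patched=False),
    EdgeDevice("wap-lobby-03", "wireless access point", date(2028, 1, 31), fully_patched=True),
    EdgeDevice("lb-dmz-04", "load balancer", None, fully_patched=True),
]


if __name__ == "__main__":
    for name, status, deadline in review_inventory(SAMPLE_INVENTORY, REFERENCE_DATE):
        when = deadline.isoformat() if deadline else "date unknown, establish first"
        print(f"{name:<14} {status:<12} remove by: {when}")
```

The point of the first sample device is the one the article makes with its Windows XP thought experiment: `fw-edge-01` reports as fully patched and would pass a naive “latest patches installed” check, yet it sorts to the top of the list because its vendor support ended long ago. Devices with no known end-of-support date are listed first of all, since the directive’s inventory step cannot be completed until that date is found.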

No silver bullet

As forceful as this edict sounds, it’s not a silver bullet for improving our collective global cybersecurity.

In fact, it’s really just a starting point to spur us to remove some of the most glaring and irremediable holes from our digital lives.

Firstly, the edict only applies in the US, and even there only to federal agencies.

Contractors aren’t directly covered, but as CISA notes, federal agencies “may need to modify contracts to comply,” which, let us hope, will indirectly force recalcitrant commercial players to get rid of never-to-be-patched-again devices from their networks, too.

Secondly, it currently applies to so-called edge devices only, which still leaves the rest of an organization’s network at risk from a rogue insider, or in danger from an already-compromised computer that can be used as a beachhead for attackers to reach out across the network.

Thirdly, it doesn’t directly address the thorny problem of unscrupulous vendors who use “out of support” as an excuse to make security updates contingent on you buying a whole new hardware product or software service from scratch.

The European Union’s Cyber Resilience Act (CRA) should help to address the third issue above, by requiring vendors to commit to minimum periods of security-related updates and support, and to declare before they sell you their product or service just how long that support period will be.

Let’s hope that this combination of the demands of the US federal IT ecosystem and the rulings of the EU will encourage vendors to comply even if they don’t yet strictly need to, on the grounds that it’s better for those vendors to be ahead right now than to have their sales team stuck behind the 8-ball in the near future.

What to do?

  • If you can’t measure it, you can’t manage it. This CISA ruling requires organizations to know how to identify their edge devices reliably, which is a good start. Why not extend that thinking to your entire IT ecosystem, including remote workers, contractors, and other business partners?
  • Don’t be afraid of change if the alternative is to slip further into security arrears. If a vendor tries to close a deal or a renewal by insisting that change will be too hard, so you really don’t have a choice, take that as a warning sign. In a free market, you will always have a choice.
  • Don’t try to do it on your own if you don’t feel up to it. Find a human-centered security service, like SolCyber, that can not only keep on top of cybersecurity issues for you, but also help you build a positive cybersecurity culture even as you focus on your real business, which is almost certainly not cybersecurity related.

Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
