Vulnerable network devices continue to expose customers to data network security breaches! Moreover, many of the vulnerable devices are crucial to operating organisations’ data networks: routers, switches and the like.
- The significance of potential network devices’ security vulnerabilities.
- The hidden costs of software dependent devices.
- Highlights why encryption must be separated from network devices.
And, although the device vendors issue software updates and security patches, the customer is typically left to clean up the mess! It is the customer that needs to plan the maintenance windows necessary to roll out software updates and patches across often vast data networks with large numbers of vulnerable devices. All of that takes time and may cause business disruption. And then there are the direct and indirect costs incurred by having to implement the essential fixes.
Commentators have highlighted that many enterprise and government organisations estimate it may take them years to completely catch up with all update and patch releases. Given that many such releases relate to security vulnerabilities, there must be a lot of CIOs that find it hard to sleep at night.
But, of course, organisations that choose to encrypt their networks’ data-in-motion may not lose any sleep. If their encryption solution is a certified high-assurance, hardware-based solution (well implemented), then the security vulnerabilities of their router and switch fleets are of little concern. In that event, should cyber-criminals successfully breach the encrypted network and steal data, their prize is simply useless bits and bytes: meaningless rubbish.
More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability that’s similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency.
The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a device’s memory, which can lead to the exposure of sensitive information.
The vulnerability stems from how the OS processes IKEv1 (Internet Key Exchange version 1) requests. This key exchange protocol is used for VPNs (Virtual Private Networks) and other features that are popular in enterprise environments.
Cisco discovered the vulnerability internally after analyzing an exploit for Cisco PIX firewalls that was leaked last month by a hacking outfit called Shadow Brokers. The exploit was part of a larger set of attack tools that Shadow Brokers claimed are being used by a cyberespionage group known in the security industry as the Equation, believed to be linked to the NSA.
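The article does not say how the IKEv1 handling fails, only that a remote request can make the device give up memory contents. As an added illustration (not Cisco’s code, not Senetas’, and not a description of the actual defect), the parser below shows the discipline a defender expects of any IKEv1 (ISAKMP, RFC 2408) implementation: every declared length is checked against the bytes actually received before it is used. A small audit routine then flags, over constructed UDP/500 records, datagrams that are malformed or that arrive from peers not on an allow-list. The SPI values, payload bodies and IP addresses are all constructed sample data.

```python
import struct
# ISAKMP wire format (RFC 2408): 28-byte header, then payloads each prefixed by a 4-byte generic header.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_HDR = struct.Struct("!BBH")

def parse_ikev1(datagram: bytes) -> dict:
    """Parse one IKEv1 datagram, checking every declared length against the bytes
    actually received before using it (trusting the field is how over-reads happen)."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    i_spi, _r_spi, nxt, ver, xchg, _flags, msg_id, length = ISAKMP_HDR.unpack_from(datagram)
    if ver >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {ver >> 4})")
    if length != len(datagram):
        raise ValueError(f"header declares {length} bytes, received {len(datagram)}")
    payloads, off = [], ISAKMP_HDR.size
    while nxt != 0:  # next-payload 0 (NONE) terminates the chain
        if off + PAYLOAD_HDR.size > len(datagram):
            raise ValueError(f"payload header at offset {off} runs past datagram end")
        ptype, (nxt, _reserved, plen) = nxt, PAYLOAD_HDR.unpack_from(datagram, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(datagram):
            raise ValueError(f"payload type {ptype} at offset {off} declares {plen} bytes, overruns datagram")
        payloads.append((ptype, plen))
        off += plen
    if off != len(datagram):
        raise ValueError(f"{len(datagram) - off} trailing bytes after last payload")
    return {"initiator_spi": i_spi.hex(), "exchange_type": xchg, "message_id": msg_id, "payloads": payloads}

def build_ikev1(payloads, exchange_type=2) -> bytes:
    """Assemble a well-formed IKEv1 datagram from (type, body) pairs; constructed sample data only."""
    body = b""
    for idx, (ptype, data) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange_type, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body

def audit(records, allowed_peers):
    """records: (source_ip, udp_payload) pairs from UDP/500; one alert per malformed or unexpected-peer datagram."""
    alerts = []
    for src, dgram in records:
        try:
            info = parse_ikev1(dgram)
        except ValueError as exc:
            alerts.append(f"{src}: malformed IKEv1 ({exc})")
            continue
        if src not in allowed_peers:
            alerts.append(f"{src}: IKEv1 exchange type {info['exchange_type']} from unexpected peer")
    return alerts
```

Feeding `audit` the UDP/500 payloads seen at a router’s edge, with the allow-list set to the known VPN peers, gives a quick view of who is talking IKEv1 to the device and whether any of it is malformed.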
Senetas high-assurance security comments
One would be forgiven for thinking that during 2015, and it seems in 2016, IT&T and data security professionals have been alerted more than ever before to a saga of data network devices’ security vulnerabilities.
Whether or not the devices and/or the vulnerabilities have involved business-critical network assets and/or highly sensitive data networks is not the point.
The significance of such announcements and revelations that network devices have been discovered to be vulnerable to specific type/s of cyber-attack is two-fold:
- In many cases the network devices were embedded routers or embedded switches – routers or switches with embedded encryption. They are held out to be security devices that protect the network data, and so held out to be secure. Indeed, they are neither: not a security device, nor a secure device. That has become a self-evident fact.
- “Horses for courses”: an old saying, but one that rings true today in cyber-security and data network security. While embedded solutions try to be the ‘best of both worlds’, they typically fail. In the very serious world of network data security, the optimal solutions lie in ‘dedicated specialist’ equipment.
Data security experts from a range of backgrounds often comment that there are four essential ingredients for robust data security and they are the essential criteria for network data encryption.
The four essential elements of robust encryption, referred to together as ‘certified high-assurance’ encryption, are:
- The solution is certified by at least one independent testing authority to a widely accepted standard.
- Secure and tamper-proof hardware dedicated to encryption.
- Uses state-of-the-art encryption key management, ensuring only the customer can ever access its encryption keys.
- Authenticated end-to-end standards based encryption – ensuring that no unencrypted data is exposed.
Five years ago, few people knew of the risks to data transmitted across high-speed networks, whether they be copper or fibre optic.
Three years ago, everyone had heard stories about network attacks and the advice that sensitive network data should be encrypted.
Today, the issue is simple: all sensitive data should be protected by encryption, “near enough is not good enough”, and solutions should be ‘certified high-assurance encryption’ solutions.