Network switch hacking vulnerabilities – the value of encryption certification testing and separated security duties.
200,000 CISCO network switches hacked! Quoting Geetha Nandikotkur for Data Breach Today, “Over 200,000 Cisco network switches worldwide were hacked Friday, apparently affecting large internet service providers and data centres across the world, especially in Iran, Russia, the United States, China, Europe and India.”
This is not the only reported large-scale exploitation of a security vulnerability in network switches and routers. Numerous network devices have proven to be a source of security vulnerabilities exploited in damaging cyber-attacks in recent years.
Encryption security experts have repeatedly warned enterprises and governments that a key reason to encrypt their high-speed network traffic with dedicated (and certified) encryption products is the persistent vulnerabilities of network hardware – the switches and routers. This warning is even more compelling when organisations use these network devices as embedded encryptors – switches/routers with embedded encryption.
The reality is that network switches/routers can expose organisations’ networks to untold damage. When the vulnerability allows an attacker to gain control of the device, the attacker could take control of the network and its data routing, shut down the network and cause enormous business disruption (and expense).
Worse is the case of such a network switch with embedded encryption – relied upon by organisations to protect their data. While the customer believes the network data is safe, the vulnerability may have allowed the attacker to turn the encryption off!
This highlights the valuable benefits of certified high-assurance network data encryption – certified by independent testing authorities and backed by the high assurance that comes from complete separation of duties.
It is for this reason that security experts recommend dedicated hardware encryptors to protect core IT and network data. And beyond the core infrastructure, the extended WANs’ data should equally be encrypted by a solution that is separate from the network devices themselves.
“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country.”
About 55,000 devices were affected in the U.S. and 14,000 in China; other victims were located in Europe and India, Azari-Jahromi reports.
The hacker attack on Cisco router equipment apparently exploited a vulnerability in software called Cisco Smart Install Client, which allows hackers to run arbitrary code on the vulnerable switches, according to a blog by Kaspersky Lab.
The hackers apparently reset the targeted devices, making them unavailable for reconfiguration and leaving a message that reads: “Do not mess with our election,” displaying a U.S. flag on some screens, Kaspersky Lab explains.
Read the full story from Data Breach here
Implications of low-assurance encryption
With stronger data privacy and security regulations coming into effect, we have started to see a new mandate for encryption. Within the pages of legislation and regulations are requirements that encryption should use recognized standards, and that those standards be both robust and effective. The gold standard of emerging legislation, the GDPR, emphasizes that effective encryption should be standards-based and provide end-to-end security.
If you are thinking about using MACsec as a tick in the box for encryption compliance, think again. Low-assurance standards (such as MACsec) applied to multi-function network devices are unlikely to constitute a robust and effective solution. Why not? Because encryption key management is typically sub-optimal and arguably doesn’t provide end-to-end encryption security.
Add to this the fact that embedded or multi-function devices do not provide separation of duties (security and data transmission) and do not meet the high security standards demanded by the world’s leading independent testing and certification authorities (FIPS, CAPS, CC, NATO) and it’s easy to see how they would fall short of what the GDPR requires.
In a recent paper Khan Ferdous Wahid asks us to rethink our approach to link security when it comes to large-scale Ethernet networks. He has this to say about MACsec:
“Standardized Media Access Control security (MACsec) provides segment-based security. Its link-constrained feature is constructed mainly for scalability, key-agreement simplicity and traffic analysis, but unsupported multi-segment confidentiality and integrity make the MACsec (encryption standard) vulnerable and disqualify it for large Ethernet deployment where switches reside outside of secure premises.”
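To make the segment-based versus end-to-end distinction concrete, the following Python model is an added illustration (constructed for this article, not code from the original post, from Cisco, or from any MACsec implementation). It assumes a three-node path, host A to switch S to host B, with per-link keys in hop-by-hop mode and a single endpoint key in end-to-end mode, and uses a deliberately simple toy keystream cipher so that it runs with the standard library only.

```python
import hashlib

def toy_xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode), symmetric for encrypt
    and decrypt. Illustration only; the point is who holds the key at each hop."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Switch:
    """Intermediate switch S. In hop-by-hop (MACsec-style) mode it holds the
    link keys for both attached segments, so every frame passes through it in
    the clear; in end-to-end mode it only ever handles ciphertext."""
    def __init__(self, link_keys: dict):
        self.link_keys = link_keys
        self.seen = []            # what an attacker controlling S could read

    def forward(self, nonce: bytes, body: bytes, mode: str) -> bytes:
        if mode == "hop-by-hop":
            clear = toy_xor_cipher(self.link_keys["A-S"], nonce, body)
            self.seen.append(clear)                      # plaintext exposed here
            return toy_xor_cipher(self.link_keys["S-B"], nonce, clear)
        if mode == "end-to-end":
            self.seen.append(body)                       # ciphertext only
            return body
        raise ValueError(f"unknown mode: {mode}")

def send_over_path(payload: bytes, mode: str):
    """Send payload from A to B via S; return (what B received, what S saw).
    Keys are derived from constructed labels only to keep the example deterministic."""
    link_keys = {l: hashlib.sha256(l.encode()).digest() for l in ("A-S", "S-B")}
    e2e_key = hashlib.sha256(b"A-B end-to-end").digest()   # held by A and B only
    nonce = b"\x00" * 8
    switch = Switch(link_keys)
    first_key = link_keys["A-S"] if mode == "hop-by-hop" else e2e_key
    last_key = link_keys["S-B"] if mode == "hop-by-hop" else e2e_key
    body = toy_xor_cipher(first_key, nonce, payload)
    body = switch.forward(nonce, body, mode)
    return toy_xor_cipher(last_key, nonce, body), switch.seen[0]

if __name__ == "__main__":
    sample = b"constructed payload: account 12345"     # constructed sample data
    for mode in ("hop-by-hop", "end-to-end"):
        received, seen_by_switch = send_over_path(sample, mode)
        print(mode, "delivered:", received == sample,
              "switch saw plaintext:", seen_by_switch == sample)
```

In both modes B recovers the payload, but only in end-to-end mode does a compromised S see nothing but ciphertext, which is the multi-segment confidentiality gap the quoted paper describes.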