The US Cybersecurity and Infrastructure Security Agency (CISA) is requiring federal agencies to secure the network management interfaces of certain classes of devices.
CISA’s ‘Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces’ provides federal agencies with guidelines on securing device interfaces that are accessible remotely, and which are often targeted by threat actors.
“A Binding Operational Directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems,” CISA notes.
Attackers, CISA explains, have shifted to targeting devices supporting network infrastructures to evade protections that agencies and organizations have implemented to improve their security stance.
“Threat actors have used certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises. Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet,” CISA notes.
According to CISA, most device management interfaces are meant to be reached from an internal or dedicated management network, not directly from the internet, and federal agencies should identify and address insecure or misconfigured interfaces across specific classes of devices.
Such devices include firewalls, load balancers, proxies, routers, switches, VPN concentrators, and out-of-band server management interfaces (such as iLO and iDRAC) that reside on or support federal information systems or networks.
Federal agencies should secure these devices if their management interfaces can be reached over the internet through protocols that allow remote management, such as HTTP, HTTPS, FTP, SNMP, Telnet, TFTP, RDP, rlogin, RSH, SSH, SMB, VNC, and X11, CISA says.
Web applications and interfaces for managing Cloud Service Provider (CSP) offerings, including APIs and management portals, are out of scope of the new directive.
CISA will scan for devices and interfaces in scope of the directive, will inform agencies and guide them to address the identified issues, and will update the directive to keep it in line with the changing cybersecurity landscape.
Agencies are required to address issues within 14 days of being notified by CISA, either by removing the interface from the internet so that it is reachable only from an internal enterprise network, or by deploying zero trust capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself.
Furthermore, agencies are required to implement controls to ensure that management interfaces on existing and newly deployed devices are never exposed to the internet: each interface must be accessible only from an internal enterprise network (CISA recommends an isolated management network) or protected by the required zero trust policy enforcement.
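The identification step (the device classes and protocols listed above) and the remediation check (is the interface still reachable from outside after the fix?) can be scripted against an external port scan. The following is an added example, not code from the article or from CISA: it parses a constructed scan in masscan's list (`-oL`) output format, looks each open port up against the IANA default ports of the protocols the directive names (an assumption; devices listening on non-standard ports would need those ports added), and flags hits on hosts whose inventory class is one the directive puts in scope. The host addresses, device names and inventory are hypothetical (RFC 5737 test addresses).

```python
"""Added example, not part of the article or of CISA's directive: triage an
external port scan against the device classes and protocols BOD 23-02 names."""
from collections import defaultdict
from datetime import date, timedelta
import socket

# IANA default ports for the protocols the directive lists. Assumption:
# interfaces listen on the defaults; add any non-standard ports you use.
MGMT_PORTS = {
    ("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("udp", 69): "TFTP", ("tcp", 80): "HTTP", ("udp", 161): "SNMP",
    ("tcp", 443): "HTTPS", ("tcp", 445): "SMB", ("tcp", 513): "rlogin",
    ("tcp", 514): "RSH", ("tcp", 3389): "RDP", ("tcp", 5900): "VNC",
    ("tcp", 6000): "X11",
}

# Device classes the directive puts in scope.
IN_SCOPE_CLASSES = {"firewall", "load balancer", "proxy", "router", "switch",
                    "vpn concentrator", "oob management"}

# Constructed asset inventory: host -> (label, device class). Hypothetical.
INVENTORY = {
    "203.0.113.10": ("edge-fw-1", "firewall"),
    "203.0.113.20": ("ilo-db-2", "oob management"),
    "203.0.113.30": ("www-1", "web server"),
}

# Constructed external scan in masscan list (-oL) format:
# "<state> <proto> <port> <host> <timestamp>". Hypothetical data.
SCAN = """\
#masscan
open tcp 443 203.0.113.10 1686000000
open tcp 22 203.0.113.10 1686000000
open tcp 443 203.0.113.20 1686000001
open udp 161 203.0.113.20 1686000001
open tcp 443 203.0.113.30 1686000002
open tcp 8443 203.0.113.30 1686000002
# end
"""


def parse_scan(text):
    """Yield (host, proto, port) for every 'open' line of masscan -oL output."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        state, proto, port, host, *_ = line.split()
        if state == "open":
            yield host, proto, int(port)


def triage(scan_text, inventory):
    """Return ({label: [(proto, port, protocol_name), ...]}, review_list).

    Findings are directive-listed protocols open on in-scope device classes.
    The same protocols on other hosts (a public web server on 443, an unknown
    host) go to the review list for a human decision instead of being dropped.
    """
    findings = defaultdict(list)
    review = []
    for host, proto, port in parse_scan(scan_text):
        name = MGMT_PORTS.get((proto, port))
        if name is None:
            continue  # not a protocol the directive names (e.g. 8443 above)
        label, device_class = inventory.get(host, (host, "unknown"))
        if device_class in IN_SCOPE_CLASSES:
            findings[label].append((proto, port, name))
        else:
            review.append((label, device_class, proto, port, name))
    return dict(findings), review


def remediation_due(notified):
    """Deadline: 14 days after CISA's notification."""
    return notified + timedelta(days=14)


def is_reachable(host, port, timeout=2.0):
    """Post-remediation re-check from outside the network: True if a TCP
    connect to the management port still succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    exposed, needs_review = triage(SCAN, INVENTORY)
    for label, services in exposed.items():
        print(f"{label}: exposed " + ", ".join(f"{n}/{p}" for _, p, n in services))
    for item in needs_review:
        print("review:", item)
    print("fix by", remediation_due(date(2023, 6, 14)))
```

Run the re-check (`is_reachable`) from a host outside the enterprise network after the interface has been moved behind the management network or a zero trust policy enforcement point; a successful connect means the finding is still open.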
To further assist agencies in implementing the directive’s requirements, CISA has published Binding Operational Directive 23-02 Implementation Guidance.
The document is primarily intended for federal agencies, but CISA encourages all organizations to use it as guidance to secure the network management interfaces of their devices.