"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch (FCEB) agencies to strengthen asset lifecycle management for edge network devices and remove those that no longer receive security updates from original equipment manufacturers (OEMs) over the next 12 to 18 months. The agency said the move is to drive down technical debt and minimize the risk of compromise, as state-sponsored threat actors turn such devices as a preferred access pathway for breaking into target networks."
"Edge devices is an umbrella term that encompasses load balancers, firewalls, routers, switches, wireless access points, network security appliances, Internet of Things (IoT) edge devices, software-defined networks, and other physical or virtual networking components that route network traffic and hold privileged access. "Persistent cyber threat actors are increasingly exploiting unsupported edge devices -- hardware and software that no longer receive vendor updates to firmware or other security patches," CISA said. "Positioned at the network perimeter, these devices are especially vulnerable to persistent cyber threat actors exploiting a new or known vulnerability.""
"To assist FCEB agencies in this regard, CISA said it has developed an end-of-support edge device list that acts as a preliminary repository with information about devices that have already reached end-of-support or are expected to lose support. This list will include the product name, version number, and end-of-support date. The newly issued Binding Operational Directive 26-02,�Mitigating Risk From End-of-Support Edge�Devices, requires FCEB�agencies�to undertake the following actions - Update each�vendor-supported-edge�device running�end-of-support�software to a vendor-supported software version (With immediate effect) Catalog all devices�to�identify�those�that are end-of-support�and�report�to CISA (Within three months) Decommission all�edge�devices"
CISA ordered Federal Civilian Executive Branch agencies to strengthen asset lifecycle management for edge network devices and to remove devices that no longer receive security updates from original equipment manufacturers within 12–18 months. The directive aims to reduce technical debt and lower the risk of compromise as state-sponsored actors increasingly exploit unsupported edge devices as access pathways. Edge devices include load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, software-defined networks, and other physical or virtual networking components. CISA created an end-of-support device list with product, version, and end-of-support date. Binding Operational Directive 26-02 requires immediate updates, a three-month cataloging and reporting requirement, and decommissioning of affected devices.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]