Networking vendors should avoid combining critical security updates with new features, to make patches easier to understand, prioritize, and implement, says an industry group, which also urges manufacturers to provide clearer details on their products’ lifespans.
The recommendations came in a white paper released Tuesday by the Network Resilience Coalition, a group of network hardware and software manufacturers, IT networking providers, and customers that is trying to improve the security of IT network hardware and software around the world.
The white paper proposes best practices for both product creators and buyers, to boost network security at a time of increasing cyber threats that are seeing not only record numbers of data thefts and ransomware attacks, but also networks knocked completely offline.
In particular, Matt Fussa, Cisco Systems’ chief trust officer, told a press conference accompanying the release of the report, the coalition wanted to address the problem of threat actors exploiting vulnerabilities that manufacturers had issued patches for.
The coalition is confident that increasing the transparency of software updates and having more secure application development processes “will yield substantial benefits in the U.S.” and other nations.
“I’ll make a prediction,” he added. “A lot of the suggestions you see in this paper in three years will be requirements in law both in Europe and the U.S.
“The time to start adopting these practices is now. The time to build a better software development practice, the time to automate patching, the time to adopt machine-readable threat and vulnerability information and consume readable patching information is now.” But, he admitted, “it’s going to take years to adopt this across the economy.”
Still, he added, “rather than looking at this as something we can take in stride, I encourage you all to think about doing this with urgency. Deploying [the NIST] Secure Software Development Framework with urgency, building and giving your customers a software bill of materials with urgency, and frankly, driving security with a sense of urgency because threat actors aren’t waiting.”
Failure to protect network infrastructure not only presents heightened business risks, but also poses risks to the technologies that our society relies on to function, the group said in a news release accompanying the report. “Too often, misconfigured or discontinued, end-of-life products are generating a massive attack surface for adversaries, and communication gaps between product vendors and service providers, as well as additional challenges,” the release says.
In addition to recommending that manufacturers automate patching and provide more information on their products’ end-of-life status and level of support, the group recommended that vendors align their software development practices with the NIST Secure Software Development Framework to produce more secure applications, and that they consider participating in OpenEoX, a cross-industry effort to standardize the way end-of-life information is communicated and to provide it in a machine-readable format.
The group also said IT departments buying network products can do their part to improve network security by:
• buying from vendors that are aligned with the NIST SSDF, that provide clear end-of-life information, and that plan to provide separate critical security fixes;
• increasing cybersecurity vigilance through vulnerability scanning and configuration management on products they choose to rely upon outside of their support period;
• periodically ensuring that product configuration is aligned with vendor recommendations, and increasing the frequency of configuration checks as products age;
• considering participation in the OpenEoX effort.
The patching dilemma was stated bluntly during a panel discussion accompanying the release of the report. “The problem is, there are still some customers that don’t upgrade” for whatever reason, said Carl Windsor, Fortinet’s senior vice-president of product technology and solutions. “I still hear from certain organizations they have a six-month upgrade window,” he added. “They’ll upgrade when they get to that window.”
Manufacturers need to learn why network administrators are reluctant to patch, or to patch quickly, Windsor said. Until those problems are solved, he added (including finding ways updates can be installed with zero downtime), manufacturers can’t automate the installation of patches on network equipment. In the meantime, some manufacturers offer other solutions, he added, such as managed services that take products out of the data centre.
Eric Wenger, Cisco Systems’ senior director for technology policy, said separating features from security updates “may be complicated” for manufacturers, because it’s sometimes not clear whether a change is a patch, a security update, or a security feature update. If manufacturers unbundle patches from new security features, customer networks may be in different states, which could affect a patch. “That will prove to be an interesting conversation” with customers, he said.
“Managing a network is a really complex task,” said Fussa. “The individual devices are endlessly configurable. They require lots of maintenance. And despite the best efforts of every software manufacturer and hardware vendor in the world, these will continue to be complex systems. The good news is there is hope on the horizon” through partnerships like the coalition that work with vendors, customers and governments.