A new industry group is looking to tackle security issues in end-of-life and end-of-warranty networking hardware and software.
The U.S.-based Center for Cybersecurity Policy and Law this week announced the launch of the Network Resilience Coalition brings together networking hardware, software, and service providers, with an initial goal of addressing the problems of unpatched and unpatchable networking gear in companies around the world.
Initial members of the group include AT&T, Broadcom, BT, Cisco Systems, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, and VMware, and the group has said it’s open to other networking players joining the ranks soon.
In a webinar announcing the Coalition, Ari Schwartz, coordinator of CCPL and managing director of cybersecurity services at Venable, said the group would look to develop “practices and policies to manage security threats better,” with the first target being the significant number of “routers, virtualization software and firewalls with patches available but for various reasons unpatched” creating an easy option for attackers. These unpatched products in networks worldwide amount to “a veritable buffet of options” for those looking to attack networks, said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency within the U.S. Department of Homeland Security.
“We need to figure out a way to make it easier, frictionless and scalable to upgrade to supported versions [of networking hardware and software,]” Goldstein said. “That’s the only way out of this problem.”
He said the group would aim to find ways to “dramatically drive down the presence of end-of-life and end-of-warranty equipment in a way that minimizes the burden of figuring out which products are end-of-service and how to upgrade them.”
Schwartz said the group would deliver a report by the end of the year outlining the problem with unpatched gear and will develop other areas of focus for improving overall network security globally.
Derek Scholl, senior director of Juniper’s Security Incident Response Team, acknowledged that “it’s not as easy as it should be” to manage aging and sometimes forgotten networking gear in a company’s environment and said the group must look at patching not as a matter of patches being issued, but a matter of “the device being either patched or removed from the network.”
Kathryn Condello, senior director for national security and emergency preparedness with Lumen, acknowledged that the “stacked” nature of networking gear within solutions, applications and systems makes it hard for organizations to be as timely as they should in patching gear. In many cases, simply patching a networking device requires ensuring all the applications that depend on that network aren’t dragged offline by the “fix,” Condello said.
That makes the challenge a daunting one, but one that’s costly. Brad Arkin, chief security and trust officer at Cisco, said the company frequently has customers come to it with problems related to a vulnerability publicly known for more than five years and for which a patch has been available for six years.”
“We’re aiming to do better at this,” Arkin said. “It’s such a lost opportunity because, at the very least, we could have made the adversary work harder.”
Condello noted that solving this problem would be a long-term effort. She acknowledged that patching old gear will be an issue for the next ten years, but ultimately, “we can close the aperture and make it a more stressless environment ten years from now.”
While the group seems to be focused on the enterprise space initially, presenters on the webinar noted the impact of the SOHO market, with Condello mentioning a recent attack that took advantage of “70,000 SOHO routers.”
Networking vendors, Cisco included, frequently work with solution providers around taking out end-of-life gear and getting customers into support, most notably through upgrade incentive programs. But Arkin said the group knew that it needed to “make it easier” for smaller companies and the solution providers that serve them to “know what the right thing to do is, and how to do it,” suggesting the group will be looking to engage the channel as a vital avenue in addressing this challenge.