Networking vendors should avoid combining critical security updates with new features, to make patches easier to understand, prioritize, and implement, says an industry group, which also urges manufacturers to provide clearer details on their products’ lifespans.
The recommendations came in a white paper released Tuesday by the Network Resilience Coalition, a group of network hardware and software manufacturers, IT networking providers, and customers that is trying to improve the security of IT network hardware and software around the world.
The white paper proposes best practices for both product creators and buyers, to boost network security at a time of increasing cyber threats that are seeing not only record numbers of data thefts and ransomware attacks, but also networks knocked completely offline.
In particular, Matt Fussa, Cisco Systems’ chief trust officer, told a press conference accompanying the release of the report, the coalition wanted to address the problem of threat actors exploiting vulnerabilities that manufacturers had issued patches for.
The coalition is confident that increasing the transparency of software updates and having more secure application development processes “will yield substantial benefits in the U.S.” and other nations.
“I’ll make a prediction,” he added: “A lot of the suggestions you see in this paper in three years will be requirements in law both in Europe and the U.S.
“The time to start adopting these practices is now. The time to build a better software development practice, the time to automate patching, the time to adopt machine-readable threat and vulnerability information and consume readable patching information is now.” But, he admitted, “it’s going to take years to adopt this across the economy.”
Still, he added, “rather than looking at this as something we can take in stride, I encourage you all to think about doing this with urgency. Deploying [the NIST] Secure Software Development Framework with urgency, building and giving your customers a software bill of materials with urgency, and frankly, driving security with a sense of urgency because threat actors aren’t waiting.”
Failure to protect network infrastructure not only presents heightened business risks, but also poses risks to the technologies that our society relies on to function, the group said in a news release accompanying the report. “Too often, misconfigured or discontinued, end-of-life products are generating a massive attack surface for adversaries, and communication gaps between product vendors and service providers, as well as additional challenges,” the release says.
In addition to recommending manufacturers automate patching and provide more information on their products’ end-of-life status and level of support, the group also recommended vendors align their software development practices with the NIST Secure Software Development Framework to produce more secure applications, and that they consider participation in the OpenEoX effort, a cross-industry effort to standardize the way end-of-life information is communicated and to provide it in a machine-readable format.
But the group also said IT departments buying network products also can do their part to improve network security by:
• buying from vendors that are aligned with the NIST SSDF, that provide clear end-of-life information and that plan to provide separate critical security fixes;
• increasing cybersecurity vigilance through vulnerability scanning and configuration management on products they chose to rely upon outside of their support period;
• periodically ensuring that product configuration is aligned with vendor recommendations — and increasing the frequency of checking configurations as products age;
• and consider participation in the OpenEoX effort.
The patching dilemma was stated bluntly during a panel discussion accompanying the release of the report. “The problem is, there are still some customers that don’t upgrade” for whatever reason, said Carl Windsor, Fortinet’s senior vice-president of product technology and solutions. “I stlll hear from certain organizations they have a six-month upgrade window,” he added. “They’ll upgrade when they get to that window.”
Manufacturers need to learn why network administrators are reluctant to either patch or patch quickly, Windsor said. Until those problems are solved, he added — including finding ways updates can be installed with zero downtime — manufacturers can’t automate the installation of patches on network equipment. In the meantime, some manufacturers offer other solutions, he added, such as managed services that take products out of the data centre.
Eric Wenger, Cisco Systems’ senior director for technology policy, said separating features from security updates “may be complicated” for manufacturers, because it’s sometimes not clear if a change is a patch, a security update, or a security feature update. If manufacturers unbundle patches from new security features, customer networks may be at different states, which could affect a patch. “That will prove to be an interesting conversation” with customers, he said.
“Managing a network is a really complex task,” said Fussa. “The individual devices are endlessly configurable. They require lots of maintenance. and despite the best efforts of every software manufacturer and hardware vendor in the world, these will continue to be complex systems. The good news is there hope on the horizon” through partnerships like the coalition that work with vendors, customers and governments.
