Eleven tech industry leaders across networking, security and service providers launched the Network Resilience Coalition to address the persistent lack of network hardware and software resilience. The alliance is tackling the issue by encouraging timely updates and patching and better communication.
The founding members of this coalition include AT&T, Broadcom, BT Group, Cisco, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon and VMware.
“We’ve seen an increase in government notifications of nation-state attacks on end-of-life and end-of-warranty gear, and software and communications platforms. The targeted technologies include routers, virtualization software and firewalls. These products have all had patches available, but for various reasons, these patches were not applied and were being exploited by adversary governments,” Ari M. Schwartz, coordinator at the Center for Cybersecurity Policy and Law, said during the launch event.
“If we’re going to address the full problem, we all need to work together. And that’s the goal of the Network Resilience Coalition — to work together on recommending solutions that need to be implemented by the software and hardware vendors, the communication platforms and policymakers.”
Eric Goldstein, executive assistant director for the Cybersecurity and Infrastructure Security Agency (CISA), echoed that the effort should be a collaboration between technology vendors and governments worldwide.
“Doing that in a way that minimizes the burden on many of the end-user organizations, particularly those who, in CISA, we called ‘target-rich, resource-poor,’” he said. Goldstein went on to say that those end-user organizations carried the burden of figuring out which products were at end of service, then how to fix them without necessarily knowing who to call or having the resources to replace or upgrade those devices. “The adversaries exploit that burden to their advantage,” he said.
By the end of this year, the coalition intends to publish a report addressing issues related to end-of-life and out-of-warranty equipment and communication platforms, and to identify other similar areas to focus on in the future.
For the report, coalition members will work together to generate actionable recommendations for improving network security that target technology providers, technology users and those responsible for creating or regulating security policy.
In the network security realm, one of the most pervasive issues is the failure to apply patches in a timely manner.
Brad Arkin, SVP, chief security and trust officer at Cisco, noted that there is a recurring type of story in which the forensics show that a malicious adversary took control of a forgotten or neglected network device by exploiting a vulnerability for which a patch had been available, usually years before the attack.
“There’s this sense of missed opportunity,” Arkin said. And “it’s an asymmetric opportunity where a little bit of patching could have prevented a much bigger incident-response process later on.”
He cited an example where Cisco issued a public patch in 2017 and updated the security advisory in early 2018 to show the exploitation of this vulnerability. However, five years later, in 2023, U.S. and U.K. government agencies had to issue a call to action, indicating that many organizations had not taken the necessary precautions.
In another recent example of the ongoing patching challenge, a Bishop Fox study found that a critical vulnerability (CVE-2023-27997), which Fortinet initially identified and issued a patch for in June this year, remained unpatched on nearly 70% of the affected firewall devices almost a month later.
“Our devices are all over the place and there might be one that was sold through a partner in some corner of the world and the message is just never going to get to them. I’m interested in what [we can] do to make it more universally understood that those devices can be patched and that by not patching them, you’re exposing yourself to the types of attacks that are going on,” said Derrick Scholl, senior director, security incident response team, at Juniper Networks.
Scholl also raised the issue of regulation for product providers. Big players like Cisco and Juniper are active in patching and transparent about their end-of-life and end-of-service policies, but he posed a question: “What about the medium and small players that have no idea what the right thing is, and how can we make the right thing easily understandable to them?”
He noted that there is now an opportunity presented by the coalition to address all these issues. “The unique opportunity we have here is the combination of the vendors making the products, the customers using them, the governments trying to get folks to do the right thing, all in one location.”