CISA, NSA, global partners issue guidance to secure edge devices, enhance network defenses
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with international and other U.S. organizations, released guidance this week to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private network (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems. The agencies made available three cybersecurity information sheets (CSIs) that highlight critically important mitigation strategies for securing edge device systems.
The published guidance includes ‘Security Considerations for Edge Devices,’ led by the Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment Canada; ‘Digital Forensics Monitoring Specifications for Products of Network Devices and Applications,’ led by the U.K.’s National Cyber Security Centre (NCSC-UK); and ‘Mitigation Strategies for Edge Devices: Executive Guidance’ and ‘Mitigation Strategies for Edge Devices: Practitioner Guidance,’ two separate guides led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
The guidance offers a high-level summary of existing guidance for securing edge devices from the cybersecurity authorities of partnered countries, including Australia, Canada, Czech Republic, Japan, Netherlands, New Zealand, South Korea, the U.K., and the U.S. It consolidates key practices for effectively managing and securing edge devices.
“Edge devices act as boundaries between organizations’ internal enterprise networks and the Internet; if left unsecured, even unskilled malicious cyber actors have an easier time finding and exploiting vulnerabilities in their software or configurations,” Eric Chudow, a National Security Agency (NSA) cybersecurity vulnerability analysis subject matter expert, said in a statement. “As organizations scale their enterprises, even though securing all devices is important, prioritizing edge device security is vital to defend the many endpoints, critical services, and sensitive data they protect.”
The documents are intended for executives within large organizations and critical infrastructure sectors who are responsible for the deployment, security, and maintenance of enterprise networks. They provide a high-level summary of existing guidance for securing edge devices, with recommendations for tactical, operational, and strategic audiences to enhance network security and improve resilience against cyber threats.
Edge devices are critical network components that serve as security boundaries between internal enterprise networks and the internet. The most commonly observed edge devices implemented across enterprise networks include enterprise routers, firewalls, and VPN concentrators. These devices perform essential functions such as managing data traffic, enforcing security policies, and enabling seamless communication across network boundaries. Positioned at the network’s periphery, these edge devices connect an internal, private network and a public, untrusted network like the internet.
“Failing to secure edge devices is like leaving a door open from the internet to internal networks, potentially allowing malicious actors to gain access to networks – from there, they can access sensitive data and disrupt operations,” CISA said in its document. “If organizations have not applied zero trust principles in their environments, malicious actors can use a range of techniques to gain access through network edge devices. This typically occurs through identifying and exploiting newly released vulnerabilities for edge devices, which have a poor track record for product security. Both skilled and unskilled malicious actors conduct reconnaissance against internet-accessible endpoints and services to identify and exploit vulnerable devices.”
The guide ‘Mitigation Strategies for Edge Devices: Executive Guidance’ is intended for executives within large organizations and critical infrastructure sectors responsible for the deployment, security, and maintenance of enterprise networks. It outlines seven key mitigation strategies for managing and securing edge devices within traditional network architectures: know the edge; procure secure-by-design devices; apply hardening guidance, updates, and patches; implement strong authentication; disable unneeded features and ports; secure management interfaces; and centralize monitoring for threat detection.
The guidance emphasizes the importance of thorough evaluation before procuring any edge device. Organizations must assess both the manufacturer—including its country of origin—and the product itself to ensure that all potential security concerns have been identified and adequately addressed. Opting for technologies developed using secure-by-design principles can significantly enhance an organization’s ability to build a resilient enterprise network. Such networks are better equipped to maintain confidentiality, integrity, and availability while reducing the risk of costly security incidents.
Additionally, organizations are advised to prioritize labeled or certified products, such as those bearing the JC-STAR label in Japan, as these certifications indicate that the products meet established security standards and incorporate appropriate protective measures.
Moreover, the authoring agencies call upon edge device manufacturers to adopt secure-by-design practices in their product development processes. This proactive approach strengthens the security posture of the devices, while also supporting the goal of fostering a more secure and trustworthy digital ecosystem.
The document also identified network segmentation and segregation as critical to safeguarding an organization’s environment, because they limit the potential pathways for unauthorized access and lateral movement within the network. By isolating sensitive systems, this approach strengthens defences against cyberthreats, minimises the impact of breaches, and ensures resilient operations across interconnected systems.
It also addressed gateway hardening to help organizations design, procure, operate, maintain, or dispose of gateway services. A gateway is a boundary system that separates different security domains and allows an organization to enforce its security policy for data transfers between the different security domains. Partnered cybersecurity authorities strive to assist organizations in addressing cybersecurity challenges and making informed risk-based decisions to enhance gateway security.
It also acknowledged that edge devices play a key role in modern smart infrastructure, where they serve as critical connection points that support data flow and communication across smart technologies. It also took into account that edge devices will eventually become legacy hardware, or End-of-Life (EOL), when software is no longer supported or updated by the manufacturer. Edge devices that have reached EOL, especially those no longer supported by manufacturers, can be more vulnerable to cyberthreats. It is crucial to upgrade software to supported versions or replace edge devices that have reached EOL to ensure that they remain secure against cyberthreats.
The document also detailed that once malicious actors have established a foothold within a network, they can use living-off-the-land (LOTL) techniques, which involve leveraging built-in tools and system processes to achieve their objectives. This makes it difficult for network defenders to differentiate malicious activity from legitimate activity. To defend against these techniques, it is crucial to have comprehensive event logging and network telemetry to enable visibility and detect threats. Where compromises occur, or are suspected to have occurred, robust logging will help organizations monitor for threats and intrusions.
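The passage above, and the ‘centralize monitoring for threat detection’ strategy in the executive guidance, are about having enough telemetry from the edge device itself to notice LOTL-style activity that uses only the appliance’s built-in functions. The following script is an added example, not code from any of the guidance documents; it runs a few defender-side rules over constructed log lines. The log format (“timestamp host facility: key=value …”), the management network 10.20.0.0/24, the 08:00–18:00 UTC change window, and the sample events are all assumptions made for the illustration; real edge devices emit vendor-specific formats that a collector would normalize first.

```python
"""Detection rules over constructed edge-device log lines (added example).

Assumptions, none of which come from the published guidance:
  - a vendor-neutral "timestamp host facility: key=value ..." log format
  - management access is only legitimate from 10.20.0.0/24
  - configuration changes are only approved between 08:00 and 18:00 UTC
"""
import re
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# Constructed sample events. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real sources.
SAMPLE_LOGS = """\
2025-02-05T02:14:07Z fw-edge-01 auth: user=admin src=203.0.113.45 method=password result=success
2025-02-05T09:30:12Z fw-edge-01 auth: user=netops src=10.20.0.15 method=mfa result=success
2025-02-05T02:15:30Z fw-edge-01 config: user=admin action=commit change="add user svc-backup role=admin"
2025-02-05T11:02:41Z fw-edge-01 config: user=netops action=commit change="update acl mgmt-allow"
2025-02-05T02:16:02Z fw-edge-01 shell: user=admin tty=pts/0 cmd="/bin/sh"
2025-02-05T12:00:00Z fw-edge-01 auth: user=admin src=198.51.100.77 method=password result=failure
"""

MGMT_NETS = [ip_network("10.20.0.0/24")]   # assumed management network
CHANGE_WINDOW = (time(8, 0), time(18, 0))   # assumed approved change window, UTC

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<body>.*)$")
# key=value pairs; a double-quoted value may contain spaces and '=' signs
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one log line into a dict of fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"ts": ts, "host": m["host"], "facility": m["facility"]}
    for key, quoted, bare in KV_RE.findall(m["body"]):
        event[key] = quoted if quoted else bare
    return event


def analyze(log_text, mgmt_nets=MGMT_NETS, change_window=CHANGE_WINDOW):
    """Apply the detection rules; return a list of (rule_name, offending_line)."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        fac = ev["facility"]
        if fac == "auth" and ev.get("result") == "success":
            # Successful management login from outside the management network
            src = ip_address(ev["src"])
            if not any(src in net for net in mgmt_nets):
                findings.append(("login_outside_mgmt_net", line))
            # Successful login that did not use multi-factor authentication
            if ev.get("method") != "mfa":
                findings.append(("login_without_mfa", line))
        elif fac == "config" and ev.get("action") == "commit":
            # Committed configuration change outside the approved window
            t = ev["ts"].time()
            if not (change_window[0] <= t < change_window[1]):
                findings.append(("config_change_outside_window", line))
            # A new local account is a common persistence step worth a review
            if ev.get("change", "").startswith("add user"):
                findings.append(("new_local_account", line))
        elif fac == "shell":
            # An interactive shell on an appliance is rare in normal operation
            # and is the classic LOTL foothold the guidance describes
            findings.append(("interactive_shell_on_appliance", line))
    return findings


if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```

Against the constructed sample, the script raises five findings: the 02:14 admin login from outside the management network (which also lacks MFA), the 02:15 configuration commit that both falls outside the change window and adds an administrative account, and the interactive shell session. The failed login on the last line is deliberately not flagged by these rules; a real deployment would add a threshold rule for repeated failures and, as the guidance stresses, forward all of these events to a central log platform rather than leaving them on the device.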
The companion guide, ‘Mitigation Strategies for Edge Devices: Practitioner Guidance,’ is written for operational, cybersecurity, and procurement staff. It provides an overview of what edge devices are; the risks and threats to them; relevant frameworks and controls from some of the authoring nations; and a more in-depth discussion of the seven mitigation strategies.
Additionally, the report includes a case study of a successful exploitation to show how malicious actors compromise edge devices when they are not secured properly and to highlight further how edge devices are critical to the security of a network.
Expanding on the other reports, the ‘Security Considerations for Edge Devices’ guidance details threats to edge devices from common malicious techniques and ways organizations can reduce the risk of compromise with mitigation recommendations.
The publication also outlines factors organizations should consider when evaluating the security of edge devices, along with recommendations for edge device manufacturers to improve the built-in and default security of devices they produce. Despite significant advancements in cybersecurity measures and improved visibility into network infrastructures, edge devices remain highly vulnerable to compromise. This risk primarily stems from inherent vulnerabilities in the devices themselves and the configuration of the network (including gateway) architecture.
Some of the key factors that organizations should consider when evaluating the security of an edge device include design and manufacturing, which is the manufacturer’s responsibility and determines whether the device is built with security in mind; configuration, a shared responsibility between the manufacturer, which should provide vendor hardening guides, and the organization implementing the device; and maintenance, meaning the timely application of the most recent software, firmware, operating system, and security updates and patches. Addressing these factors is critical to mitigating risks and enhancing the overall security posture of edge devices within an organization’s network.
In September, the NSA, in collaboration with the Federal Bureau of Investigation (FBI), the U.S. Cyber Command’s Cyber National Mission Force (CNMF), and international allies, determined that cyber actors linked to the People’s Republic of China (PRC) had established a network of compromised nodes, known as a ‘botnet,’ intended for malicious activities.
Using this botnet, the hackers compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and IoT devices. The hackers may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted U.S. networks.
