Networking infrastructure, and the software and hardware that it consists of, is critical infrastructure of the utmost importance. Failing to protect these systems carries not only a heightened business risk but also a risk to the technologies that our entire society relies on to function. Today, misconfigured or end-of-life products represent a massive attack surface for adversaries, and communication gaps between product vendors and consumers add additional challenges.

To that end, the Network Resilience Coalition makes several recommendations on best practices for both vendors and users of network products. The Coalition believes that any potential additional costs incurred by these practices are outweighed by the downstream mitigation of disruptive or damaging incidents and further justified by the broad impact of increasing network resilience across the board.

The NRC recommends that vendors of network products:

  • Align their software development practices with the NIST Secure Software Development Framework (SSDF)
  • Provide clear and concise product “end-of-life” details: specific dates, date ranges, and the level of support to expect within each date range
  • Avoid combining critical security fixes from updates with new features or functionality enhancements
  • Consider participation in the OpenEoX effort in OASIS, a cross-industry effort to standardize the way end-of-life information is communicated and to provide it in a machine-readable format.

The NRC recommends that consumers and purchasers of network products:

  • Align their product procurement requirements with the above recommendations by favoring vendors that are aligned with the SSDF, that provide clear end-of-life information, and that plan to provide separate critical security fixes
  • Increase cybersecurity vigilance (vulnerability scanning, configuration management) on products they elect to rely upon outside of their support period
  • Periodically ensure that product configuration is aligned with vendor recommendations, with increasing frequency as products age
  • Consider participation in the OpenEoX effort in OASIS, a cross-industry effort to standardize the way end-of-life information is communicated and to provide it in a machine-readable format.

Coalition members, both vendors and consumers, agree that these recommendations, if broadly implemented, would lead to a more secure and resilient global network infrastructure. It is the opinion of the group that this is mutually beneficial to all participants of the network product market, and that it also makes major strides in better protecting the critical infrastructure that people rely on for their livelihoods and well-being. 

Stephen Banghart
