The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued a Binding Operational Directive (BOD) 23-02, which aims to mitigate the risk posed by internet-exposed management interfaces. In response to this directive, researchers at Censys have discovered hundreds of devices that need to be secured in order to comply with the requirements.
Censys researchers conducted an analysis of over 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations, examining the attack surfaces and services running on their hosts. Through this investigation, they identified more than 13,000 distinct hosts across more than 100 autonomous systems associated with these entities. Among these hosts, Censys found hundreds of publicly exposed devices that fall within the scope outlined in the directive.
These exposed devices include various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances.
The discovery of these internet-exposed devices in violation of the new CISA directive has raised concerns among industry experts. Tomer Bar, VP of Security Research at SafeBreach, noted that threat actors actively target exposed devices with remote management interfaces due to the ease of achieving initial access. Unlike other attack vectors that require action from the victim, exploiting exposed devices does not require any action, making them an attractive target for malicious actors. Bar emphasized the importance of self-checks like network scanning and actively enumerating one’s own network to enhance overall security and protect sensitive data.
Ron Fabela, Field CTO at XONA Systems, pointed out that network device exposure and vulnerabilities have long been a concern for federal agencies. While the exposure of management interfaces for perimeter devices poses high risks, removing these interfaces from the internet may hinder remote management capabilities and compliance with the directive’s timeline. Fabela suggested implementing zero trust access control as an alternative, but acknowledged that it only addresses security controls of account access, not the vulnerabilities of the exposed remote services. He emphasized the need to reduce the attack surface of critical systems, such as network devices and industrial control systems, to improve cybersecurity.
Overall, the CISA directive has prompted a response from researchers and experts in the industry. While some express alarm at the number of internet-exposed devices that need to be secured, others recognize the importance of taking action to restrict or remove internet-facing management access. The directive serves as a reminder for federal agencies and public-facing enterprises to prioritize the security of their networks and protect sensitive data from unauthorized access and cyber threats. It is crucial to implement continuous security evaluation processes and stay updated on new vulnerabilities to minimize exposure duration and prevent exploitation.
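The self-checks Bar recommends and the continuous evaluation the closing paragraph calls for both come down to the same routine question: which of our own hosts expose a management interface from a public address? The script below is an added illustration, not code from Censys, CISA or anyone quoted in the article. It runs over a constructed inventory of service records (the kind an external scan of your own ranges would produce) and flags records that look like device management interfaces reachable from the internet, using the device families the article names (ASDM, Cradlepoint, Fortinet, SonicWall) as banner keywords. The port list, keyword list and sample records are assumptions for the example; the sample uses RFC 5737 documentation addresses to stand in for public IPs, which is why the routability check uses an explicit non-routable list instead of `ipaddress.is_global` (which would reject documentation ranges).

```python
"""Flag internet-exposed management interfaces in an asset inventory.

Added example (not Censys, CISA or vendor code). Input is a list of
service records from a scan of your own address space; output is the
subset that BOD 23-02 would have you remove from the internet or place
behind an internal / zero-trust access path.
"""
import ipaddress

# Assumed: ports that are management interfaces regardless of banner.
MGMT_PORTS = {
    22: "SSH",
    23: "Telnet",
    161: "SNMP",
    3389: "RDP",
    8443: "HTTPS-alt admin",
}

# Assumed: banner keywords for the device families the article names.
# A web UI on 443 from one of these is a management interface.
MGMT_PRODUCT_KEYWORDS = (
    "adaptive security device manager",
    "cradlepoint",
    "fortinet",
    "fortigate",
    "sonicwall",
)

# Address ranges that cannot be reached from the public internet:
# RFC 1918, loopback, link-local and CGNAT. Documentation ranges are
# deliberately NOT listed so the constructed sample below counts as public.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "127.0.0.0/8",
        "169.254.0.0/16",
        "100.64.0.0/10",
    )
]

# Constructed sample inventory (documentation IPs stand in for public ones).
CONSTRUCTED_INVENTORY = [
    {"ip": "203.0.113.10", "port": 443, "product": "Cisco Adaptive Security Device Manager"},
    {"ip": "203.0.113.11", "port": 443, "product": "Apache httpd"},
    {"ip": "203.0.113.12", "port": 22, "product": "OpenSSH"},
    {"ip": "10.20.0.5", "port": 443, "product": "SonicWall SonicOS web UI"},
    {"ip": "198.51.100.7", "port": 8443, "product": "Cradlepoint NetCloud router"},
    {"ip": "198.51.100.8", "port": 80, "product": "nginx"},
]

REMEDIATION = (
    "Remove from the internet, or restrict to an internal network or "
    "zero-trust access path per BOD 23-02."
)


def is_internet_facing(ip: str) -> bool:
    """True when the address is outside every non-routable range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def classify(record: dict):
    """Return the kind of management interface a record exposes, or None."""
    if record["port"] in MGMT_PORTS:
        return MGMT_PORTS[record["port"]]
    product = record.get("product", "").lower()
    if any(keyword in product for keyword in MGMT_PRODUCT_KEYWORDS):
        return "device web admin UI"
    return None


def find_exposed_management(inventory):
    """Records that are both a management interface and internet-facing."""
    findings = []
    for rec in inventory:
        kind = classify(rec)
        if kind is None or not is_internet_facing(rec["ip"]):
            continue
        findings.append(
            {
                "ip": rec["ip"],
                "port": rec["port"],
                "kind": kind,
                "product": rec["product"],
                "remediation": REMEDIATION,
            }
        )
    return findings


if __name__ == "__main__":
    for f in find_exposed_management(CONSTRUCTED_INVENTORY):
        print(f"{f['ip']}:{f['port']} {f['kind']} ({f['product']}) -> {f['remediation']}")
```

Run against a real export, the useful part is not the three lines it prints but running it on a schedule and diffing the result: a finding that appears between two runs is exactly the "exposure duration" the article says should be kept to a minimum. Hosts that are internal (the SonicWall on 10.20.0.5 here) are left out on purpose; the directive concerns interfaces reachable from the internet, and the internal ones are a separate hardening question.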
