NOTE: This is Part 2 of a multi-part blog post about network compliance.
In Part 1 of this blog series, I introduced the concept of three-dimensional (3-D) Compliance, and shared some of the related experience and research data that have shaped my thinking around the topic. It’s clear that we need to improve efforts to establish and maintain compliance, which unfortunately often lag the vulnerabilities that threaten our networks. Compliance nirvana is somewhat like the proverbial fox chasing the rabbit around the race track; you’re always trying to keep up and you need the best tools possible so you don’t fall behind.
EXAMPLE – Cisco CVE-2018-0171
To understand the complex relationships of these three dimensions, let’s take a look at a recent serious vulnerability exposed on many Cisco devices. The Common Vulnerabilities and Exposures (CVE) entry CVE-2018-0171 was acknowledged by the vendor on March 28, 2018, and had a NIST/NVD severity of 9.8 out of 10. That is certainly not something you should put off addressing in your network.
The issue is that Cisco Smart Install, a tool installed on these devices, is enabled. It opens a hole for unauthorized access to the device through an unsecured port. Smart Install is commonly used by network engineers to simplify their work, but it is not something found in the configuration of these devices; detecting it requires Running State show commands. Unfortunately, as is common in a hectic work environment, clean-up after priority tasks is often skipped, so the tool is left enabled. You can read more about this CVE on Cisco’s website: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
This open port provides a method of inserting malicious code onto the device, for example to cause an indefinite loop to run, causing a DDoS on the affected device.
This vulnerability also allows hackers to reconfigure your devices in ways that don’t immediately cause concern: the change is symptom free, meaning there are no negative symptoms to alert network staff. In effect, this leaves a “door open” for a later attack, such as accessing databases where confidential information is stored.
We are now getting closer to compliance nirvana, but there’s more to this story.
Two CVE Closure Methods in Network Operations Management
Knowing that each company has different response protocols for dealing with CVEs, NOM provides two ways for customers to close the door:
1 – The Micro Focus ITOM Marketplace provides a security and compliance service (available by subscription for NA customers, and included for NOM Ultimate customers). This service provides policies for customers to automatically download and import into NOM. More information about this service can be found here. Customers may also add their company-specific configuration rules to what we supply, for their own unique network needs. This service saves time and resources since the policies are all pre-configured and are automatically downloaded.
2 – Customers can create their own compliance policy to check the running state for Smart Install being enabled, and can disable it as a quick fix. This is a critical option for customers who need to close the vulnerability as fast as possible, then later combine their own policy with standard NOM policies. As you know, triage is an important element of every network engineer’s arsenal of tools.
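One way to express the running-state check from option 2, as an added example (not NOM's policy format and not code from the original post): it classifies the output of the IOS command `show vstack config` per device. The hostnames, the sample captures and the status names are constructed for illustration, and treating an unsupported command as "not applicable" is an assumption.

```python
import re

# Constructed sample captures of `show vstack config` (hostnames and values are made up).
SAMPLES = {
    "access-sw-01": " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
    "access-sw-02": " Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n",
    "dist-sw-01": " Role: Director\n Vstack Director IP address: 10.0.0.1\n",
    "old-rtr-01": "% Invalid input detected at '^' marker.\n",
}

# Matches the role line and, when present, the client enabled/disabled state.
ROLE_RE = re.compile(r"^\s*Role:\s*(\w+)(?:\s*\(SmartInstall\s+(\w+)\))?", re.M | re.I)


def check_smart_install(output):
    """Classify one device's `show vstack config` output as (status, detail)."""
    if "% Invalid input" in output:
        # Assumption: the image does not know the command, so the feature is absent.
        return "NOT_APPLICABLE", "vstack command not supported"
    m = ROLE_RE.search(output)
    if not m:
        # Fail closed: output that cannot be parsed must never count as a pass.
        return "UNKNOWN", "could not parse role line"
    role, state = m.group(1).lower(), (m.group(2) or "").lower()
    if role == "client" and state == "enabled":
        return "VIOLATION", "Smart Install client enabled; quick fix is 'no vstack'"
    if role == "client" and state == "disabled":
        return "COMPLIANT", "Smart Install client disabled"
    if role == "director":
        return "REVIEW", "director role; confirm it is intended"
    return "UNKNOWN", "unrecognised role/state: %s %s" % (role, state)


def audit(captures):
    """Run the check over {hostname: output} and return {hostname: status}."""
    return {host: check_smart_install(out)[0] for host, out in captures.items()}


if __name__ == "__main__":
    for host, out in sorted(SAMPLES.items()):
        status, detail = check_smart_install(out)
        print("%-14s %-15s %s" % (host, status, detail))
```

Because the check reads command output rather than the saved configuration, it catches the case described above where Smart Install is enabled but nothing in the configuration shows it.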
Summary of 3-D Compliance…
While many network engineering departments have focused, and continue to focus, on a single dimension, 3-D Compliance looks at all three dimensions of network compliance, including factoring in what is actually happening on the device now. Not considering interactions between all dimensions can lead to unknowingly leaving your network open to vulnerabilities, resulting in data loss, down-time, and potential penalties.
Have we achieved compliance nirvana yet? No, but we certainly can employ a model to look holistically at our network security and use tools that help enable it.
In Part 3, I’ll look at how you can maintain your 3-D Compliance over time.
For more information, contact your Micro Focus representative or visit:
Network Operations Management