CISA Issues Comprehensive Guide to Safeguard Network Edge Devices

June 18, 2025

At Blackwired, we have repeatedly stressed the dangers faced by network edge devices, including routers, firewalls, VPN gateways, IoT devices, internet-facing servers, and industrial operational technology devices. In recent years, threat actors have taken advantage of increased knowledge-sharing capabilities to leverage zero-day vulnerabilities against these edge devices, facilitating a whole new set of attack vectors that do not require social engineering or, in some cases, any significant technical skill. Protecting these devices has become a top priority for security personnel, and CISA, in partnership with the Five Eyes alliance, has provided new instructions on what steps to take to ensure that protection.

Four documents have been released in total: Security Considerations for Edge Devices, Digital Forensics Monitoring Specifications for Products of Network Devices and Applications, and Mitigation Strategies for Edge Devices: Executive Guide and Practitioner Guidance. While full consultation of these documents is strongly recommended, we will provide a summary of the documents here to give a broad picture of what they instruct.

Security Considerations for Edge Devices is a document created by the Canadian Centre for Cyber Security (CCCS) that provides real-world examples of edge device compromise to demonstrate in practical terms how such subversion occurs. The document covers misconfigurations, vulnerability exploitation, denial of service, and web application compromise. The examples given include the FortiOS vulnerability exploited by Volt Typhoon in 2024. The document also provides several basic recommendations for how to strengthen edge devices, such as implementing centralized logging and requiring multi-factor authentication for all administrative access.

Digital Forensics Monitoring Specifications for Products of Network Devices and Applications is a document created by the United Kingdom’s National Cyber Security Centre (NCSC-UK). It is oriented towards security personnel and investigators and is mainly concerned with the data collection necessary to correctly monitor the security posture of edge devices. Its primary focus is implementing stronger logging standards, given that most edge devices lack the kind of logging process necessary to detect intrusion. Examples of data that need to be logged include authentication, technical support events, process creation, file system creation and modification, and dynamic loading and unloading of modules and libraries. All of these could be valuable signs of intrusion. The document also argues for the use of security information and event management (SIEM) tools to maximize endpoint protection.
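As an added illustration (not code from this post or from any of the documents it summarises), the script below applies the NCSC-UK event categories listed above to constructed syslog lines from a hypothetical firewall, reporting which categories the device never logs and flagging the two events a SIEM rule would want first: administrative access without MFA and dynamic module loading. The device name, message wording and regexes are assumptions to be mapped onto a real vendor's log format.

```python
import re

# Event categories the NCSC-UK specification (as summarised above) expects an
# edge device to log. The regexes are ASSUMPTIONS about one device's syslog
# wording; map them to the vendor's real message formats before use.
CATEGORIES = {
    "authentication":    re.compile(r"\b(login|logon|auth)\b", re.I),
    "support_event":     re.compile(r"\b(support|debug-access)\b", re.I),
    "process_creation":  re.compile(r"\bprocess (started|created|spawned)\b", re.I),
    "filesystem_change": re.compile(r"\bfile (created|modified|written)\b", re.I),
    "module_load":       re.compile(r"\b(module|library)\b.*\b(loaded|unloaded)\b", re.I),
}
SYSLOG = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample lines from a hypothetical firewall "fw-edge-01".
SAMPLE = """\
<86>2025-06-18T02:11:09Z fw-edge-01 sshd: admin login accepted from 203.0.113.7 mfa=yes
<86>2025-06-18T02:13:42Z fw-edge-01 sshd: admin login accepted from 198.51.100.9 mfa=no
<30>2025-06-18T02:14:01Z fw-edge-01 kernel: module vpnhelper loaded from /tmp/vpnhelper.ko
<30>2025-06-18T02:14:05Z fw-edge-01 init: process started pid=4471 cmd=/tmp/vpnhelper
""".splitlines()

def parse(line):
    """Split one syslog line into ts/host/msg and tag it with a category (or None)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["category"] = next((c for c, rx in CATEGORIES.items() if rx.search(ev["msg"])), None)
    return ev

def coverage_gaps(lines):
    """Categories the device never emitted: each one is a forensic blind spot."""
    seen = {ev["category"] for ev in map(parse, lines) if ev and ev["category"]}
    return sorted(set(CATEGORIES) - seen)

def findings(lines):
    """Events that merit investigation: admin access without MFA, module loads."""
    out = []
    for ev in filter(None, map(parse, lines)):
        if ev["category"] == "authentication" and "admin" in ev["msg"] and "mfa=no" in ev["msg"]:
            out.append((ev["ts"], ev["host"], "admin login without MFA"))
        elif ev["category"] == "module_load":
            out.append((ev["ts"], ev["host"], "dynamic module load/unload: " + ev["msg"]))
    return out

if __name__ == "__main__":
    print("logging gaps:", coverage_gaps(SAMPLE))
    for f in findings(SAMPLE):
        print("investigate:", *f)
```

Run against a real export, the gap list tells you which of the document's categories the device cannot currently evidence, which is the first thing an investigator will ask for after a compromise.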

Mitigation Strategies for Edge Devices is a set of two documents created by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). As the name implies, the documents mainly focus on principles of edge hardening and reducing risk from network devices. The executive guide mainly covers high-level decisions that can be taken towards this end, including the prioritization of secure-by-design devices in procurement, applying vendor-specific hardening guidance, and compliance with various national cybersecurity frameworks, including Australia’s Essential Eight maturity model (E8MM).

By acting in accordance with these documents, enterprises and security personnel can greatly mitigate their risk of edge device compromise. It is therefore recommended that users study them thoroughly. Even users in unrelated fields will benefit from understanding the risks involved.
