[CDP-development] CISA Issues Directive to Mitigate the Risk from Internet-Exposed Management Interfaces - A Model for Stakeholders
Masse, Theresa
theresa.masse at cisa.dhs.gov
Tue Jun 13 08:52:52 PDT 2023
FYSA
Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Directive, Binding Operational Directive 23-02<https://cisa.gov/news-events/directives/binding-operational-directive-23-02>, that requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.
While this Directive only applies to federal civilian executive branch agencies, the threat extends to every sector and we urge all organizations to adopt this guidance.
Threat actors have too frequently used certain classes of network devices to gain unrestricted access to organizational networks, leading to full-scale compromises. Inadequate security, misconfigurations, and out-of-date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet.
Implementing appropriate controls and mitigations outlined in this directive is a necessary step to reducing unnecessary risk to your network enterprise. Organizations should consider using all available capabilities to automatically identify networked management interfaces exposed to the public-facing internet. Examples of such capabilities include CISA's Cyber Hygiene Services<https://www.cisa.gov/topics/cyber-threats-and-advisories/cyber-hygiene-services>.
As always, thank you for your continued collaboration.
Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov