“Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Directive, Binding Operational Directive 23-02, that requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.
“While this Directive only applies to federal civilian executive branch agencies, the threat extends to every sector and we urge all organizations to adopt this guidance.
“Threat actors have too frequently used certain classes of network devices to gain unrestricted access to organizational networks leading to full-scale compromises. Inadequate security, misconfigurations, and out-of-date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet.