Learn from Microsoft's mistakes: Cisco told
The networking giant has been under fire after security researcher Michael Lynn last week outlined how to attack its Internetworking Operating System (IOS) to gain control over and shut down a router.
Lynn's disclosure was based around a flaw in IOS that was patched in April. On Tuesday, AusCERT advised all companies to upgrade their Cisco routers with the latest version of the operating system.
Neal Gemassmer, Patchlink Asia-Pacific vice president, told ZDNet Australia that although patching routers and network hardware is usually far more "labour intensive" than updating desktops and servers, it could be made easier if companies like Cisco developed a Windows Update-type infrastructure and vulnerability reporting mechanism.
"It would be good to have something similar to what Microsoft has done, which is to be more open when vulnerabilities are assessed, having databases against that and having a streamlined way of providing updates. Microsoft has done very well in streamlining the process," said Gemassmer.
Gartner senior research analyst Bjarne Munch concurred with Gemassmer, and believes Cisco will have to make a "concerted effort" to create a robust and integrated patching infrastructure.
"They could learn from the experience Microsoft has gone through -- I don't think anyone would say Microsoft has really solved all the problems either [yet] but they are trying.
"The big difference is Microsoft today and Microsoft of five or ten years ago. They realised that this is a key issue and is making a concerted effort ... Cisco is going to have to make the same effort," Munch said.
Shing Quah, associate telecommunications analyst at research group IDC, said that patching network hardware is currently a "technical challenge".
"With a WAN (wide area network) infrastructure it is possible [to add patches and software upgrades] but it is much more intensive. It's not like software where you can download a patch and then push it out to all users. It's much more time consuming and a bigger technical challenge," said Quah.
On Wednesday, following an alert from AusCERT, ZDNet Australia reported that most organisations rarely patch or update the software on their network hardware, which could result in a significant proportion of vulnerable Cisco routers.
This is especially worrying since after his now infamous presentation, security researcher Lynn said he risked the legal wrath of Cisco and his former employer ISS (Internet Security Systems) because he believed the vulnerability was dangerous.
"It is very serious because right now the mindset is such that nobody really considered this possible -- so nobody had a plan. What is really important is that we get the problem fixed before it is at the level where somebody can write a worm," said Lynn at a press conference in Las Vegas the day after his Black Hat presentation.
Lynn explained that a worm could be designed to "destroy hardware".
"This could actually destroy the routers ability to turn on again ... certain instructions in certain parts of memory in the router tell it how to turn on .... It is one of those rare cases where software can destroy hardware," said Lynn.
Gartner's Munch emphasised that it's not just vendors that should take the blame for the lack of a network hardware patching system because enterprises should be taking the matter more seriously.
"A lot of enterprises have got to look inside as well because they haven't placed a lot of focus on patch management -- you can't say it's just Cisco or Microsoft. These enterprises don't even have their processes in place yet and that is an even more significant issue," said Munch.
Cisco declined to comment when contacted.