Feds Say: Secure Internet Exposed Network Devices

While this Binding Operational Directive (BOD 23-02) only LEGALLY applies to federal civilian executive branch agencies, you would be wise to follow their advice.

Basically, the directive says that if you have a network device such as a firewall or router, or anything else, including Internet of Things and Industrial Internet of Things devices, that can be managed from the public Internet (say, by a hacker in North Korea), and you are one of those agencies, you have 14 days to fix the problem.

There are two ways to fix that – one is annoying and the other is hard. The annoying but relatively easy way is to disable the ability to manage these devices from the Internet. That would mean that you would either need to be on site to manage the devices or VPN in.

Exempted from this requirement are cloud services that must be managed from the Internet. Note that cloud servers from your favorite cloud provider do not qualify as exempt.

Harder to deal with will be IoT and IIoT devices, which may not have the ability to do this.

The second option is to implement zero-trust (in two weeks) in a way that is controlled by a device that is not the device being managed. I would say that this is basically impossible in two weeks.

We have told clients for years to implement option one.
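To see where option one still needs to be applied, the following added example (not part of the original alert or the directive) audits an export of management-interface allow rules and flags any that admit sources outside internal or VPN address space. The record layout, device names, and the choice of RFC 1918 ranges as the trusted set are assumptions for illustration.

```python
import ipaddress

# Networks from which management is acceptable (assumption: RFC 1918 space,
# which here includes the VPN address pool). Adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one row per management-interface allow rule,
# as might be exported from device configs. All names are hypothetical.
SAMPLE_ACL = [
    {"device": "edge-fw-01", "service": "https-admin", "allowed_src": "0.0.0.0/0"},
    {"device": "edge-fw-01", "service": "ssh", "allowed_src": "10.8.0.0/24"},
    {"device": "plc-gw-07", "service": "telnet", "allowed_src": "203.0.113.0/24"},
    {"device": "core-sw-02", "service": "snmp", "allowed_src": "192.168.10.0/24"},
    # Looks internal, but the /7 mask also covers public 11.0.0.0/8.
    {"device": "cam-nvr-03", "service": "http-admin", "allowed_src": "10.0.0.0/7"},
]


def is_internal_only(cidr):
    """True only if the whole source range sits inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False  # this sketch treats IPv6 sources as untrusted
    # Explicit containment check; ip_network.is_private is not used because
    # it reports 0.0.0.0/0 and documentation ranges as private.
    return any(net.subnet_of(trusted) for trusted in TRUSTED_NETS)


def find_exposed(acl):
    """Return (device, service, source) for rules admitting untrusted sources."""
    return [(r["device"], r["service"], r["allowed_src"])
            for r in acl if not is_internal_only(r["allowed_src"])]


if __name__ == "__main__":
    for device, service, src in find_exposed(SAMPLE_ACL):
        print(f"EXPOSED {device} {service} manageable from {src}")
```

Devices that cannot restrict their own management interface, as with some IoT and IIoT gear, would need the same rule enforced on an upstream firewall and audited there.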

Even if you are not legally required to comply as part of this BOD, you should.

If you need help with this or have questions, please contact us.

Credit: Bleeping Computer