Even the best security solutions can become liabilities if not maintained.
Let’s face it; keeping up with the onslaught of security vulnerability warnings can be daunting. In addition to the volume of information, it takes time to certify the patch or image, schedule a maintenance window and roll it out to your production environment and then validate that all the target devices were updated and are still working properly.
It can be tempting to let a software update—or two or three—pass by before updating your network devices. This is a trend we’ve been observing with some of our customers running Cisco IOS (Internetwork Operating System), which is a family of software used on most Cisco routers and current Cisco network switches. Cisco’s research corroborates our findings, too. In the Cisco 2016 Annual Security Report, the Cisco Security research team revealed the results of a one-day scanning and analysis exercise of Cisco devices on the internet and across customer environments. Out of 115,000 tested, 106,000 were found to have known vulnerabilities in the software they were running. In fact, some of the end users in the financial, healthcare and retail verticals were using versions of Cisco software that were more than six years old.
I can tell you from experience that when we receive calls about a malware outbreak or network security breach, outdated security software signatures are almost always involved.
Before you put the next Cisco IOS software update on the backburner, consider a few pointers from Cisco’s Security Vulnerability Policy:
- Cisco Security Advisories provide detailed information about significant security issues that directly involve Cisco products and require an upgrade, fix or other customer action.
- Cisco Security Notices document low- and medium-severity security vulnerabilities that directly involve Cisco products but don’t warrant the visibility of a Cisco Security Advisory.
The point to keep in mind here is that you can get away with not acting on every notice, but all Cisco Security Advisories should be heeded. Cisco generally discloses Security Advisories on Wednesdays, and it releases two scheduled Cisco IOS Software bundles each year—on the fourth Wednesday in March and the fourth Wednesday in September—per its Security Vulnerability Policy.
Getting too far behind on Cisco IOS software updates has other downsides, too. For example, if a new Security Advisory is released with a highly critical vulnerability that may impact hundreds of different products, it will be difficult to identity the impacted devices in a timely fashion. Furthermore, software version control is a best practice while deploying consistent software versions on similar network devices. This improves the chance for validation and testing on the chosen software versions and greatly limits the amount of software defects and interoperability issues found in the network. Limited software versions also reduce the risk of unexpected behavior with user interfaces, command or management output, upgrade behavior and feature behavior. This makes the environment less complex and easier to support. Overall, software version control improves network availability and helps lower reactive support costs. In other words, the extra time and effort invested now will pay off down the road.
Adam Davis, CEO, Next Dimension Inc