On August 17, 2016, Cisco announced a high-severity vulnerability for Cisco ASA firewalls. The discovery of the vulnerability is an interesting read, but I’ll let them cover the story and not rehash it here. No patch is available yet, but following IT best practices will minimize the risk to your systems. As each United Way manages its local network equipment or outsources it to a local vendor, we recommend verifying that the following standards are applied to all systems:
Default passwords are changed on all equipment. SNMP community strings are a type of password, and should never be left with vendor defaults. Because the term “SNMP community string” doesn’t contain the word “password”, these strings are easy to overlook even with proper policies and procedures in place.
Management interfaces should not be accessible on the public internet. If the management interface is accessible to the world, any vulnerability in it is exploitable by anyone with internet access. One quick way to test this is to type “What is my ip” into Google, then search for that IP address in the search engine Shodan. Ideally Shodan won’t display any results; if it does, a management interface might be publicly available.
Apply all patches to systems in a timely manner. Frequently local network infrastructure gets ignored as it “just works” and is hidden away in a closet (or perhaps behind a desk). Some equipment auto-updates, or can be configured to — and we recommend you configure it to — but always verify that the updates are happening. Network equipment runs software, much like any workstation or server, and most need periodic maintenance.
These standards should be a part of the IT policies and procedures followed by local IT staff or managed providers, but if you haven’t verified this, now is the time to do so. While Upic doesn’t manage the network equipment, we’re happy to advise or assist all United Ways with their technology. Please reach out to the Upic Help Desk by ticket or email.
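The first two standards can also be checked offline against a saved copy of a firewall's configuration. The script below is an added example, not part of the original advisory and not Cisco tooling. It assumes ASA-style `snmp-server`, `ssh`, `telnet` and `http` lines, an internet-facing interface named `outside`, a short assumed list of default community strings, and that an exported configuration may mask the string as `*****`; the sample configuration is constructed.

```python
import re

# Assumed list of common vendor-default community strings; extend for your equipment.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}
MGMT_RE = re.compile(r"^(ssh|telnet|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
HOST_RE = re.compile(r"^snmp-server host (\S+) ")
COMM_RE = re.compile(r"^snmp-server (?:host .*? )?community (\S+)")

# Constructed sample in ASA running-config style (documentation IP ranges only).
SAMPLE_CONFIG = """\
hostname example-asa
snmp-server community public
snmp-server host outside 203.0.113.10 community public version 2c
snmp-server host inside 10.0.0.5 community *****
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh 198.51.100.7 255.255.255.255 outside
"""


def audit_asa_config(text, public_interfaces=("outside",)):
    """Return (line_number, severity, message) findings for the two checks."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace before matching
        m = MGMT_RE.match(line)
        if m and m.group(4) in public_interfaces:
            proto, net, mask, iface = m.groups()
            if (net, mask) == ("0.0.0.0", "0.0.0.0"):
                findings.append((n, "HIGH", f"{proto} management open to any address on {iface}"))
            else:
                findings.append((n, "MEDIUM", f"{proto} management on {iface} from {net} {mask}"))
        h = HOST_RE.match(line)
        if h and h.group(1) in public_interfaces:
            findings.append((n, "HIGH", f"SNMP host configured on public interface {h.group(1)}"))
        c = COMM_RE.match(line)
        if c:
            community = c.group(1)
            if set(community) == {"*"}:  # masked in the export, cannot be judged here
                findings.append((n, "INFO", "community string masked; verify it manually"))
            elif community.lower() in DEFAULT_COMMUNITIES:
                findings.append((n, "HIGH", f"default SNMP community string '{community}'"))
    return findings


if __name__ == "__main__":
    for n, severity, message in audit_asa_config(SAMPLE_CONFIG):
        print(f"line {n}: [{severity}] {message}")
```

A clean result only covers what the saved configuration shows; the Shodan lookup described above remains the check of what is actually reachable from outside.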