Jeez, this one hits from a corner I didn't suspect as likely.
But, rule no. 1 in InfoSec... there's never a dull day in InfoSec... much like in Crypto "WINK, WINK"... Hahaha!
Layer 2 protocols, and especially the Cisco Discovery Protocol (CDP), through which directly connected Cisco devices advertise themselves to each other (and which, hop by hop, lets you map the Cisco devices on a network), did not seem to me a likely origin for malicious stuff.
Everyone who has ever administered a Cisco switch/router environment will very likely have used CDP, which is especially helpful for troubleshooting, too.
The "sh cdp neighbors" command, for instance, lists the directly connected Cisco devices with additional information such as device ID, platform, capabilities and the ports on both ends of the link.
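To make concrete what a CDP announcement looks like on the wire, and what a neighbor has to parse to build that table, here is an added example written for this edit. It is not code from this post, from the linked article or from Cisco: a small Python parser that decodes the TLVs "sh cdp neighbors" summarises from a raw 802.3/LLC/SNAP frame and, because every length field in a CDP frame is chosen by whoever sent it, refuses to index with a length that does not fit inside the frame. The frame layout, multicast address and TLV type numbers are standard CDP; the device names, IP and MAC addresses are made up for the example, and the checksum check is only implemented for even-length payloads.

```python
# CDP (Cisco Discovery Protocol) frame parser plus a builder for test frames. Added example
# for this post, not code from the linked article, the researchers or Cisco: it decodes the
# TLVs behind "sh cdp neighbors" and refuses to trust a TLV length that does not fit the frame.
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")       # destination of every CDP frame
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")  # LLC + SNAP: Cisco OUI, PID 0x2000
TLV = {"device_id": 0x0001, "addresses": 0x0002, "port_id": 0x0003,
       "capabilities": 0x0004, "software_version": 0x0005, "platform": 0x0006}
TLV_NAME = {v: k for k, v in TLV.items()}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}

class CdpParseError(ValueError):
    """Frame is not CDP, or one of its length fields is inconsistent with the frame."""

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over an even-length buffer (Cisco's odd-length variant is left out)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_tlvs(data: bytes) -> list:
    """Split the CDP body into (type, value) pairs, validating every length field."""
    tlvs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise CdpParseError("truncated TLV header at offset %d" % offset)
        ttype, tlen = struct.unpack("!HH", data[offset:offset + 4])
        # The length includes its own 4-byte header and is peer-controlled: never index with it
        if tlen < 4 or offset + tlen > len(data):
            raise CdpParseError("TLV 0x%04x: length %d does not fit the frame" % (ttype, tlen))
        tlvs.append((ttype, data[offset + 4:offset + tlen]))
        offset += tlen
    return tlvs

def parse_addresses(value: bytes) -> list:
    """Addresses TLV: 4-byte count, then (proto type, proto len, proto, addr len, addr) entries."""
    if len(value) < 4:
        raise CdpParseError("addresses TLV shorter than its count field")
    addrs, offset = [], 4
    for _ in range(struct.unpack("!I", value[:4])[0]):
        if len(value) - offset < 2 or len(value) - offset < 4 + value[offset + 1]:
            raise CdpParseError("truncated address entry")
        ptype, plen = value[offset], value[offset + 1]
        alen = struct.unpack("!H", value[offset + 2 + plen:offset + 4 + plen])[0]
        proto, addr = value[offset + 2:offset + 2 + plen], value[offset + 4 + plen:offset + 4 + plen + alen]
        if len(addr) != alen:
            raise CdpParseError("address length runs past the TLV")
        offset += 4 + plen + alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
            addrs.append(".".join(str(b) for b in addr))
    return addrs

def parse_cdp_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying CDP into the fields a neighbor table shows."""
    if len(frame) < 26 or frame[:6] != CDP_MULTICAST_MAC or frame[14:22] != LLC_SNAP_CDP:
        raise CdpParseError("not a CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]      # 802.3 length: LLC/SNAP + CDP payload
    payload = frame[22:14 + length]                    # trailing Ethernet padding is ignored
    if len(payload) != length - 8 or len(payload) < 4:
        raise CdpParseError("802.3 length field does not match the frame")
    if len(payload) % 2 == 0 and ones_complement_checksum(payload) != 0:
        raise CdpParseError("bad CDP checksum")
    neighbor = {"source_mac": frame[6:12].hex(":"), "version": payload[0], "ttl": payload[1]}
    for ttype, value in parse_tlvs(payload[4:]):
        name = TLV_NAME.get(ttype)
        if name == "addresses":
            neighbor[name] = parse_addresses(value)
        elif name == "capabilities":
            if len(value) < 4: raise CdpParseError("capabilities TLV shorter than 4 bytes")
            neighbor[name] = [n for b, n in CAPABILITY_BITS.items() if struct.unpack("!I", value[:4])[0] & b]
        elif name:                                     # the other known TLVs are text
            neighbor[name] = value.decode("ascii", errors="replace")
    return neighbor

def build_cdp_frame(src_mac: bytes, tlvs: list, ttl: int = 180) -> bytes:
    """CDP v2 frame from (type, value[, claimed_len]) tuples; claimed_len forges a bad length (test helper)."""
    body = b"".join(struct.pack("!HH", t, claimed[0] if claimed else 4 + len(v)) + v
                    for t, v, *claimed in tlvs)
    payload = bytes([2, ttl, 0, 0]) + body                          # checksum field zeroed
    if len(payload) % 2:
        raise ValueError("this example's checksum only covers even-length payloads")
    payload = payload[:2] + struct.pack("!H", ones_complement_checksum(payload)) + payload[4:]
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", 8 + len(payload)) + LLC_SNAP_CDP + payload

# Constructed announcement from a hypothetical core switch (names and addresses made up).
SAMPLE_FRAME = build_cdp_frame(bytes.fromhex("001122334455"), [
    (TLV["device_id"], b"SW-CORE-01"),
    (TLV["addresses"], b"\x00\x00\x00\x01" + b"\x01\x01\xcc" + b"\x00\x04" + bytes([10, 0, 0, 1])),
    (TLV["port_id"], b"GigabitEthernet1/0/1"),
    (TLV["capabilities"], struct.pack("!I", 0x28)),                 # Switch + IGMP
    (TLV["platform"], b"cisco WS-C3750X")])

# Constructed hostile announcement: its port ID TLV claims 0x4000 bytes, but only 3 follow.
MALFORMED_FRAME = build_cdp_frame(bytes.fromhex("00112233ff01"),
                                  [(TLV["device_id"], b"bad"), (TLV["port_id"], b"Gi1", 0x4000)])
```

Every host on the same Layer 2 segment receives these frames, since they are sent to the multicast address 01:00:0c:cc:cc:cc, and every host can send one; that is all the "some access" the article quote talks about amounts to. parse_cdp_frame(SAMPLE_FRAME) returns the device ID, address, port, capabilities and platform fields that the CLI prints, while MALFORMED_FRAME is rejected with a CdpParseError instead of being indexed with the forged length. To try it on real traffic, pass the raw bytes of a CDP frame from a capture.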
However, see this statement from the linked article...
“So it’s not an attack that necessarily is coming from the internet,” Seri told Threatpost. “The attacker needs to have some access, but if you have some very low-grade IoT device sitting inside the network, part of your threat model already is that these devices might be compromised.”
...and this may sound soothing for a second, but when you look at the potential attack surface you understand that this can really be "dramatic".
Often, when you are forced to mitigate at a sub-optimal level, the little nasty things tend to add up to a bunch of massive problems.
Managing the complexity of a given IT environment is one of the basics of IT operations. But when you throw a bunch of sub-par mitigations into the mix, you compound the trouble.
That's why more isn't more at all in many IT environments.
I have always tried to get the obvious low-hanging fruit out of the way as fast and thoroughly as possible.
The leaner and more up to date the environment, the easier it is to handle the things that "happen" to you when checking your threat maps.
However... check out the article on the flaws found in Cisco's CDP...
https://threatpost.com/critical-cisco-cdpwn-flaws-network-segmentation/152546/
So, what do you think? Is it OK to have a bunch of "old" mitigations you always have to consider with every step you make down the road? When is the point of "nah, clean redo" reached for you?
Shoot me a comment if you like!
Cheers!
Lucky
That phrase, that there is never a boring day in security matters, is something I personally quite believe; every day I read news of the discovery of new failures or vulnerability attacks on very different platforms.
Thank you for your comment!
Actually, this was the main reason I was so fascinated by InfoSec. I did a lot of IT operations/infrastructure projects/consulting before I got into this, and things had become a little less exciting every day. That won't happen any time soon in InfoSec ;-)
Cheers!
Lucky