CISA has officially issued Binding Operational Directive (BOD) 23-02, the first BOD of 2023. The directive aims to secure misconfigured networked management interfaces – “a dedicated device interface that is accessible over network protocols and is meant exclusively for authorized users to perform administrative activities on a device, a group of devices, or the network itself.”
BOD 23-02 focuses on mitigating risks from internet-exposed management interfaces. This increased focus on the security of an agency’s connected assets is encouraging. Knowing these assets exist is critical, but the next step is having a deep level of intelligence about each device, and the dependencies and interactions between all devices. This helps expose vulnerabilities within an environment.
Within the directive, CISA breaks down how it defines a ‘networked management interface.’ But regardless of how CISA defines these assets, it’s critical that agencies understand network-connected assets include a range of technologies (hardware and software), such as IT, OT, cloud, ICS, and more.
Further, there are two main categories under this umbrella of connected assets – those that are managed and those that are unmanaged. Managed assets, like PCs and mobile devices, have a managed security agent already installed. Unmanaged assets, such as security cameras and HVAC systems, have internet connectivity and operate on agency networks, but have no managed security agent.
The number of unmanaged assets alone is projected to surpass 50 billion devices by 2025, so it’s critical that agencies and security teams gain full asset visibility into these more “hidden” assets alongside managed assets, given the extended attack surface created by these technologies. If left unchecked, unmanaged devices create visibility gaps and blind spots in the network, ultimately introducing opportunities for exploitation and business impact.
These concerns are anchored in recent real-world events, as we’ve seen an increase in attacks and reported vulnerabilities. For example, a number of federal agencies recently fell victim to cybercriminals’ exploitation of the MOVEit Transfer tool vulnerability. Censys also revealed that hundreds of devices on federal networks are still in direct violation of this new BOD. These issues further underscore the urgent need to conduct investigations to fully account for all assets on agencies’ networks.
With each new initiative and directive over recent years, the Government has continued to lay the groundwork for the continuous monitoring of federal computer systems and the improved mitigation of vulnerabilities discovered. At Armis, we applaud these moves and look forward to supporting our federal clients in reaching compliance. The Armis Asset Intelligence and Security Platform helps government agencies meet the requirements of BOD 23-02 almost immediately.
You can’t protect what you can’t see. One hundred percent visibility is essential for fully understanding – and securing – an agency’s total and growing attack surface.