Cisco has updated numerous security advisories to include exploitation warnings. Some of the vulnerabilities that are being actively exploited were patched four or even five years ago. Cisco is urging users to update to patched versions of its products.
- There is no compliance regime or regulation that will give safe harbor to vulnerabilities of CVE severity 9.8 that have gone unpatched for years. If you have some obstacle that has prevented you from patching your Cisco products, show management any of the dozen or so NewsBites pieces we’ve published this year documenting large/business-significant fines levied on organizations that allowed customer data to be at risk due to lack of essential security hygiene such as patching high severity vulnerabilities.
- A finding of failure to employ reasonable data security measures has been used in recent court cases in both PA and NY. A lack of patching critical vulnerabilities falls within this finding. A standard of reasonableness is emerging that speaks to basic cyber hygiene as a test of reasonable security measures – fail the test, be held accountable by the court.
- Make sure you’re patching ALL your Cisco gear. Don’t overlook items “in the field.” While you’re at it, make sure you haven’t overlooked lifecycle replacement planning.
Read more in