By Ann Reist
Recently, much attention has been paid to the "Heartbleed" bug that is affecting millions of people worldwide. The recent Wall Street Journal article "Heartbleed Bug Found in Cisco Routers, Juniper Gear: Encryption Bug Affects Equipment That Connects to the Web" points out that companies like Amazon, Yahoo and Netflix were able to quickly fix the hole, but that a fix is not so easy for device manufacturers.
"Cisco and Juniper said the security flaw affects routers, switches and firewalls often used by businesses. These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said."
One of the primary concerns associated with equipment connected to the Web is the risk of hackers exploiting vulnerabilities. Device manufacturers like Cisco and Juniper would benefit from the ability to automatically send out software and firmware patches and updates to customers to mitigate potential security threats. Following is some guidance on how equipment manufacturers can be vigilant and mitigate the risks.
What device manufacturers can do to reduce the hacker risk and exposure from equipment that connects to the Web:
- For applications that sit at the operating system level, use tamper-resistant licensing code to help reduce hacks
- Invest the time to reverse engineer your embedded software on the device, make changes at the machine level if necessary, and strengthen your protection
- Ensure that the applications on your devices, mobile device management systems and other systems have an easy, automated mechanism for getting the latest security patches and updates out as fast as possible
- Encourage and incent your customers to register their devices
- Encourage and remind your customers to upgrade firmware or software on these devices
- Proactively monitor your devices for application issues
- Monitor and track patch levels so that producers are aware of their exposure, and make sure only authorized users are using your applications
- Send software and firmware patches and updates to your entitled customers using secure download URLs that expire
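
One way to build the expiring secure download URLs mentioned in the last item, shown as an added example that is not from the original article: the server signs the file path, the entitled customer ID and an expiry time with HMAC-SHA256, then rejects any link that is altered or past its expiry. The host name, key, parameter names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service would load this from a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"
BASE_URL = "https://downloads.example.com"  # placeholder host


def _signature(path, customer, expires):
    # Sign every field the server later trusts, so none can be altered.
    message = f"{path}\n{customer}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def make_download_url(path, customer, ttl_seconds, now=None):
    """Issue a link for one entitled customer, valid for ttl_seconds."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    query = urlencode({"customer": customer, "expires": expires,
                       "sig": _signature(path, customer, expires)})
    return f"{BASE_URL}{path}?{query}"


def verify_download_url(url, now=None):
    """Return (True, customer) or (False, reason)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        customer = params["customer"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _signature(parts.path, customer, expires)
    # Constant-time comparison; check the signature before trusting expires.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if (time.time() if now is None else now) > expires:
        return False, "expired"
    return True, customer
```

Because the customer ID is part of the signed message, each download can be logged against a registered customer, which also supports the patch-level tracking item above.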
Practical guidance for users of equipment connected to the Web:
- Make sure to review product documentation accompanying your device to understand any security recommendations
- Make sure to register your product to ensure your manufacturer can reach you in the event of a hacking incident
- If you think your device might have been hacked, contact your manufacturer immediately to receive necessary instruction
- If your device requires the creation of a user ID and password, follow manufacturers' recommendations regarding safe passwords