AusCERT: update your Cisco router OS now

The Australian Computer Emergency Response Team (AusCERT) is advising all organisations with Cisco routers to update to the latest version of the vendor's operating system after serious vulnerabilities were exposed in the software last week.

At the Defcon conference in Las Vegas last Wednesday, news broke about a vulnerability in Cisco Internetwork OS (IOS) that could allow attackers to gain control of, or shut down, vulnerable systems.

Jamie Gillespie, senior security analyst at AusCERT, told ZDNet Australia that the Cisco vulnerability affects the "core of the network and the Internet" and is dangerous because organisations are not in the habit of upgrading their router's operating system.

"This [vulnerability] affects basically the core of network and the Internet. A lot of people take the view that if [the router] is not broken, don't fix it; there is the possibility of a denial of service attack or code being executed on the router -- sometimes it takes a vulnerability such as this for people to update their [router] software," said Gillespie.

Jo Stewart-Rattray, director of information security at Vectra Corporation, said that organisations are "not prepared" to deal with a mass router upgrade because routers have not been the subject of an attack before.

"There is definitely a much more laissez-faire approach to patching routers [compared to PCs] because we have not had a major attack at that level before. There are a lot of companies out there using routers that are no longer supported and long past their use-by date," said Stewart-Rattray.

According to Stewart-Rattray, if hackers manage to create an exploit for the vulnerability exposed last week, organisations that have not upgraded could face "long outages".

"Because organisations have felt relatively safe with routing, [an attack] would assuredly cause extreme problems. Organisations are not prepared to deal with such an event. I think we could expect to see long outages in some cases because of a lack of preparedness," said Stewart-Rattray.

Robert McAdam, chief executive of security specialists Pure Hacking, said that "poor practice", such as not following upgrade schedules, is common.

"If a business is out of date with their patching, we generally find it on many machines, routers included. The security policy may be written, but it's not necessarily followed. This is poor practice and loops back to vulnerable systems," said McAdam.

Andy Solterbeck, general manager of security products in Asia Pacific for Senetas, said carriers and telcos are most at risk from a potential exploit because upgrading Cisco's router operating system can cause "real problems".

"The problem with the Cisco IOS is that it is monolithic code -- you cannot install components of code; you need to take it all. You need to update the complete code base -- for telcos this is a real problem. Because you cannot pick and choose a fix, you can end up installing new problems or undesired behaviours," said Solterbeck.

Solterbeck said that although Cisco is aware of this issue and is trying to fix it, it is a huge undertaking: "It would be interesting to ask [Cisco] when they thought this problem would be resolved," he said.

When asked about this specific problem, Cisco refused to comment.


Talkback 1 comments

  1. Wrong Craig S Wright -- 04/08/06

    The idea that companies are "'not prepared' to deal with a mass router upgrade because routers have not been the subject of an attack before" is blatantly wrong. Routers have been a focus of attacks for years - well over a decade.

    There have been large-scale warnings from Cisco; they have been in the press often and they have featured in Blackhat conferences. This is nothing new.

    Most firms cannot patch the OS; they have little talent or skill to manage the network and thus these are missed. With large-scale DoS and DDoS attacks starting in the late 90's and other attacks based on trusted addressing that the router may share, router attacks are not new and are not unknown.

    The issue comes to resourcing. If a firm cannot even define the roles on the core financial applications correctly, as most cannot, the router is going to be one of their last concerns.

    Craig

