Reducing your attack surface is more effective than playing patch-a-mole

On June 13, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02. BOD 23-02 is titled Mitigating the Risk from Internet-Exposed Management Interfaces, and requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet, or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.

Harsh as that may sound, there is a lot to be said for the strategy of shielding management interfaces from public internet access, or if that’s not an option, to apply every possible access control to make sure that only authorized people have access to the management part of the application.

As we have experienced a few times, applying timely patches is absolutely no guarantee you’ll be safe. Take for example the recent MOVEit vulnerability that was used against hundreds of victims before anyone even became aware of the fact that the vulnerability existed.

And new vulnerabilities are disclosed at a worrying rate. To demonstrate that point, here’s a quick roundup of the ones I looked at just yesterday.

  • Researchers discovered two dangerous vulnerabilities with Azure Bastion and Azure Container Registry that could allow attackers to achieve cross-site scripting (XSS), injecting malicious scripts into trusted websites. Exploitation of the vulnerabilities could have potentially allowed hackers to gain access to a target’s session within the compromised Azure service.
  • Zyxel warned its NAS (Network Attached Storage) devices users to update their firmware to fix a critical severity command injection vulnerability. The newly discovered vulnerability, CVE-2023-27992, is a pre-authentication command injection problem that could allow an unauthenticated attacker to execute operating system commands by sending specially crafted HTTP requests.
  • VMWare published a security advisory about multiple vulnerabilities in Aria Operations for Networks. Of these vulnerabilities, CVE-2023-20887 was confirmed to be exploited in the wild. Successful exploitation would allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in remote code execution.
  • We reported about ASUS fixing nine security flaws in several router models. Among them were two critical vulnerabilities that could lead to memory corruption, and one vulnerability that could allow a remote unauthenticated attacker to achieve arbitrary code execution.

These are applications and services that we find in many organizations’ networks. Finding the vulnerable instances and applying the patches could be more than a day’s work in some cases.

But, a workaround that would have worked for many of the above is disablingor minimizing the internet facing access.

This supports the warning from CISA director Jen Easterly, who said:

“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise. Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”


In a nutshell, the recommendations from CISA to minimize your attack surface are:

  • Remove management interfaces from the internet by making them only accessible from an internal enterprise network. CISA recommends network segmentation to create an isolated management network.
  • Deploy capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself. In other words, don’t rely on the access control of the instance itself, once it’s vulnerable it could be easy to circumvent.

For more information, we encourage you to read the directive. While the primary audience for this document is FCEB agencies, other organizations may find the content useful.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.