Cisco Device Configuration Updates

In recent incidents, CISA has observed malicious cyber actors exploiting system configuration files by taking advantage of available protocols or software on devices, such as misusing the legacy Cisco Smart Install feature. CISA strongly advises organizations to disable Smart Install and consult the NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration best practices.

Additionally, CISA continues to encounter weak password types being used on Cisco network devices. A Cisco password type refers to the algorithm used to secure a device’s password within a system configuration file. Weak password types are vulnerable to password cracking attacks, potentially giving threat actors easy access to system configuration files. This access can lead to the compromise of victim networks. To mitigate this risk, organizations must ensure that all passwords on network devices are stored with robust protection.

CISA recommends using Type 8 password protection for all Cisco devices to secure passwords within configuration files. Type 8 password protection is more secure than other types and is endorsed by NIST. CISA urges organizations to review the NSA’s Cisco Password Types: Best Practices guide and follow these best practices for securing administrator accounts and passwords:

  • Store passwords using a strong hashing algorithm.
  • Avoid reusing passwords across systems.
  • Ensure passwords are strong and complex.
  • Refrain from using group accounts that lack accountability.
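To check a saved configuration against the Type 8 recommendation above, the following added example (not part of the CISA or NSA guidance) lists each stored credential with its password type and flags any entry that is not Type 8. The sample configuration, its placeholder hashes and the function names are constructed for illustration, and the script assumes credentials appear on `enable`, `username` and line-level `password` lines.

```python
RECOMMENDED_TYPE = 8  # the type the advisory recommends

# Constructed sample config; hashes and passwords are placeholders.
SAMPLE = """\
hostname lab-sw1
service password-encryption
enable secret 5 $1$CONSTRUCTED$placeholderplaceholder00
username admin privilege 15 secret 8 $8$CONSTRUCTED$placeholder
username backup password 7 0000CONSTRUCTED
username legacy password ExamplePlaintext
line vty 0 4
 password 7 0000CONSTRUCTED
"""

def audit_config(text):
    """Return one finding per stored credential, never echoing the secret."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] not in ("enable", "username", "password"):
            continue
        # On "username NAME ..." lines skip NAME so a user named "secret" is safe.
        start = 2 if tokens[0] == "username" else 0
        kw = next((i for i in range(start, len(tokens))
                   if tokens[i] in ("password", "secret")), None)
        if kw is None or kw + 1 >= len(tokens):
            continue
        rest = tokens[kw + 1:]
        # A leading digit followed by data is the type; with no digit the
        # value is stored exactly as typed (Type 0, cleartext).
        ptype = int(rest[0]) if len(rest) >= 2 and rest[0].isdigit() else 0
        account = {"enable": "enable", "username": tokens[1]}.get(tokens[0], "line")
        findings.append({"line": lineno, "account": account,
                         "type": ptype, "ok": ptype == RECOMMENDED_TYPE})
    return findings

def needs_rehash(findings):
    """Credentials not stored with the recommended type."""
    return [f for f in findings if not f["ok"]]

if __name__ == "__main__":
    for f in audit_config(SAMPLE):
        status = "ok" if f["ok"] else "REVIEW"
        print(f"line {f['line']:>3}  {f['account']:<8} type {f['type']}  {status}")
```

The output deliberately omits the hash or password text, so the report can be shared without exposing the stored values.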
