New to -02: Software/OS Install, Authorized Access Recovery
2.4.5 Support Software Installation
Requirement. The device MUST provide a means to install new software
versions. It MUST be possible to install new software while the
device is disconnected from all public IP networks. This MUST NOT
rely on previous installation and/or configuration.
Justification.
* Vulnerabilities are often discovered in the base software
(operating systems, etc.) shipped by vendors. Often mitigation
of the risk presented by these vulnerabilities can only be
accomplished by updates to the vendor supplied software (e.g.
bug fixes, new versions of code, etc.). Without a mechanism to
load new vendor supplied code, it may not be possible to
mitigate the risk posed by these vulnerabilities.
* It is also conceivable that malicious behavior on the part of
hackers or unintentional behaviors on the part of operators
could cause software on devices to be corrupted or erased. In
these situations, it is necessary to have a means to (re)load
software onto the device to restore correct functioning.
* It is important to be able to load new software while
disconnected from all public IP networks because the device may
be vulnerable to old attacks before the update is complete.
Examples.
RS-232 The device could support uploading new code via an RS232
console port.
CD-ROM The device could support installing new code from a locally
attached CD-ROM drive.
NETWORK The device could support installing new code via a network
interface, assuming that (a) it is disconnected from all public
networks and (b) the device can boot an OS and IP stack from
some read-only media with sufficient capabilities to load new
code from the network.
Warnings. None.
2.12.15 Support Recovery Of Privileged Access
Requirement. The device MUST support a mechanism to allow authorized
individuals to recover full privileged administrative access in
the event that access is lost. Use of the mechanism MUST require
physical access to the device. There MAY be a mechanism for
disabling the recovery feature.
Justification. There are times when local administrative passwords
are forgotten, when the only person who knows them leaves the
company, or when hackers set or change the password. In all
these cases, legitimate administrative access to the device is
lost. There should be a way to recover access. Requiring
physical access to invoke the procedure makes it less likely that
it will be abused. Some organizations may want an even higher
level of security and be willing to risk total loss of authorized
access by disabling the recovery feature, even for those with
physical access.
Examples. Some examples of ways to satisfy this requirement are to
have the device give the user the chance to set a new
administrative password when:
* The user sets a jumper on the system board to a particular
position.
* The user sends a special sequence to the RS232 console port
during the initial boot sequence.
* The user sets a "boot register" to a particular value.
Warnings. This mechanism, by design, provides a "back door" to
complete administrative control of the device and may not be
appropriate for environments where those with physical access to
the device cannot be trusted.
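As an added illustration, not text from the draft or any vendor's firmware, the following C model shows the boot-time gate a device could implement for 2.12.15: recovery is entered only on a physical trigger (jumper, boot register, or console sequence seen during the initial boot window), and the operator's disable flag refuses every trigger. The register value, break sequence, window length and field names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants; real devices choose their own. */
#define RECOVERY_BOOT_REGISTER 0x2142u  /* "boot register" value that requests recovery */
#define RECOVERY_BREAK_SEQ     "+++BREAK" /* special sequence on the RS232 console */
#define BOOT_WINDOW_MS         3000u    /* console sequence only counts this early in boot */

typedef struct {
    bool        recovery_disabled; /* operator opted out (2.12.15 MAY); persisted by firmware */
    bool        jumper_set;        /* system-board jumper sampled at reset */
    uint32_t    boot_register;     /* boot register value at reset */
    const char *console_rx;        /* bytes received on the console during boot, or NULL */
    uint32_t    console_rx_ms;     /* milliseconds since reset when those bytes arrived */
} boot_state_t;

typedef enum { BOOT_NORMAL, BOOT_RECOVERY, BOOT_RECOVERY_REFUSED } boot_decision_t;

/* True if any trigger that requires being at the device was observed. */
static bool physical_trigger_present(const boot_state_t *s) {
    if (s->jumper_set) return true;
    if (s->boot_register == RECOVERY_BOOT_REGISTER) return true;
    /* A console sequence after the boot window is ignored: later, the console
       may be reachable through a terminal server rather than by hand. */
    if (s->console_rx != NULL && s->console_rx_ms <= BOOT_WINDOW_MS &&
        strstr(s->console_rx, RECOVERY_BREAK_SEQ) != NULL)
        return true;
    return false;
}

/* Decide whether this boot offers the "set a new administrative password" path. */
boot_decision_t decide_boot(const boot_state_t *s) {
    if (!physical_trigger_present(s)) return BOOT_NORMAL;
    if (s->recovery_disabled) return BOOT_RECOVERY_REFUSED; /* log, then boot normally */
    return BOOT_RECOVERY;
}

int main(void) {
    boot_state_t jumper  = { false, true,  0, NULL, 0 };
    boot_state_t refused = { true,  false, RECOVERY_BOOT_REGISTER, NULL, 0 };
    boot_state_t late    = { false, false, 0, "+++BREAK", 5000 };
    printf("jumper=%d refused=%d late=%d\n",
           decide_boot(&jumper), decide_boot(&refused), decide_boot(&late));
    return 0;
}
```

A device that returns BOOT_RECOVERY_REFUSED should still record the attempt, since a trigger with recovery disabled indicates someone had physical access.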