The phrase I think you need to focus on in this article is “end of life”. The Cisco router in question was end of life and therefore no longer capable of receiving security updates or patches*. No level of diligence by downstream corporations or government agencies can defend against upstream entities running out of date and indefensible network components…or can they? A mandatory vulnerability scan or penetration test against the vendor network in question would have revealed this weakness.
Two pieces of advice this morning:
- Maintain your hardware and software investments. IT spends are not forever. Hardware must be updated on a regular basis based on manufacturer support standards. Software must be upgraded and regularly patched. Do not roll the dice. They always eventually come up snake eyes.
- Hold your vendors to a reasonable IT security standard. Require and review periodic testing. build enforceable language into your contracts and SLA’s. You are only as strong as the weakest link in your supply chain!
*Point of clarification – Thank you to @MrJeffMan for reminding me that “end of life” technically means that patches and updates are no longer being developed. Previously developed updates can be applied and special (often expensive) extended support options are often available for purchase.