He underscored the CISA and Cisco advice that to mitigate damage, an infected device must be physically disconnected from all power sources, including redundant ones, for at least one minute. This ‘cold start’ clears the volatile memory where the malware resides and disrupts its boot-time persistence.
In addition, Enderle said, network admins should modernize administrative controls by using the TACACS+ (Terminal Access Controller Access-Control System) protocol over TLS 1.3 for access control and authentication of users to network devices like routers, switches, and firewalls.
TACACS+ generally uses a dedicated TCP port, Enderle said, so any firewall rules will need to be updated to take that into account. Cisco devices will probably need the ISE 3.4 patch (or later) to assure that Identity Services Engine supports this protocol. Similarly, other vendors’ guidance should be consulted before switching to TACACS+ to assure interoperability.
