Network gear firmware patched
Demonstrate that network infrastructure devices are identified, tracked, and updated with vendor-supplied firmware patches in a timely manner according to documented procedures.
Description
What this control does
Network gear firmware patching ensures that routers, switches, firewalls, wireless access points, and other network infrastructure devices run current, vendor-supported firmware versions with known vulnerabilities remediated. Organizations maintain an inventory of network devices, track vendor security advisories, test firmware updates in non-production environments, and deploy patches according to a risk-based schedule. This control reduces the attack surface of network infrastructure, which is often targeted for lateral movement, man-in-the-middle attacks, and persistent access.
Control objective
What auditing this proves
Demonstrate that network infrastructure devices are identified, tracked, and updated with vendor-supplied firmware patches in a timely manner according to documented procedures.
Associated risks
Risks this control addresses
- Exploitation of publicly disclosed vulnerabilities in unpatched network device firmware by external attackers to gain initial access or establish persistence
- Compromise of routing, switching, or firewall devices enabling adversary-in-the-middle attacks, traffic interception, or redirection
- Deployment of malicious firmware or backdoors on vulnerable devices leading to covert data exfiltration or command-and-control channels
- Denial of service attacks exploiting firmware flaws causing network outages and business disruption
- Lateral movement within networks using compromised infrastructure devices as pivot points to access internal systems
- Regulatory non-compliance and audit findings due to failure to maintain secure configurations and patch critical infrastructure
- Loss of vendor support and inability to receive security updates for end-of-life network equipment
Testing procedure
How an auditor verifies this control
- Obtain the current network device inventory including make, model, serial number, location, and current firmware version for all routers, switches, firewalls, load balancers, and wireless access points.
- Review the documented firmware patch management policy and procedures, including responsibility assignment, patch evaluation criteria, testing requirements, deployment timelines, and rollback processes.
- Select a representative sample of network devices across different device types, criticality levels, and network segments for detailed testing.
- For each sampled device, access the management interface or console and verify the running firmware version against the vendor's latest stable or security-recommended release.
- Compare the installed firmware versions to vendor security advisories and CVE databases to identify any unpatched critical or high-severity vulnerabilities.
- Review change management records for the past 12 months to verify firmware updates were evaluated, tested, approved, and deployed according to policy timelines.
- Interview network operations staff to confirm awareness of firmware update procedures, vendor notification subscription processes, and emergency patching protocols.
- Test access controls and privilege management for firmware update processes to ensure only authorized personnel can deploy firmware changes to production network devices.
Where this control is tested