Top Three Network Vulnerability Findings
Here at BNN we have been performing network scanning services for our clients for two years: long enough to get a sense about trends and observations in the marketplace. We have worked with many different clients in different industries, different geographic areas, and with differing tolerances for risk – big clients, smaller clients, clients who pride themselves on their technical savvy, and clients who pride themselves on their lack of technical savvy. Surprisingly (or sadly), we find the same issues time and again. They are predictable, and likely the same topics we would have seen 10 years ago.
In no particular order, here list of the top three findings in recent vulnerability assessments:
- Mystery boxes: No, these aren’t presents, and they aren’t happy surprises. These are the networked devices we invariably see that are a “mystery” to IT: They aren’t known, nobody knows how they got there, and nobody knows how long they have been connected. While often not malicious, these are the items we see early in the process that cause a lot of scrambling as IT tries to find them and determine how they were connected to the network and when. Good Acceptable Use policies can help remind users of their responsibilities to control what connects to the network. The same goes for port-detection monitoring tools, or system controls that block unauthorized access by port or MAC address. Also, never underestimate the value of walking around your environment to see what is out there; I can tell you from experience that it can be an informative exercise!
- Missing patches: With the advent of automated patch control systems (WSUS, etc.), this is one area I would expect to be vastly improved, but in practice, no. Patches may be downloaded but not applied. Patching may be fine for Windows, but not for Java. Open source software may exist exactly how it was installed in 1999, without the benefit of updates. Nobody wants to suffer through a security incident for want of a readily available patch to address a well-known issue. If you have systems that perhaps are no longer supported but need to remain online for some reason, know the risk, and make sure management understand the risk as well. Make sure your patching regimen is strong and reviewed; never assume that things will work indefinitely. Again from experience I have seen that systems break and continuity is never assured!
- “Rogue apps”: I think of these as similar to “user-generated content” – applications that were installed by users to fit a need at a particular time, without IT input or support. These may be apps or services; increasingly, we see both. “Rogue apps” are similar to “mystery boxes,” often missing any updates since initial installation. In environments without strong local administrator controls to prevent anyone from downloading and installing apps, this can be a big, big problem. Obviously, the best practice is to prevent these in the first place, through education and policy, and also through periodic scanning. If your users can install Google Toolbar, assume that they can download something more malicious as well!
While this is supposed to be a ‘Top 3’ list, there is one more observation we can’t ignore: the problem of poor network hygiene. This includes system accounts that are active, but no longer used; IT using the admin account as a service account; and failure to delete unused accounts and services for no sound reason. Don’t be lazy! Good practices yield good results; tackle the easy stuff and leave plenty of time for the real challenges you will face.
If you have any questions regarding potential network vulnerabilities, please contact your BNN advisor at 1.800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.