Digital Version of November/December 2014 Print Edition
Some common network vulnerabilities persist
By Michael Markluec
Browsing the daily news headlines, it is not surprising to read that yet another organization has suffered an IT security breach resulting in the theft of sensitive data. In fact, the increasing frequency of these attacks might lead some to conclude that they are inevitable, and that, despite the best efforts of network administrators and IT security personnel, these attacks can never be completely stopped.
While securing IT networks may often feel like a cat-and-mouse game in which IT security is constantly working to stay one step ahead of the hackers’ latest tricks, government agencies can avoid some basic vulnerabilities which we have found to be common among enterprise networks.
One of the most common vulnerabilities is the incorrect or incomplete deployment of Intrusion Prevention / Detection Systems (IPS/IDS). In the majority of cases, the organization had not realized that a network segment in question existed or could be accessed without network traffic first passing through the IPS / IDS. To avoid this vulnerability, IT organizations need a comprehensive security strategy that includes technology which can proactively map the network and identify overlooked segments so they can be incorporated into the IPS / IDS system.
Related to the issue of poor deployments of IPS/IDS is the failure of vulnerability management (VM) tools to discover and probe all devices on all segments of a network. Many organizations have deployed VM tools to probe each device connected to the network, assuming that the tools can find all existing networks. In reality, vulnerability management tools, when used without network discovery technology, only evaluate devices for which an IP address can be obtained from a domain name server, or manually from the user of the tool. In addition to this limitation, VM tools do not identify the network perimeter or analyze connectivity to other networks. The risk is that, if a device is not included in the domain name server and the user is not aware of its existence, the device remains unknown, unmanaged and unsecured.
Non-traditional IP devices pose another potential vulnerability, because they go far beyond the routers, printers and desktops of the past. Today, they include smart phones, point-of-sale (POS) devices and medical equipment, all of which generally require an IP address and network connectivity to function properly. As endpoints on enterprise networks, however, they often go unmanaged or unsecured and can potentially be exploited as unmanaged points of entry to the network.
Surprisingly, there are often many devices on an enterprise network which continue to respond to default credentials. For instance, a 2009 data breach investigations report by Verizon Business indicates that “more criminals breached corporate assets through default credentials than any other single method in 2008.” The same report found that “51% of the victims [of data breaches] were using vendor default passwords on systems that handle sensitive data.” External attacks exploit these vulnerabilities and gain access to networks through these weakest points of entry. Once an attacker gains access through SNMP, it’s possible to impersonate a trusted system, essentially operating “under the radar” to intercept sensitive data transmissions and even redirect network traffic -- often without triggering an alert from the existing security mechanisms because the unmanaged connection goes undiscovered in the absence of comprehensive, active network discovery. As a matter of policy, network administrators need to ensure that the vendor default passwords are changed on every device.
Unauthorized wireless access points (WAPs) present another common source for network vulnerabilities. Wireless devices are an increasingly essential part of the way companies operate in remote offices and retail locations, but if not properly secured, they can provide unrestricted access to the larger network infrastructure. Network security tools that only look at a fixed range of network addresses frequently miss rogue WAPs operating outside the expected IP address range and, therefore, can only be detected by network discovery tools capable of finding and identifying every point of access into or out of a network.
The presence of these common vulnerabilities demonstrates that enterprise networks would benefit from the addition of solutions that discover all devices, network segments and connections that ensure the security tools currently implemented on those networks have been properly configured.
Michael Markulec is chief operating officer of Lumeta, makers of IPsonar, a network discovery, mapping and network leak detection solution. Markulec can be reached at: