The Top Five Biggest Network Vulnerabilities

Securing your network is key to securing systems, and so knowing where the biggest holes are and how to plug them is crucial.

May 23, 2005


The correct answer to the question "where is my network vulnerable to attack?" is "everywhere." To some extent, that's the nature of the Internet beast; if you have a door open to the world, then it's inevitable that someone will try to open it up. And there's a good chance that they're not doing it just to say hello.

Dan Ingevalson, the director of professional security services at Internet Security Systems, says that enterprises have gotten better at managing security vulnerabilities, but the increasing complexity of networks and network-borne applications makes perfect protection impossible. "There is always going to be some level of complexity in a network that will create a network security vulnerability," he says.

Having said that, some open doors are bigger and more common than others. A big part of maintaining network security, says Mark Curphey, senior director of consulting at Foundstone Services, a division of McAfee Inc., is knowing where these vulnerabilities are, and knowing how to plug them up.

Network edge devices: Though well-publicized, worms and viruses continue to be a common and, to some extent, under-appreciated network threat, says Yankee Group senior analyst Jim Slaby. "We haven't seen a really big, really pervasive worm like Blaster or Slammer in some time, but they are waiting in the wings," he says. "It's not that people are complacent, but the problem with worms is that they're zero-day exploits. Signature defenses only work against things that you've seen before, or someone has seen before you, and they proliferate quickly."

Although the high-profile worms of the last years have trained network security personnel to respond quickly and apply patches diligently, penetration tests still find perimeter holes --- big, gaping holes, according to Curphey. "You see border routers with their admin interfaces open, so people can manage them from home," he notes. "But so can anyone else."

One company left a particularly flagrant open door to its networked printers, despite locking down every other process with a virtual private network (VPN). "The reasoning was that people could print without having to deal with the VPN," Curphey says. "But the networked printers had IP addresses, making them a convenient and undefended jumping off point to the whole network."

Web servers and Web applications: The Web is usually the meeting point between the enterprise and the outside world, and it is here that many organizations leave themselves vulnerable. With Web servers sitting off the firewall in a demilitarized zone (DMZ), they can often be the ideal gateways to internal company processes, according to Curphey.

"Web servers without patches and passwords are frighteningly common," he says. "It's a lack of process, more than anything else. Organizations push these things out and someone forgets to update the software."

According to Ingevalson, three-quarters of hacker attacks are on Web servers, since "that's what's out there." This is particularly dangerous with the proliferation of Web applications.

"Some of the most serious vulnerabilities that we see are related to Web applications," he says. "Attacks have typically moved up into the application layer, and that's one of the hardest things to protect against because there's no one-size fits all solution. The danger, of course, is that Web applications typically connect attackers into your databases, and that can be a huge problem."

Unprotected mobile and off-site endpoints: Even with the edge devices and Web servers locked up, one of the most common oversights is the vulnerabilities that organizations bring inside their networks. Teenagers with zombie servers are becoming less of a threat and, as hacking becomes more criminal, Slaby says, the real hackers are finessing their ways into networks. "It's much tougher than it used to be to crack through externally-facing countermeasures," he says. "So the new tactic is to slip in on the coattails of trusted employees."

The problem is that many organizations have inadequate, or completely absent endpoint security policies and tools. While there are initiatives to plug this hole at the OS and NOS level, and a passel of products from startups, the pervasiveness of remote and mobile computing and the tardiness of organizations to adopt thorough compliance verification processes make this, in Slaby's words, "a major, coming problem."

Wireless networks: None of this is helped by the increasing prevalence of wireless networks. You just have to wander the streets of a big city like New York, opening your laptop in parks and cafes, to see how many unsecured wireless networks there are.

"Companies are pretty savvy, but it takes only one person to set up an access point," Curphey says. "Every office has a network jack and a Linksys wireless router only costs $90, or so, at Circuit City. Depending on where that access point is, it can be a big, big problem."

Indeed, Curphey says that unauthorized access point installations, where employees give themselves the greater flexibility of wireless networking, have become frighteningly common. "If it's on the corporate LAN, it bypasses the firewall and the VPN," he says. That can give network miscreants all the opportunity they need to slip in at an undocumented hotspot and wreak havoc.

Voice over IP: For all of the potential points of attack on enterprise networks, it's sobering to think that the technological push for Voice over IP [VoIP] has added one more. And it's a vulnerability whose scale we haven't even begun to consider.

"It's a vulnerability waiting to happen," Slaby says. "The only reason why we have seen more news of VoIP exploits is that the technology hasn't yet been that widely deployed."

But VoIP is picking up steam, and with it will come an amazing rash of attacks, Slaby says. "There are a ton of things waiting to happen," he says. "Because it's running on a data network, your IP phone system is vulnerable to all the same kinds of attacks as the rest of the network."

And it's vulnerable to a few more of its own, besides. Man-in-the-middle attacks, IP telephony spam (dubbed "spit" for "spam over IP telephone"), impersonation attacks to use the phone system for free or to steal personal information --- all of these will soon be commonplace if VoIP security doesn't match the pace of VoIP adoption.

"We'd better be shoring-up traditional data defenses before we depend on VoIP," Slaby warns. "But there isn't anywhere near the awareness that there needs to be. Just as Slammer and Blaster drove the intrusion prevention system market, I'm afraid that there's going to have to be something very big to raise awareness of VoIP security."
