Your network security is just as important as securing your web site and related applications. Networks, because of the sensitive data they usually give access to, are one of the most targeted public faces of an organization.
Here are the top 5 network security vulnerabilities that are often omitted from typical reviews, and some tips to avoid making the same mistakes.
Network Security Omission #1:
All it takes for an attacker, or a rogue insider, is a missing patch on a server that permits an unauthenticated command prompt or other backdoor path into the web environment. Sure, we have to be careful when applying patches to servers but to not apply patches at all (I often seen missing patches dating back 10+ years) just makes it too easy.
Solution: Follow network security best practices by updating your operating system and any other software running on it with the latest security patches. Too many incidents occur because criminal hackers take advantage and exploit un-patched systems.
Network Security Omission #2:
Weak or default passwords
Passwords shouldn’t even be part of a network security vulnerability discussion knowing what we now know. However, many web applications, content management systems, and even database servers are still configured with weak or default passwords. Who needs file inclusion or SQL injection when the file system or database can be accessed directly?
Solution: Change and test for weak passwords regularly and consider using a password management tool. Implement intruder lockout after a defined number of failed login attempts.
Network Security Omission #3:
Misconfigured firewall rulebases
One of the biggest, most dangerous, assumptions is that everything is well in the firewall because it’s been working fine. Digging into a firewall rulebase that has never been analyzed will inevitably turn up serious configuration weaknesses that allow for unauthorized access into the web environment. Sometimes it’s direct access while other times it’s indirect from other network segments including Wi-Fi – parts of the network that may have been long forgotten.
Solution: Start with your organization’s security policy; one that reflects the current situation and foreseeable business requirements. After all, your firewall rulebase is the technical implementation of this security policy. Review it regularly and keep it relevant. OWASP provides some good guidance on building operational security guides.
Network Security Omission #4:
Phones, tablets, and unencrypted laptops pose some of the greatest risks to web security. Think about all the VPN connections, cached passwords in web browsers, and emails containing sensitive login information that you – and likely everyone else responsible for managing your web environment – have stored on mobile devices. The use of unsecured (and rogue) Wi-Fi via mobile devices is the proverbial icing on the cake.
Solution: Instill clear data management rules for all employees and make mandatory data encryption part of your security policy. This is becoming even more important with employees connecting their personal devices to the corporate network.
Network Security Omission #5:
USB Flash Drives
The dangers of these innocent-looking portable devices have been known for long enough. But still, all that Edward Snowden reportedly needed to walk away from the National Security Agency building with a cache of national secrets was a USB flash drive. USB drives are also one of the most common ways a network can get infected from inside a firewall.
Solution: Have clear security policies regarding personal storage devices including who can use them and in what places. Restrict the computers that can read USB flash drives and help prevent unauthorized access by encrypting the data as soon as it hits the device.
Whether accessible from inside or outside your network, these commonly-overlooked security vulnerabilities are likely putting your web environment at risk today. The smart approach to minimize your risks is to perform in-depth web vulnerability scans and manual analysis like you’ve been doing but also ensure that everything else that touches your web environment has been properly reviewed.
Even in hosted environments where sales and marketing reps are eager to hand over copies of their flawless SSAE 16 reports, you still have to dig deeper. The vulnerabilities are there. Given enough time, someone, somewhere will figure out a way to take advantage of them at the expense of your business. It’s better for you to find these weaknesses first so you can do something about them.
Don’t become complacent. Look at the bigger picture. There’s more to web security than meets the eye.