I was reviewing the most recent SANS @RISK Consensus Security Vulnerability Alert and it reminded me of how easy it is to get caught up in the big stuff and overlook the seemingly innocuous when performing Web security assessments.

The @RISK alert lists 69 unique Web-related flaws across numerous platforms. The flaws run the gamut from cross-site scripting to SQL injection to directory traversal to local file inclusion. Sure, some – perhaps many – of these issues are likely not a big deal in the grand scheme of things. But do you know for sure?

One thing I’ve seen over the years is people performing – or scoping for – assessments of their main (often external-facing) Web sites and applications and stopping there. After all, the “less important” sites and applications don’t really house anything of value. Add to that the fact that many of these systems are only accessible via the internal network where, supposedly, no one’s going to exploit them.

Don’t get me wrong. I’ll be the first guy to recommend that you focus on the most urgent vulnerabilities in your most important systems. Many organizations have yet to reach that level of security insight and maturity. And unless and until they do, focusing on the low-hanging fruit is going to have the highest payoff. However, for many others who have things under control, it may be time to take the next step and see what else in your environment is creating risk. This means scanning your entire network – both inside and out – for Web-based systems you might have overlooked. Acunetix Web Vulnerability Scanner’s Target Finder tool is great for this. You’ll likely be surprised at what you find.

On any given network there are often several dozen Web-based systems beyond the highly-visible ones. Think about it – there’s a Web interface on practically everything these days including:
• Firewalls
• Network switches
• Wireless APs
• Physical security/data center control systems
• CCTV surveillance systems
• VoIP phones and call managers
• SAN and NAS-based storage systems
• Copiers and printers

…and so on – all of which are sitting on your network waiting to be poked and prodded by an external attacker or rogue insider. A look at the SANS @RISK and similar vulnerability alerts shows that vulnerabilities do indeed exist on these odd systems.
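As an added example (not from the original article and not any scanner vendor's code): once a discovery sweep of your own network has recorded which hosts answer with HTTP, a short script can list the Web interfaces that fall outside the current assessment scope. The hosts, banners and scope range below are constructed sample values.

```python
import ipaddress
import re

# Constructed sample: (host, port, first bytes received) as a discovery sweep
# of your own address space might record them. All values are made up.
DISCOVERED = [
    ("203.0.113.10", 443, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Customer Portal</title>"),
    ("10.20.0.5", 80, b"HTTP/1.1 200 OK\r\nServer: ExamplePrint/2.1\r\n\r\n<TITLE>Printer Status</TITLE>"),
    ("10.20.0.9", 8080, b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Camera Admin"\r\n\r\n'),
    ("10.20.0.14", 443, b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"),
    ("10.20.0.30", 22, b"SSH-2.0-ExampleSSH\r\n"),  # not HTTP, must be skipped
]
IN_SCOPE = ["203.0.113.0/28"]  # constructed: ranges the assessment already covers


def describe(raw):
    """Parse a raw response head; return status/server/label, or None if not HTTP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not status:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Prefer the page title; fall back to the Basic-auth realm, which is often
    # the only hint of what an embedded device is.
    title = re.search(rb"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    realm = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    label = title.group(1).decode("latin-1").strip() if title else realm.group(1) if realm else ""
    return {"status": int(status.group(1)), "server": headers.get("server", ""), "label": label}


def unassessed(discovered, in_scope):
    """Return the HTTP listeners whose address is outside every in-scope range."""
    nets = [ipaddress.ip_network(n) for n in in_scope]
    gaps = []
    for host, port, raw in discovered:
        info = describe(raw)
        if info is None or any(ipaddress.ip_address(host) in n for n in nets):
            continue
        gaps.append((host, port, info["status"], info["server"], info["label"]))
    return gaps


if __name__ == "__main__":
    for row in unassessed(DISCOVERED, IN_SCOPE):
        print(*row, sep="\t")
```

Each row it prints is a Web interface nobody has assessed yet, which is the list to feed into the scan and manual review.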

The question is: do you know how secure these systems are on your network? Could a Web exploit on a seemingly unimportant system expose sensitive information or lead to further system penetration? Odds are in your favor that there’s not much to be concerned with. The only way you’ll know for sure is to scan these systems and perform a manual analysis to verify for yourself.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.
