Don't overlook medium-risk flaws, firms warned

UK companies are getting better at eliminating high-risk vulnerabilities from their networks, but are slackening off when it comes to medium-risk security holes, according to a security audit carried out by NTA Monitor.

The audit, based on nearly 500 regular network perimeter security tests, found that a third of networks had at least 10 flaws, opening them to "considerable risk of malicious attack", the report said.

"The people who go to the trouble and expense to commission penetration tests are probably in the upper quartile of secure sites," said NTA technical director Roy Hills. He likened the situation to locking the front door and turning the burglar alarm on, but leaving the windows open and forgetting to latch the back gate.

The proportion of critical vulnerabilities has dropped: they were found in only 3.9% of tests, down from 21% in 2001 and 6% in 2003. But more medium and low-level holes appeared this year, rising from 73% last year to 74% this year.

As companies become more efficient at keeping high-profile flaws under control, the presence of more routine problems will become more important, NTA said, with hackers looking for the easiest route of entry.

NTA also believed that virtual private networks are likely to become more of a focus for attackers, which could prove serious, since network managers are under the mistaken impression that VPN servers are less vulnerable than web or e-mail servers.

"There are a lot of VPN vulnerabilities around, but there's a perception out there that because they use strong security, VPNs are invulnerable," said Hills.

NTA defines a critical flaw as one that is well known and gives an attacker control of a system on its own. Medium-level flaws may provide attackers information that could be used to mount a successful attack, could be used in combination with other flaws to gain control of a network, or could allow denial-of-service attacks.

For example, NTA routinely found problems in the way routers were configured, usually routers outside the firewall connecting the company to its ISP. An attack on such a device would not allow access to a network, but could knock the company offline. "If you go back five or 10 years that would not necessarily be a terrible thing, but the net is more business-critical now," Hills said.

Companies cannot afford to allow medium-level vulnerabilities to hang around, Hills said, particularly as the general level of security is constantly rising. "You need to be at least average on security. If you fall below the average, you're going to present a more attractive target."

VPNs can often create a security issue because they are not considered to be vulnerable. Almost every VPN the company has tested was found to have vulnerabilities, and attackers are known to scan for VPN systems, Hills said.

"It is common for customers to say, 'We know our VPN is secure, but we'd like you to test it anyway.' People are surprised when we say we've got user names, received a hash from the VPN server, cracked it and entered the system."

VPN servers also make attractive targets because a successful exploit gives the attacker full access to a company's internal network, behind the firewall. "Normally, even if you breach an e-mail or web server, it's going to put you into a DMZ, not on the internal network," Hills said.

Matthew Broersma writes for