IT industry needs to tighten up VPN security, says report

The IT industry is the most vulnerable sector to network attacks, particularly through their Virtual Private Network VPNs, according to new research.

The IT industry is the most vulnerable sector to network attacks, particularly through their Virtual Private Network VPNs, according to new research.

Although most organisations have taken steps to prevent high-level attacks, they are still open to medium and low-level attacks on their data, said the report from NTA Monitor, an internet security testing company.

The NTA Monitor’s 2006 VPN Security Report examined charity, finance, government, IT, manufacturing and utilities sectors.

Of the IT organisations tested, nine vulnerabilities on average were found in each organisation. Most of these were classified as low-level risks, but these are not without danger. “The lower risk vulnerabilities will allow attackers to gain valuable information, which combined with other vulnerabilities, can lead to a denial of service attack or let hackers view and use confidential data,” said the report.

However, the number of medium risks identified for the IT industry was above average. Medium risks are vulnerabilities that could allow external attackers to disrupt VPN services; or permit users to obtain unauthorised access to the network.

Compared with the other sectors, the majority of medium risk security vulnerabilities in the IT sector centred on Internet Key Exchange (IKE) Phase-1 issues. These refer to the way that security encryption and certification is set up when using IPSec-based VPNs. The most frequently discovered IKE Phase-1 issues related to weak encryption.

Roy Hills, technical director at NTA Monitor, said, “There is a certain kudos attached to infiltrating companies in the technical arena, making the IT industry a very attractive target to attackers. It’s worrying that organisations that many would assume to be the safest do in fact appear to be the most vulnerable.”

Hills added, “These findings indicate that not only do IT organisations need to tighten their policy on IT security housekeeping and its implementation, but also that they need to act on flaws as they are discovered to minimise the risk of attack.”

The report’s recommendations include operating VPN connections through a dedicated VPN system, rather than a firewall, and improving encryption and authentication methods.

Network security recommendations

  • Invest in regular independent network perimeter testing
  • Educate and train your staff on Internet security issues
  • Have a clear, publicised and up to date security policy
  • Configure all systems to a standard security design
  • Maintain awareness of latest threats, flaws and countermeasures
  • Allocate sufficient time and effort to prevent security flaws at all levels
  • Use security SLAs when choosing new Internet or managed service providers

Source: NTA Monitor


Read more on IT risk management