IT industry most vulnerable to attacks through VPNs, says report

The IT industry is the most vulnerable sector to network attacks, particularly through virtual private networks (VPNs), according to new research.

The IT industry is the most vulnerable sector to network attacks, particularly through virtual private networks (VPNs), according to new research.

Although most organisations have taken steps to prevent high-level attacks, they are still open to medium and low-level attacks on their data, said the report from NTA Monitor, an internet security testing company.

The NTA Monitor's 2006 VPN Security Report examined the security of the charity, finance, government, IT, manufacturing and utilities sectors.

Of the IT organisations tested, an average of nine vulnerabilities  were found in each. Most of these were classified as low-level risks, but these are not without danger.

"The lower-risk vulnerabilities will allow attackers to gain valuable information which, combined with other vulnerabilities, can lead to a denial of service attack or let hackers view and use confidential data," said the report.

However, the number of medium-level risks identified for the IT industry was above average. Medium-level risks are vulnerabilities that could allow external attackers to disrupt VPN services, or permit users to obtain unauthorised access to the network.

Compared with the other sectors, most medium-risk security vulnerabilities in the IT sector centred on Internet Key Exchange Phase-1 issues.

These refer to the way that security encryption and certification is set up when using IP security-based VPNs. The most frequently discovered Internet Key Exchange Phase-1 problem related to weak encryption.

Roy Hills, technical director at NTA Monitor, said: "There is a certain kudos attached to infiltrating companies in the technical arena, making the IT industry a very attractive target to attackers. It is worrying that organisations many would assume to be the safest do appear to be the most vulnerable."

He added, "These findings indicate that not only do IT organisations need to tighten their policy on IT security housekeeping and its implementation, but that they also need to act on flaws as they are discovered, to minimise the risk of attack."

The report's recommendations include operating VPN connections through a dedicated VPN system, rather than a firewall, and improving encryption and authentication methods.

Network security recommendations

  • Invest in regular independent network perimeter testing
  • Educate and train your staff about internet security issues
  • Have a clear, publicised and up-to-date security policy
  • Configure all systems to a standard security design
  • Maintain awareness of latest threats, flaws and preventative measures
  • Allocate sufficient time and effort to enable prevention of security flaws at all levels
  • Use security SLAs when choosing new internet or managed service providers

Source: NTA Monitor

Read more on IT risk management