New kinds of cyberattacks on networks keep appearing, but the basics stay generally the same. Understanding the broad categories helps you keep track of the bewildering variety of tricks criminals use to break into networks. New application vulnerabilities keep turning up, but exploitable bugs have always existed. Schemers devise crafty social engineering tricks, but human carelessness and credulity were facts of life long before computers. A grasp of the big framework of network vulnerabilities helps you understand where every new threat fits in.
Penetration testing is an important part of guarding against network vulnerabilities. RedTeam Security experts know the latest tricks and can find out if your network's defenses can hold them off. For a free consultation, call us today at 612-234-7848.
At the broadest level, network vulnerabilities fall into three categories: hardware-based, software-based, and human-based.
Any device on a network could be a security risk if it's not properly managed. Routers and security appliances are the front lines of defense, but they require proper use to work well. They need periodic firmware upgrades, and they should be replaced if patches are no longer available. Devices which IT management doesn't know about pose a risk.
One of the surest ways to break into a network is to gain unsupervised physical access to its devices. It doesn't take long to install malware on one of them. The intruder can download code from a prearranged location or copy it off a USB device.
The intruder can use the installed application as a backdoor or spyware. It can log keystrokes, attach itself to a logged-in account, or monitor internal traffic.
Personal physical access isn't strictly necessary. Criminals have mailed malicious USB drives as "gifts" to potential victims. Once they're plugged in, they go to work installing malware.
Laptops, smartphones, and tablets are subject to theft. If a stolen device automatically connects to a VPN, it gets the thief inside the network. Any device which regularly leaves the office should be encrypted and have strong password protection.
A network's firewall is its first line of defense. It can be a separate box, part of the router, or a virtual device. It should open ports for incoming access only where that access is intended. Default configurations sometimes install unnecessary services. Unknown, unmanaged services are security risks. Most machines on a network have no need to run a server, and they shouldn't be able to.
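One way to check a host for the unmanaged services this paragraph warns about is to compare its listening sockets against a short allowlist. This is an added example, not code from the original article: the `ss -tulnH`-style lines and the allowlist are constructed assumptions, and only wildcard binds (reachable from the network) are flagged, while loopback-only services are ignored.

```python
"""Flag listening services that are exposed to the network but not approved.

Added example, not from the original article. The sample `ss -tulnH` output
and the ALLOWED set are constructed for illustration.
"""
from typing import List, Tuple

# Constructed sample in the shape of `ss -tulnH` (no header, numeric ports):
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Services this workstation is allowed to expose to the network (assumption).
ALLOWED = {("tcp", 22)}

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARDS = {"0.0.0.0", "[::]", "*"}


def parse_ss(output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_address, port) for each socket line."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles [::]:22 and 0.0.0.0:22
        sockets.append((proto, addr, int(port)))
    return sockets


def unexpected_listeners(output: str, allowed=ALLOWED) -> List[Tuple[str, str, int]]:
    """Sockets bound to all interfaces whose (proto, port) is not approved.
    Loopback-only binds are skipped: they are not exposed to the network."""
    return [s for s in parse_ss(output)
            if s[1] in WILDCARDS and (s[0], s[2]) not in allowed]


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unapproved listener: {proto} {addr}:{port}")
```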
A good firewall blocks traffic from blacklisted IP addresses and mitigates DDoS attacks. Many network managers have moved beyond traditional firewalls to web application firewalls (WAFs), which recognize attack patterns and block such requests. They can keep out SQL injection attempts, cross-site scripting, and other attacks. They're also known as next-generation firewalls.
One firewall isn't always enough. Networks with internal servers benefit from segmentation, keeping the machines that hold sensitive information away from the network's edge. A secondary firewall for the protected segment further reduces the chance of exploitable vulnerabilities.
Wi-Fi lets you connect devices easily without any wiring. This convenience is also its vulnerability. A poorly secured Wi-Fi network lets nearby devices connect, getting past the firewall. Some networks set up access points without a password, creating two kinds of risk. First, anyone nearby can gain access. Second, Wi-Fi without a password is unencrypted, and readily available tools can read its incoming and outgoing traffic.
Wi-Fi access points with the default configuration, with a widely used SSID and a password everyone knows, aren't any better. Passwords that are posted on walls for any visitor to read are in the same category. Default settings make it easier to spoof the network's Wi-Fi and lure users to rogue access points. Wi-Fi routers should have unique SSIDs and strong passwords.
"Shadow IT" access points are another security risk. If some areas have poor coverage, employees may connect their own hotspots and not protect them adequately.
Too many Internet of Things (IoT) devices are cheaply made and have inadequate security. Such devices are vulnerable points in a network. It's often impossible to configure them or update their firmware. The best solution is to avoid insecure devices and buy from reputable vendors. If there's any doubt, the devices should be segregated into a subnet that has restricted access to the rest of the network and no access to the Internet.
That last category leads into the general problem of unauthorized devices on the network. Employees, just trying to do their job better, sometimes put their own computers on the network or attach devices to them. The IT department doesn't know about them, making it harder to manage the network. They're rarely up to company security standards.
BYOD policies sit on this borderline. The IT department should set standards for acceptable devices, including software to protect both the device and the network. Allowing just any mobile device to connect, including ones with antiquated operating systems, opens up serious risks.
Other user-owned devices may likewise be acceptable if they serve a work-related purpose, but the IT department should vet them, and their access to the network should be limited. If the network has strong security requirements, even allowing that may be too much.
Regardless of the policy, the IT department should keep an inventory of all devices and their IP addresses. It can't address the security issues in a device it doesn't know is there.
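The inventory described above is only useful if it is regularly compared with what is actually on the wire. The following added example (not code from the original article) diffs a constructed inventory against constructed `ip neigh show`-style entries and reports devices IT doesn't know about, known devices that moved to a different IP, and inventoried devices that are not currently seen.

```python
"""Compare devices observed on the network with the IT inventory.

Added example, not from the original article. INVENTORY and SAMPLE_NEIGH are
constructed sample data in the format of Linux `ip neigh show`.
"""
from typing import Dict, List, Tuple

# Constructed inventory: MAC address -> (hostname, expected IP).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("fw-edge", "10.0.0.1"),
    "aa:bb:cc:00:00:10": ("file-srv", "10.0.0.10"),
    "aa:bb:cc:00:00:20": ("ws-alice", "10.0.0.20"),
    "aa:bb:cc:00:00:30": ("printer-2f", "10.0.0.30"),
}

# Constructed neighbour table: one entry is unknown, one moved, one is missing.
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.0.10 dev eth0 lladdr aa:bb:cc:00:00:10 STALE
10.0.0.21 dev eth0 lladdr AA:BB:CC:00:00:20 REACHABLE
10.0.0.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.99 dev eth0  FAILED
"""


def parse_neigh(output: str) -> Dict[str, str]:
    """Return {mac: ip} for entries that carry a link-layer address."""
    seen = {}
    for line in output.splitlines():
        fields = line.split()
        if "lladdr" in fields:  # FAILED/INCOMPLETE entries have no MAC
            mac = fields[fields.index("lladdr") + 1].lower()
            seen[mac] = fields[0]
    return seen


def audit_devices(output: str, inventory=INVENTORY) -> Dict[str, List[str]]:
    """Classify devices as unknown (not inventoried), moved (known MAC at a
    different IP than recorded) or missing (inventoried but not seen)."""
    seen = parse_neigh(output)
    report: Dict[str, List[str]] = {"unknown": [], "moved": [], "missing": []}
    for mac, ip in seen.items():
        if mac not in inventory:
            report["unknown"].append(f"{ip} ({mac})")
        elif inventory[mac][1] != ip:
            name, expected = inventory[mac]
            report["moved"].append(f"{name}: {expected} -> {ip}")
    for mac, (name, _) in inventory.items():
        if mac not in seen:
            report["missing"].append(name)
    return report
```

In practice the neighbour table only shows hosts the collecting machine has talked to recently; feeding in DHCP leases or switch MAC tables gives fuller coverage.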
Now we come to the software side of network security. Even a simple network has machines with multiple operating systems and many applications. If any of them have significant flaws, intruders will exploit them and gain access to the entire network. As with hardware, it's impossible to secure what you don't know is there. Leaving applications wide open for anyone to use without limitation makes it easy to exploit flaws.
A common application security problem is outdated software with known vulnerabilities. If it isn't up to date, it's a target waiting for someone to aim at it. Regular network vulnerability scanning can discover these problems so that the IT managers can install the latest security patches.
It's easy to forget about software that falls into disuse but not fully remove it. Plug-ins and add-ons on content management systems are especially prone to this. IT managers should be aware of all software that can be affected over the Internet and either maintain it or get rid of it.
Some software, especially code written in-house, may have problems that aren't easily fixed. Such applications are open to zero-day exploits. Sometimes there is no escape from this risk, but tight access control will limit the danger.
Shadow IT is a problem with software as well as hardware. When employees put software on their machines without going through IT approval, they're likely to create a security risk. The software may be risky by its nature, and most likely no one is applying security patches. Users can even be fooled into installing a Trojan horse that will infiltrate the network.
Ironically, this sometimes happens because IT policies are too strict. If employees can't do what they need by going through channels, they'll find other ways to get their jobs done. IT people should work with employees to find secure solutions to their problems.
Carelessness when configuring software opens the way for security breaches. An application's defaults generally optimize usability ahead of security. Default names for directories, files, and accounts give attackers a head start. Protecting administrative accounts is especially important. Changing the name of each admin account and restricting access to it will keep the chances of unauthorized access low.
Having a virtual private network is valuable. Because employees can access it from anywhere, there's no need to expose internal-use software to the Internet. At the same time, a VPN has its own security risks. Configuring it securely is crucial.
Engineers can manage hardware and software issues, but human ones often seem intractable. People make mistakes. They use weak passwords or don't guard them carefully. They open phishing messages. They click on links to malicious websites. Getting them to understand and follow a security policy is a challenge.
People aren't good at devising strong passwords. They create ones that are easy to guess, and they reuse ones they've previously created. They write them down where others can see them. Software can impose minimum password complexity requirements, but that helps only up to a point.
Multi-factor authentication greatly improves account security. Whether the second factor uses text messaging, a mobile application, or a specialized device, it prevents anyone from breaking in with a stolen password alone.
Password managers encourage users to create hard-to-guess passwords, since they don't have to remember them. A password generator and a password manager used together provide good account protection.
Trickery is a favorite way of breaking network security. Phishing messages, scam phone calls, and lookalike sites are a few of the tricks for making people give up confidential information without knowing it. Security awareness training and testing make employees more alert to such schemes and less likely to fall for them.
Still, anyone can be fooled some of the time. The principle of least privilege reduces the damage when they are. Accounts should have only the permissions necessary to do the job. Only a few accounts should have unlimited access. That way, someone who breaks into an account can't get as far.
Guarding against network vulnerabilities is a complex, full-time job. Every device, every piece of software, and every person on the network can contribute to cybersecurity or be a risk factor. Regular reviews of security policies and practices are necessary. Employees need to be aware of the risks and know how to avoid them.
You need an expert security team on your side to maintain a strong cybersecurity posture. We have the skills and experience to discover the weaknesses in your network, so you can fix them before anyone else finds them. Call RedTeam Security at 612-234-7848 to schedule a free consultation.