A recent survey by a networking integrator found most devices had known vulnerabilities, which one analyst blames on complacency.
Dimension Data Holdings plc of Johannesburg, South Africa recently published a report, titled Network Barometer, based on assessments of 152 clients worldwide. Overall, the company found 73 per cent of networking devices were running with known security vulnerabilities.
Dimension Data, whose services include network assessments, resells equipment made by San Jose, Calif.-based Cisco Systems Inc. The vulnerabilities discovered were software vulnerabilities identified by Cisco’s product security incident response team, according to the report.
Most of Dimension Data’s clients were in the enterprise class, with more than 2,500 users.
In its customer assessments, Dimension Data found many devices were not configured in accordance with “best practices,” such as those for passwords, said Darryl Wilson, area practice director for Dimension Data Canada.
The enterprises surveyed had an average of 31 “configuration issues” per device, using standards set by Cisco, the U.S. National Security Agency and the Payment Card Industry Data Security Standard (PCI DSS).
“I might be tempted to think that might be a touch on the low side,” said James Quin, senior research analyst at the Info-Tech Research Group of London, Ont. “Networking equipment tends to be pretty set and forget for most organizations, particularly when it comes to switches and routers, because once you’ve built the network, it tends to stay relatively the same,” Quin said. “You’re not changing things on a regular basis.”
Quin added Info-Tech does not have similar data but he “wholeheartedly” agrees companies have configuration issues with their networking equipment. As for Dimension Data’s finding that 73 per cent have known vulnerabilities, Quin said that “sounds a touch high” but he agrees there is a problem due to a larger focus on operating system vulnerabilities.
The Dimension Data survey found that 71 per cent of enterprises had at least one vulnerability identified by the Cisco PSIRT, but nearly 100 per cent of small firms (defined as those with fewer than 100 users) had at least one known vulnerability.
Results also varied by industry. While 61 per cent of service providers and telecommunications firms had known security vulnerabilities, the figure was 92 per cent for automotive and manufacturing and 65 per cent for financial services.
Dimension Data said Cisco’s product security incident response team has identified about 400 vulnerabilities since 1996, which Quin notes is “nothing” compared to the number of operating system vulnerabilities discovered.
“That introduces a sense of complacency. ‘The problems don’t come around very often, you can’t really get to the network easily, so we just won’t worry about it.’ That sense of complacency will sooner or later come back and bite people,” Quin said.
Wilson said Cisco will fix known vulnerabilities in its Internetwork Operating System (IOS) but it’s difficult for users to take advantage of this service if they don’t know what’s on their networks.
Dimension Data has found that, with some users, inventories and drawings are often not up to date.
“If they don’t have an accurate view of their assets, it would be difficult for them to have a process to evaluate whether they’re running the proper IOS,” Wilson said. Wilson said security is more important in retail and health care organizations, due to the sensitivity of customers’ health and financial data.
“Is the risk that I could have internal hackers come into my environment and somehow gain access to data? One could deduce that,” Wilson said. “If I’m a credit card guy and I have 47 per cent of my devices with configuration errors, am I more at risk to losing sensitive information? I would think so.”