Why You Need to Run a Vulnerability Assessment
Running a vulnerability assessment is fundamental for any organization. When an administrator is in the process of securing his network, there are a lot of things he needs to bear in mind. Unfortunately, when it comes to network security most stop at patch management and antivirus software. Little do they know that they also need to check configurations, known issues in third-party applications, as well as potentially troublesome hardware that in their default configuration can be harmful to the network’s security. These processes are what constitute a vulnerability assessment.
Why is a vulnerability assessment indispensable for the security of your corporate network?
Once you secure your network by fully patching it and deploying antivirus solutions, hackers might still be able to exploit a number of misconfigurations. Below is a list of general issues one might find in a typical operating system installation:
- Unnecessary open shares
- Unused user accounts
- Unnecessary open ports
- Rogue devices connected to your systems
- Dangerous script configurations
- Servers allowing use of dangerous protocols
- Incorrect permissions on important system files
- Running of unnecessary, potentially dangerous services.
Apart from these misconfigurations, when running a vulnerability assessment on your network you might find several security issues with a wide range of software and hardware including:
- Default passwords on certain devices
- Unnecessary services running on some devices
- Running web services that contain known vulnerabilities
- Dangerous applications such as peer-to-peer applications
- Third-party applications that are a vulnerability to known exploits.
Some vulnerability scanners will also look for signs of known malware based on the computer’s behavior rather than actually scanning the files for known malware signatures. In some cases, this approach can help uncover issues that an antivirus might miss, especially if that malware is being protected by a rootkit.
It is important to note that each of the issues mentioned above can jeopardize the network’s security even if this is fully patched.
Take into account that some systems may still have accounts which belonged to employees who left or were laid off and are still active; such a vulnerability assessment will bring these to light and, until such accounts are disabled, these potentially disgruntled employees can log in your systems and cause havoc.
The same applies to open shares. These are one of the vectors hackers use to spread viruses, especially in cases where such needless open shares aren’t password protected. In some cases, having a particular port open can also be an indication that the system is running a known malware. Most vulnerability scanners will point this out in their scan results.
Rouge devices are a big security concern for companies. From USB drives to wireless access points, these devices can provide an access into your network – intentionally or unintentionally. Monitoring for the existence of these devices is an essential part of securing your network. Dangerous scripts, misconfigured services, and incorrect permissions, can all be exploited by a skilled hacker whose objective is to gain access to his victim’s systems.
Something that is generally overlooked when securing the network is the devices connected to it. Printers, routers and fax machines are generally seen as a minor concern in terms of security. However, some of these devices can be used as a gateway to networks when they carry a faulty configuration or they still use default settings. Some network printers, for example, by default allow unsecured telnet access to them without requiring any authentication. A subset of these will also store a copy of what is printed in their internal storage – something employees can copy even remotely over the internet.
Finally, there are vulnerabilities caused by software. Some web services contain known exploits that allow a malicious attacker to use that script as a gateway to send emails, potentially using your organization to launch spam runs; SQL injection exploits might allow an attacker to get hold of usernames and passwords, or inserting his own username, or even to run code remotely. Likewise the use of applications with known vulnerabilities can open your organization to targeted attacks. Malicious hackers might try to send people malicious payloads targeted at these vulnerable applications that, when triggered, would run the code the hacker would have embedded in the payload sent. When misconfigured, P2P applications can share confidential documents or source codes with the whole world. These applications can be a huge threat when installed on a corporate environment. Even if configured correctly, it is impossible to verify the origin or legitimacy of anything downloaded through their use. Employees using such an application might unknowingly download malware or even illegal material.
Clearly, patch management and antivirus protection are only the first step in securing your network. A good vulnerability assessment is the next logical move. Networks are a dynamic entity, they evolve and change constantly. A vulnerability assessment should be set to run constantly and inform the administrator every time change is detected to make the utmost of network security protection.
All of these back doors into a “secure” system really make you realize just how many moving parts there are in every network. If you don’t have total security, you may very well not have any in the hands of those who have the skills and know-how to get in. Especially with all these high profile hacks being perpetrated by “LulzSec,” now is probably the best time to re-evaluate your entire network security setup.
Hi Tom,
You’re right, its always important to keep in mind that a hacker doesn’t need to get through ALL of your security but only the WEAKEST part. This makes it essential to cover all bases security wise or at least as much as possible depending on your cost, benefit ratio.
One of the more irritating things that novice sysadmins do is the whole “set it and forget it” method of administration…they think they can just set up a server and it’ll manage itself, and that it just needs to be secured while it’s being set up. It’s important to realize that vulnerability assessments need to be done on a regular basis.
With so many malwares, viruses, spywares, and scarewares running around the Internet these days (even Mac PCs are targeted and infiltrated), it’s not only a must to run a vulnerability assessment, it’s also a corporate responsibility (a big hint to Sony PlayStation and Sony Pictures).
In the past, having a vulnerability assessment in place is required only to big multi-national corporations. Today, even small and medium size businesses are following suit. This just proves that when it comes to IT security, size does not matter.
@James
I agree that many admins set servers up and then forget about them, however I believe this is mainly because of lack of faith in themselves rather than any other reason. Some admins are afraid of touching a working system because they fear any changes might cause downtime and subsequently get them into trouble.
What they don’t realize is that by leaving such systems unattended and not installing any security fixes issued since release they are equally risking downtime or even worse consequences in the event of an intrusion!
Vulnerability assessment is as important as the main protection itself. Just like doctors said “prevention is better than cure”. And in a corporate setting vulnerability assessment can make or break a company’s overall performance.
I agree with Luke’s statement. All organizations should have some kind of vulnerability assessment in place especially these days where malwares are spreading and wrecking havoc everywhere. No one is excused.
Securing a network is an endless battle – one little distraction, and all your security is blown to pieces. I agree that vulnerability assessments, or even better – a self-hack test at the end is just the top of the iceberg. These tasks take so much time but without them a network is exposed to all kinds of dangers.
I agree with Rita,
Its always important to keep in mind that all a hacker needs is to find one weakness to compromise a system. As such it is all about you finding that vulnerability before an attacker does. At the end of the day it is that simple.
You should also check legit remote access and the potential ways to abuse it. If you have remote workers, then you have no choice but to give them remote access and this can turn into a huge backdoor.
Hi Artie,
When you need to give remote access to remote workers, depending on the circumstances you have a number of options:
If the employees can be provided with a static IP then connections can be limited to that IP alone.
VPN can help reduce the surface area, especially together with a staging area. For example, if you want to give employees access to a web server and an SQL server it would be better if employees logged into a staging area thats only accepting VPN connections and then connect to those services from there. In such a scenario, only the staging area would be reachable from the outside.
Ensure stronger authentication when connecting from the outside by using a two factor authentication system.
If your employees will be connecting from public places again ensure there is a VPN and I would suggest the use of one time passwords.