In our day-to-day work with organizations to discover and address security vulnerabilities, we are finding that the top 4 security vulnerabilities that organizations overlook are:
1. Networked printers. From a network security perspective, printers have outdated firmware and are susceptible to multiple attacks. Aside from potential data loss and espionage, more than one proof of concept exists where a printer is used as a springboard to launch other attacks. To resolve this:
- Make sure printers’ firmware is updated regularly and included in your already established patch cycle.
- Logically isolate printers on restricted network segments, allowing access only to a dedicated print server.
2. Internet of Things (IoT). More companies are accepting traditionally isolated devices (e.g., heating, ventilation and air conditioning [HVAC] controllers, IP cameras) onto their networks. These devices have firmware that requires regular updates. There are proofs of concept in the wild, including data theft, vandalism and remote compromise. To resolve this:
- Implement firmware updates and patching cycles.
- Isolate these devices on their own network segment, ideally reachable only through a jumpbox.
3. Aging infrastructure. Over time, manufacturers such as Cisco end-of-life their products. This means that your network switch’s firmware is often out of date and susceptible to attack and compromise. Purchasing gray market, and/or used devices from auctions increases this risk exponentially. More than one gray market network device has been discovered to have unsigned (compromised) firmware. To resolve this:
- Track your device purchases and know their end-of-support dates. End of sale is usually a precursor to end of support. While tempting, never utilize hardware or software more than a year beyond vendors’ stated end-of-support dates. A best practice is to have your devices budgeted to be replaced before the end of your last support period.
- Know what firmware versions are on your devices.
4. People. People remain the biggest threat to the organization. People take the easiest path, which is usually not the most secure, constantly creating vulnerabilities in organizations. The latest data [1] reveal that 70 percent of US employees lack security and privacy awareness. With an employee clicking on malware every 81 seconds in the US, [2] it is no surprise that cyber incidents that expose sensitive data are spreading, increasing an organization’s risk. Employees should be trained annually, at a minimum. This training should include social awareness and security awareness.