Inherent Risk: How Insecure Systems Pose a Threat to Network Security
Joel Alcon | April 10, 2017
A few months ago, Anubis BitSight Labs researchers discovered that millions of low-cost Android phones, many of them in the United States, were vulnerable to Man-in-the-Middle attacks. The backdoor could be exploited through unregistered internet domains that had been hardwired into the Ragentek firmware used in these devices. A hacker with control of the domains could have installed malware bypassing Android’s security protections.
Using insecure systems like these not only puts the end user at risk of a cyber attack, but also affects the security of the corporate networks to which the devices connect. According to Cisco’s Visual Networking Index: Global Mobile Data Traffic Forecast Update, there will be 947 million mobile-connected devices by 2020. Given the large number of mobile devices that will likely be used by company employees, it will become important for security teams to identify the insecure systems, especially mobile devices, connected to their network.
No One Likes InfoSec Surprises
Companies are spending more time, money and effort securing their corporate network. In fact, Gartner estimates that worldwide spending on information security will reach $90 billion in 2017, and top $113 billion by 2020. Much of the spending is focused on detection and response, but with so much emphasis on network security, some companies are still shocked to discover insecure systems connected to their corporate networks. What’s more concerning is the lack of urgency from some companies to remediate these issues. For example, BitSight researchers discovered the Ragentek vulnerability five months ago, but today they still find more than 1,200 companies with devices running this vulnerable version of the Ragentek firmware.
Looking Beyond the Vulnerability
Companies with insecure systems run the risk of exposing their sensitive data to cyber criminals. The chances of a successful cyber attack may increase as time passes and the insecure system remains in use on the network. In addition to this threat, insecure systems found on a corporate network may be signs of additional vulnerabilities and questionable security hygiene. What’s concerning is that some organizations go months or years without fixing vulnerabilities on their networks. For instance, in a recent BitSight Insights, Critical Third Parties: Exploring Data Security in the Legal Sector & Beyond, researchers discovered that nearly 80% of organizations across all industries examined in the report were exposed to Logjam or POODLE, both of which are major SSL/TLS vulnerabilities discovered years ago.
Why This Matters
According to the ITRC (Identity Theft Resource Center), there have been 392 data breaches already this year (through March 28, 2017), exposing over seven million records. Companies with poor security practices are especially vulnerable to the rising threat of attacks. Considering that insecure systems on a corporate network can be a sign of poor security hygiene, organizations should assess the types of devices connected to their networks, paying special attention to insecure systems such as mobile phones with outdated firmware.
If an organization has insecure systems on its network, the information security team should strive to update them or, if possible, disconnect them from the network. If a critical third party uses insecure systems and has failed to fix the issue, it could be a sign of other security issues. In this case, organizations should continuously monitor that third party’s security rating and observe whether the rate of insecure systems decreases over time. Organizations that want to reach a mature level of cybersecurity should closely monitor their own cybersecurity posture and implement a third-party continuous monitoring strategy to ensure that critical third parties have no signs of insecure systems on their network.