Network misconfigurations cost companies an average of nine per cent of annual revenues, according to a study released by a network security and compliance company.
The research by Titania based on a survey of 160 senior cyber security decision makers across a broad array of government and industrial verticals also warned that misconfigurations that leave a business vulnerable to cyber attacks could be sitting on networks for months or years because of infrequent audits of connected devices.
"Networks can change on a daily basis — typically through planned activity — resulting in configuration drift," says Titania CEO Phil Lewis. "As firewalls, routers and switches are pivotal to the security of all networks, organisations should check all their devices regularly — ideally daily — for misconfigurations, either accidental or deliberate, that could result in critical security risks.
"The fact that only four per cent of organisations assess all their network devices by auditing their switching and routing devices, as well as their firewalls, is inherently problematic and likely the result of a lack of accurate automation capability."
Prioritising risk mitigation of network devices a challenge
The study also revealed that organisations are having trouble prioritising mitigation of risks posed by network devices. It found that 70 per cent reported difficulties prioritising remediation based on risk. They also identified inaccurate automation as a top challenge when meeting security and compliance requirements.
"The tools that many organisations currently rely upon to automate vulnerability detection are failing in making the day-to-day network security checking process more efficient and effective," Lewis says. "It often involves sampling. This ultimately leaves networks exposed to undetected and potentially critical risks caused by configuration drift."
Router settings often have mistakes
Organisations may be reluctant to fiddle with network misconfigurations.
"It is very easy to 'break' working web apps and functioning services when changing network configuration for threat remediation," explains Michael Assraf, CEO and co-founder of Vicarius, a vulnerability remediation company.
“Network equipment usually runs old and lean versions of Linux, which doesn’t receive general kernel updates unless the hardware vendor releases an upgrade. Taking a snapshot and recovering from a bad configuration is also done manually and require specific expertise."
Antiquated network architectures that depend on firewalls to protect network devices from compromise can also contribute to the risks they present to organisations. "There are many things admins can do with router settings by mistake that might accidentally bypass your firewall," says Corey Nachreiner, CSO of WatchGuard Technologies.
"I have seen admins use a router’s multiple interfaces to inadvertently connect a second interface directly into their network, going around the firewall in the process."
"Some switches also have alternate remote management channels that might fall outside your firewall and gateway router," Nachreiner continues, "so it’s also important to make sure those features aren’t misconfigured and exposing your internal network switches to the world as a result."
Switches and routers often overlooked
The report also found that routers and switches are largely overlooked. Most organisations (96 per cent) prioritise the configuration and auditing of firewalls, but only four per cent assess switches and routers, as well as firewalls.
"Commercial routers and networking equipment have strong security protocols, which are heavily advertised," says Ray Steen, CSO of MainSpring, a provider of IT managed services. "Network administrators trust this security, but a powerful security protocol in a product containing vulnerable code is like a three-inch steel door protecting a cardboard box. Cyber actors just break the box."
"I think that people give more attention to personal computing and servers because it is easy to protect them," adds Carmit Yadin, founder and CEO of DeviceTotal, maker of a risk management platform for un-agentable devices.
"They are intuitive, while IoT and network devices are black boxes that customers purchase and plug into the network. There are no client or agent to be installed so they're less intuitive."