17.02.2015

Informzaschita: top-10 vulnerabilities and weaknesses detected during information security audits performed in 2014

Informzaschita has presented analytics based on the results of more than 40 comprehensive and technical information security audit projects performed in 2014. The experts compiled a top-10 of the most common vulnerabilities and weaknesses detected at companies from different business sectors: finance and telecommunications, transport organisations, and the oil and gas industry.

The audits demonstrated the following:

The majority of the detected vulnerabilities relate to the access management process. The most common of them are, for example, a missing or incorrectly configured password policy on various components of the IT infrastructure, or the use of insecure remote access protocols. Although the awareness of information security specialists grows each year, missing password policies and default passwords remain a live problem.

For example, TELNET is still encountered in internal administration. Combined with misconfigured network equipment that is exposed to “ARP Cache Poisoning”, this creates a risk that network administrators’ credentials are disclosed to internal attackers.

Information security tools are not always configured optimally, and are sometimes deployed only for the sake of appearance. For example, the majority of companies had not configured up-to-date signature updates or alerting on detected threats for their attack detection tools, and firewall rules for filtering network traffic were configured incorrectly.

Traditionally, insufficient attention is paid to the change management process for the IT infrastructure, and often the changes made are not documented at all. Information security risk assessment is also not performed, which makes it impossible to take informed decisions about whether a change is justified and which measures are needed to reduce the related information security risks. This approach often leads to vulnerabilities appearing in the infrastructure as a result of changes, and to resources being wasted on the acquisition of security tools.

The list of the most common vulnerabilities closes with incorrectly configured audit policies for information security events: for example, event logging not enabled on some IT infrastructure components, no requirements for the retention of event logs, and no centralised server for storing the logged events.

The most common vulnerabilities and weaknesses:

  1. Password policies are not configured, or are configured incorrectly.
  2. Network equipment is administered over the insecure TELNET protocol.
  3. Event auditing is not configured, or is configured incorrectly.
  4. Firewalls contain excessive rules.
  5. Network segmentation is performed incorrectly; in particular, server segments are not separated from user segments.
  6. The update management process is not implemented, or is implemented incorrectly; as a result, for example, a company continues to use obsolete software containing known vulnerabilities.
  7. Security settings on access switches are missing; in particular, there is no protection against “ARP Cache Poisoning” attacks.
  8. Signature updates and alerting are not configured for the attack detection tool.
  9. Insecure protocols are used for remote access over VPN.
  10. Access restrictions on network file shares are configured incorrectly.
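Several of the items above (2, 3, 4 and 7), as well as the point about event logging made earlier, are configuration checks that an auditor can automate against exported device configurations. The script below is an added example and is not Informzaschita's tooling; it assumes Cisco IOS-style command syntax (`transport input`, `ip arp inspection vlan`, `logging host`, `ip access-list`) and runs over two constructed configuration fragments, one carrying the weaknesses and one hardened. The IP addresses and hostname are placeholders.

```python
"""Lint an IOS-style device configuration for some of the weaknesses listed above.

Added example: the config samples below are constructed, not taken from any audit.
"""
import re

# Constructed sample showing the weak state (items 2, 3, 4, 7 from the list).
WEAK_CONFIG = """\
hostname core-sw-1
username admin secret <placeholder-hash>
line vty 0 4
 transport input telnet
 login local
ip access-list extended OUTSIDE-IN
 permit ip any any
"""

# Constructed sample with the corresponding corrected settings.
HARDENED_CONFIG = """\
hostname core-sw-1
username admin secret <placeholder-hash>
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
logging host 10.0.0.5
logging trap informational
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.1.10 eq 443
 deny ip any any log
"""


def _blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS-style config into (header, child lines).

    Top-level commands have no indent; indented lines belong to the
    preceding top-level command (e.g. a 'line vty' or access-list block).
    """
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config: str) -> list[tuple[int, str]]:
    """Return (list-item number, description) findings, sorted by item number."""
    findings: list[tuple[int, str]] = []
    blocks = _blocks(config)
    top_level = [header for header, _ in blocks]

    # Item 2: TELNET accepted on the virtual terminal lines. A missing
    # 'transport input' line is treated as weak because the default on many
    # platforms still allows telnet; 'transport input all' allows it too.
    for header, children in blocks:
        if header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append((2, f"{header}: TELNET accepted for administration"))

    # Item 3: no central log server configured for security events.
    if not any(h.startswith("logging host") for h in top_level):
        findings.append((3, "no 'logging host': events are not sent to a central server"))

    # Item 4: an access list that permits all traffic is an excessive rule.
    for header, children in blocks:
        if header.startswith("ip access-list"):
            for line in children:
                if re.fullmatch(r"permit ip any any", line):
                    findings.append((4, f"{header}: 'permit ip any any' is an excessive rule"))

    # Item 7: no Dynamic ARP Inspection on any VLAN, so ARP cache poisoning
    # on the access layer is not mitigated.
    if not any(re.match(r"ip arp inspection vlan \S+", h) for h in top_level):
        findings.append((7, "no 'ip arp inspection vlan': ARP cache poisoning not mitigated"))

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for item, text in audit_config(cfg) or [(0, "no findings")]:
            print(f"  [{item}] {text}")
```

The checks are deliberately syntactic: they report what is absent or permissive in the exported text, which is exactly the class of finding (no logging target, telnet on the vty lines, a blanket permit) that the audits above describe. Items 5, 6 and 10 need information outside a single device's configuration (topology, software inventory, share permissions) and are not covered here.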

Denis Khlapov, audit project architect: 

“As we can see, the majority of the detected vulnerabilities relate to incorrect access management and to weaknesses in the security of the network infrastructure. At the same time, the largest part of the detected vulnerabilities could be used by internal attackers even when the external perimeter is secured fairly well. Nevertheless, the most common vulnerabilities are critical and can cause substantial damage to the companies’ business if used by attackers. Without doubt, companies have to pay more attention to the access, change and update management processes. It is also necessary to periodically carry out internal information security audits, perimeter security analysis and risk assessment.”

Conclusion:

The vulnerabilities listed above may allow an intruder to escalate privileges within the infrastructure up to administrator level. This may lead both to the compromise of critical data and to the disruption of business processes. Given that flaws in the configuration of information security event logging were found in almost every audit, investigating an intruder’s possible actions will be very hard.

At present many companies visibly strive to reinforce the security of the external perimeter of their information infrastructure, while the risks related to an intruder’s actions inside it are not always taken into account. Such an approach to information security also ignores the “defence in depth” concept of system security: an external attacker who compromises any external resource (for example, a web server) will most likely gain access to critical data on the company’s internal network. The audits we performed clearly demonstrate that companies neglect internal security in favour of protection against external attacks. This approach is understandable, but it is certainly not correct, and it may lead to substantial losses if either external attackers or insiders succeed.