Security assessments, such as penetration tests and vulnerability scans, often result in the identification of various types of vulnerabilities. While most organizations tend to remediate the medium- and high-risk vulnerabilities rather quickly, low-risk vulnerabilities are often pushed down on the priority list or designated as acceptable and forgotten about altogether. What many organizations may not realize is that low-risk vulnerabilities can lead to significant security breaches.
The following provides an overview of the most common low-risk vulnerabilities that organizations should not ignore in their remediation activities.
As the need to access devices remotely increases, so do “man-in-the-middle” attacks. Remote access protocols like HTTP and Telnet are still in use today but are insecure because they transmit credentials and session data in cleartext, so anyone positioned on the network path can read or alter them. The use of encrypted protocols, such as HTTPS and SSH, for remote access is the simplest way to protect against these types of attacks.
It is becoming easier for hackers to break encryption that relies on short keys. As a result, the National Institute of Standards and Technology (NIST) no longer allows key sizes smaller than 112 bits for symmetric cryptographic algorithms and 1024 bits for asymmetric algorithms. To ensure the latest guidelines are being met and the highest level of security is in place, organizations should review the encryption levels used throughout their entire network on an annual basis.
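The two points above (cleartext remote-access protocols and undersized keys) are the kind of thing a service inventory review should catch. The following is an added example, not code from the original article: it audits a constructed inventory of services, flagging cleartext protocols and key sizes below the NIST minimums the article cites. The `Service` records, the protocol replacement mapping, and the sample hosts are assumptions made for illustration.

```python
"""Audit a service inventory for cleartext remote-access protocols and
cryptographic key sizes below the minimums cited in the article.
Added example; all inventory records below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Cleartext protocols paired with the encrypted protocol that should replace
# them (assumption: common replacements, not a standard's mapping).
CLEARTEXT_REPLACEMENTS = {
    "telnet": "ssh",
    "http": "https",
    "ftp": "sftp",
}

# Minimum key sizes from the article's NIST guidance.
MIN_SYMMETRIC_BITS = 112
MIN_ASYMMETRIC_BITS = 1024


@dataclass
class Service:
    host: str
    port: int
    protocol: str
    symmetric_bits: Optional[int] = None   # negotiated cipher strength, if known
    asymmetric_bits: Optional[int] = None  # server key size, if known


def audit_service(svc: Service) -> List[str]:
    """Return the findings for one service (an empty list means it passes)."""
    findings = []
    proto = svc.protocol.lower()
    if proto in CLEARTEXT_REPLACEMENTS:
        findings.append(
            f"{svc.host}:{svc.port} uses cleartext {proto}; "
            f"replace with {CLEARTEXT_REPLACEMENTS[proto]}"
        )
    if svc.symmetric_bits is not None and svc.symmetric_bits < MIN_SYMMETRIC_BITS:
        findings.append(
            f"{svc.host}:{svc.port} symmetric key is {svc.symmetric_bits} bits; "
            f"minimum is {MIN_SYMMETRIC_BITS}"
        )
    if svc.asymmetric_bits is not None and svc.asymmetric_bits < MIN_ASYMMETRIC_BITS:
        findings.append(
            f"{svc.host}:{svc.port} asymmetric key is {svc.asymmetric_bits} bits; "
            f"minimum is {MIN_ASYMMETRIC_BITS}"
        )
    return findings


def audit_inventory(services: List[Service]) -> List[str]:
    """Flatten the findings across a whole inventory."""
    return [finding for svc in services for finding in audit_service(svc)]


# Constructed sample inventory: two cleartext services, one weak TLS host,
# and two services that pass.
SAMPLE_INVENTORY = [
    Service("switch-01", 23, "telnet"),
    Service("intranet", 80, "http"),
    Service("vpn-gw", 443, "https", symmetric_bits=128, asymmetric_bits=2048),
    Service("legacy-app", 443, "https", symmetric_bits=56, asymmetric_bits=512),
    Service("bastion", 22, "ssh", symmetric_bits=256, asymmetric_bits=3072),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```

In practice the `Service` records would be populated from a scanner export or a TLS configuration check rather than typed by hand; the point is that the thresholds are explicit constants that can be raised when the guidance changes, and every service missing key-size data is reported as passing only because the data is absent, which is itself worth tracking.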
Some organizations fail to change the default credentials that come with new devices and software. This could prove to be a costly oversight as hackers can easily access online databases that provide username and password combinations, detailing products down to the model and version number. Policies and procedures should require default passwords to be changed for any new hardware or software. If possible, default accounts should also be replaced with unique usernames.
Brute-force attacks against passwords are extremely common, so passwords should be able to withstand them. Organizations should have password policies that require multiple character sets (lowercase and uppercase letters, numbers and symbols) and enforce a minimum required length (eight or more characters is standard). It is also considered best practice to avoid using easily guessed words like seasons or pop culture references.
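A password policy along the lines of the two paragraphs above (no vendor defaults, multiple character sets, a minimum length of eight, and a blocklist of easily guessed words such as seasons) can be enforced at account creation. The following is an added example, not the article's own code or any product's policy engine: the default-credential pairs and blocklisted words are constructed placeholders that an organization would replace with its own lists.

```python
"""Password policy checker covering default credentials, character sets,
minimum length and easily guessed words. Added example; the credential
pairs and blocklist below are constructed placeholders."""
import re
from typing import List

MIN_LENGTH = 8

# Constructed placeholder pairs; a real deployment would load the defaults
# documented for its own device and software inventory.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
}

# Easily guessed words the article calls out (seasons, pop culture).
# A tuple keeps the order of reported violations deterministic.
BLOCKLISTED_WORDS = ("spring", "summer", "autumn", "fall", "winter", "starwars")

CHARACTER_SETS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Common character substitutions, undone before the blocklist check so that
# "Summ3r" is still recognised as "summer".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase the password and undo common substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def check_password(username: str, password: str) -> List[str]:
    """Return the policy violations for a candidate credential (empty = accepted)."""
    problems = []
    if (username.lower(), password) in KNOWN_DEFAULT_CREDENTIALS:
        problems.append("matches a known vendor default credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, rx in CHARACTER_SETS.items() if not rx.search(password)]
    if missing:
        problems.append("missing character sets: " + ", ".join(missing))
    normalized = normalize(password)
    for word in BLOCKLISTED_WORDS:
        if word in normalized:
            problems.append(f"contains easily guessed word '{word}'")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("jsmith", "Summ3r2024!"), ("jsmith", "Tr4ck-Lantern-9x")]:
        print(user, "->", check_password(user, pw) or "accepted")
```

The substitution step is deliberately small; a production checker would typically also reject passwords found in breach corpora and compare against the username and organization name, but the structure (explicit rules, each producing a named violation) stays the same.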
No Lockout Policy
Hackers can run password attacks against a login prompt with the help of automated tools, known usernames, and a password database. This allows them to make as many attempts as they need until they are granted access. Accounts that require a login should be set to lock out after a certain number of invalid attempts. Ideally, when this occurs, the account should remain locked until an administrator resets it. If this is not a viable option, a time limit can be set which ensures the account remains locked for a certain period of time (12 hours, for example).
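The lockout behaviour described above can be implemented as a small state machine in front of the credential check. The following is an added example, not code from the article: it locks an account after a configurable number of failures, supports both the permanent-until-reset and the timed (12 hours by default) variants, and rejects even a correct password while the lock is in effect. The injectable `clock` parameter is an assumption made so the timed variant can be exercised without waiting.

```python
"""Account lockout tracker: lock after N failed attempts, either until an
administrator resets the account or until a fixed period has elapsed.
Added example; thresholds follow the article's guidance."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_ATTEMPTS = 5
LOCKOUT_SECONDS: Optional[float] = 12 * 60 * 60  # None means permanent until reset


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None


class LockoutTracker:
    def __init__(
        self,
        max_attempts: int = MAX_ATTEMPTS,
        lockout_seconds: Optional[float] = LOCKOUT_SECONDS,
        clock: Callable[[], float] = time.time,  # injectable for testing
    ):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        """Report whether the account is currently locked, expiring timed locks."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.lockout_seconds is None:
            return True  # permanent lock: only admin_reset clears it
        if self.clock() - st.locked_at >= self.lockout_seconds:
            st.failures = 0
            st.locked_at = None  # timed lock has expired
            return False
        return True

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'denied' or 'locked'.

        password_ok is the result of the credential check performed
        elsewhere; while locked, the result is 'locked' regardless of
        whether the password was correct, so the lock cannot be used to
        confirm a guess.
        """
        if self.is_locked(user):
            return "locked"
        st = self._state(user)
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_at = self.clock()
            return "locked"
        return "denied"

    def admin_reset(self, user: str) -> None:
        """Clear the lock and failure count; the only way out of a permanent lock."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    tracker = LockoutTracker(max_attempts=3)
    for ok in (False, False, False, True):
        print(tracker.attempt("alice", ok))
```

The tracker is keyed on the username only; a deployment that also wants to slow an attacker who rotates usernames would add a second counter keyed on the source address, and should log every transition to the locked state so the security operations team sees the attack rather than only the helpdesk tickets it produces.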
A common but flawed assumption is that internal systems are safe from attack and do not need security layers such as encryption and passwords. In the event that external security layers fail, hackers would have full access to an unsecured internal network and could inflict significant damage. Internal security controls, like authentication requirements for access to confidential information and data, should be implemented because they provide an extra layer of security.
Sometimes organizations disregard certain devices such as printers and music players when considering security risk. These devices can actually provide a gateway to more critical systems on a network. Organizations should be sure to include such devices in their vulnerability management process.
Given the right circumstances, a successful exploit of common, low-risk vulnerabilities can produce disastrous results. To help identify these threats and prevent dangerous security breaches, a comprehensive review of the security settings associated with an organization’s assets should be performed. Regular vulnerability scanning, coupled with annual penetration testing, can ensure organizations have a complete picture of the threats facing their network, including low-risk vulnerabilities.