5 Network Security Threats And How To Protect Yourself
Cybersecurity today matters so much because of everyone’s dependence on technology, from collaboration, communication and collecting data to e-commerce and entertainment. Every organisation that needs to deliver services to their customers and employees must protect their IT ‘network’ - all the apps and connected devices from laptops and desktops to servers and smartphones.
While traditionally these would all live on one "corporate network" - networks today are often just made up of the devices themselves, and how they’re connected: across the internet, sometimes via VPNs, to the homes and cafes people work from, to the cloud and data centres where services live. So what threats does this modern network face?
Cybersecurity threats, or network security threats?
Many technical terms are used interchangeably. Some people say cybersecurity when they mean network security, and vice versa. Cybersecurity is the overall umbrella term. It involves securing everything in the network, from your endpoint devices to your data and the cables (or airwaves) and devices that connect them.
Network security historically focused on the actual network itself, which supported the various systems and applications. But when an attacker targets a network, what they’re really trying to access are its apps and data to disrupt business or steal valuable information.
Beyond the perimeter
This development of the 'network' concept has made traditional network security thinking obsolete. The perimeter is no longer just around the traditional on-premises network. It now extends to the SaaS applications used for business-critical workloads to the home office networks employees use to access corporate resources remotely. Data is now spread across a vast number of services, devices, applications and people.
This modern "network" is now commonly called your attack surface, and as it’s so much larger and more dispersed, it’s constantly under threat and hard to protect. As a result, network security has evolved into a ‘zero trust’ approach. This assumes there’s no perimeter, and therefore no such thing as a ‘threat-free’ environment, requiring all users, wherever they access from, to be authenticated and authorised before they can access applications and data.
But even with a zero trust approach, your network remains vulnerable to attack and it’s important to understand what and where your security threats are, so let’s look at them in more detail.
According to recent research by Verizon, misconfiguration errors and misuse now make up 14% of breaches. Misconfiguration errors occur when configuring a system or application so that it’s less secure. This can happen when you change a setting without fully understanding the consequences, or when an incorrect value is entered. Either can create a serious vulnerability - for example, a misconfigured firewall can allow unauthorised access to an internal network, or a wrongly configured web server could leak sensitive information.
#2 Outdated software
Software and app developers constantly release updates with patches to cover vulnerabilities that have been discovered in their code. Applying patches to fix these vulnerabilities across an organisation’s entire network of devices can be time-consuming and complex to implement - but it is essential. If you don’t update your software, firmware and operating systems to the latest versions as they’re released, you’re leaving your network exposed. A vulnerability scanner will give you a real-time inventory of all the software which needs updating, as well as detect misconfigurations that reduce your security, so you can stay as secure as possible.
#3 DoS attack
The previous two threats are usually exploited to breach networks and steal information, but a Denial-of-Service (DoS) attack is meant to shut down your network and make it inaccessible.
This can be done by many means, either with malware, or by flooding the target network with traffic, or sending information that triggers a crash such as requesting overly complex queries that lock up a database. In each case, the DoS attack prevents customers or employees from using the service or resources they expect.
DoS attacks often target websites of high-profile organisations such as banks, media companies and governments. Though DoS attacks don’t usually result in the theft or loss of data, they can cost you a great deal of time and money to handle. A properly configured content delivery network (CDN) can help protect websites against DoS attacks and other common malicious attacks.
#4 Application bugs
A software bug is an error, flaw or fault in an application or system that causes it to produce an incorrect or unexpected result. Bugs exist in every piece of code for all sorts of reasons, from improper testing or messy code to a lack of communication or inadequate specifications documents.
Not all bugs are cyber security issues or vulnerable to exploitation where an attacker can use the fault to access the network and run code remotely. However, some bugs like SQL injection can be very serious, and allow the attackers to compromise your site or steal data. Not only do SQL injections leave sensitive data exposed, but they can also enable remote access and control of affected systems. This is just one example of a type of application bug, but there are many others.
Injections are common if developers haven’t had sufficient security training, or where mistakes are made and not code reviewed – or when combined with inadequate continuous security testing. However, even when all these things are done - mistakes can still happen, which is why it's still ranked as the #1 threat in the OWASP Top Ten Web Application Security Risks. Fortunately, many types of injection vulnerabilities (and other application level security bugs) can be detected with an authenticated web vulnerability scanner, and penetration testing for more sensitive applications.
#5 Attack surface management
Can you secure your business if you don’t know what internet-facing assets you own? Not effectively. Without a complete and updated inventory of internet-facing assets, you don’t know what services are available and how attackers can attempt to get in. But keeping on top of them and ensuring that they're being monitored for weaknesses isn't exactly a walk in the park as IT estates grow and evolve almost daily.
When companies try to document their systems, they often rely on manually updating a simple spreadsheet, but between configuration changes, new technologies, and shadow IT, they rarely know exactly what assets they own or where. But discovering, tracking, and protecting all these assets is a critical component of strong security for every business.
A vulnerability scanner is a dynamic, automated tool that can keep track of what’s exposed to the internet, and restrict anything that doesn't need to be there - like that old Windows 2003 box everyone’s forgotten about, or a web server that a developer spun up for a quick test before leaving the business…
It can also keep a constant watch over your cloud accounts and automatically add any new external IP addresses or hostnames as targets. And it can help with ‘asset discovery’ when companies need help finding their IP addresses and domains that they don’t even know about.
What does this mean for you?
Attackers use automated tools to identify and exploit vulnerabilities and access unsecured systems, networks or data - however big or small your organisation. Finding and exploiting vulnerabilities with automated tools is simple: the attacks listed above are cheap, easy to perform and often indiscriminate, so every organisation is at risk. All it takes is one vulnerability for an attacker to access your network.
Knowing where your vulnerabilities and weak points are is the first and most important step. If you spot your vulnerabilities early, you can address them before an attacker can exploit them. A vulnerability scanner is a cloud-based service that identifies security vulnerabilities in computer systems, networks and software. Vulnerability scanners provide a continuous service that searches for network threats and vulnerabilities - everything from weak passwords to configuration mistakes or unpatched software - so you can address them before attackers exploit them.
Vulnerability management made easy
Intruder’s network vulnerability scanner is powered by industry-leading scanning engines used by banks and governments across the world. It’s capable of finding over 11,000+ vulnerabilities and focuses on what matters, saving time with contextually-prioritised results. Our noise reduction only reports actionable issues that have a genuine impact on your security.
By scanning both your internal and external attack surface, we monitor your publicly and privately accessible servers, cloud systems, websites and endpoint devices. Fewer targets for hackers mean fewer vulnerabilities for you to worry about.
Organisations around the world trust Intruder’s vulnerability scanner to protect their networks with continuous security monitoring and comprehensive scanning.
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
Red teamers, security researchers, detection engineers, threat actors have to actively research type of vulnerability, location in vulnerable software and build an associated exploit.
Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they were previously having to hunt themselves, speeding up potential exploit creation.
Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
The likelihood that exploitation in the wild is going to be happening is steadily increasing.
Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
We’re starting to lose some of the benefit of rapid, automated vulnerability detection.
Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
Any detection released a month after the details are publicly available is decreasing in value for me.
Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what is the delay for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs. Then since 2010 Tenable have remote released checks for 147 critical CVEs and OpenVAS 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check of a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and try and see if I could identify any trend in each organisations release delay, are they getting better year-on-year or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to only checks released 180 days prior to a CVE being published and 31 days after a CVE being published. These seem to me like reasonable limits, as anything greater than 6 months prior to CVE details being released is potentially a quirk of the check details and anything after a 1-month delay is less important for us.
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities Tenable could win this category. However, the delay time from 2019 and 2020 going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie. It’s a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.