According to a study by the security firm Qualys, desktop applications like iTunes, Firefox, PowerPoint and, surprisingly, antivirus programs account for more than 60% of critical vulnerabilities. And attackers are focusing on new network targets as well.
VoIP servers and phones, IM servers, and even printers and faxes are now considered weak points that may provide access to an otherwise hardened network. Added to that, user-introduced errors and network misconfigurations can undermine even the best security plans.
According to Moses Hernandez, a network engineer for Mercy, in the past the task of studying the network was done infrequently. "We used scanning to get a feel for the network and know what was on it," Hernandez said. "We simply needed to get an idea of what was out there."
Soft on the Inside
However, after scanning for inventory and topology, Mercy realized it had to keep scanning on an ongoing basis. Networks can change dramatically over time, and new vulnerabilities are discovered in operating systems and applications on an almost daily basis. "Vulnerability assessments have become so important that we scan every week or even every day," Hernandez said.
In other words, simply hardening your network against outside intruders is no longer an effective strategy. Increasingly, with guest access, partner applications, and distributed networks, it's more and more difficult to define what "inside the network" even means.
According to Ross Brown, CEO of vulnerability management vendor eEye Digital Security, in the past the term vulnerability had a specific meaning, referring to flaws in systems or software. These could be fixed via patches. Today, the term vulnerability has a broader meaning, encompassing not just software flaws but also user-introduced vulnerabilities, network misconfigurations, and even interoperability problems. The new generation of vulnerability management tools even discovers instances where users are putting the organization at risk by not following corporate policies.
A recent survey by the Computer Security Institute (CSI) and the FBI found that nearly 52% of participants were hit by security breaches, many from outside of the organization. However, 68% said that a significant portion of those breaches came from within the network.