In this post we look at the gap between network security best practices and the “rubber-hits-the-road” reality across a sample of the UK FTSE 100 companies – spoiler alert: some of the results may scare you…
Network security: 4 well-known facts
- Security is a process, not a technology,
- Creating an effective security policy with relevant blueprints and guidelines matters,
- There is a gap between what we know should be done and what is actually done,
- Security is only as strong as the weakest link. Hint: sometimes that weakest link is not located on your network but at one of your suppliers.
Achilles’ Heels revealed:
How can you assess the real security of your supplier – not just based on what they say they do but on what they actually do?
At Sytel, we have solved one part of the puzzle. We have developed a tool called Reve@l:Verify that can make a high-level assessment of your network, or even the networks of your suppliers, within minutes, in a fully automated and simple way.
How does Reve@l:Verify work?
Our Reve@l:Verify tool collects OSINT (Open Source Intelligence) information about the hosts in a particular DNS domain and identifies any vulnerabilities that these hosts may present. If the DNS domain is that of your supplier, then you are armed with useful information to understand whether there is a gap between how they say they do security and what actually happens. Using OSINT means that we don’t need to send probe traffic to the network, so this method of collecting information raises no worry from a legal perspective.
Revelations about the IT security of FTSE Top 100 companies
We ran our tool against DNS domains of the FTSE Top 100 companies and found a few surprises!
Visit our stand and take a guess on the following:
- How many companies have network devices configured such that an attacker can extract information about your internal network and possibly even modify your device configuration?
- How many companies are exposing applications that an attacker could exploit to extract internal user names and launch a social engineering attack against you?
- How many companies are exposing applications that don’t encrypt usernames/passwords and so could be exploited by an attacker to capture your employees’ login credentials?
- How many companies are exposing database applications that could be exploited by an attacker to read/modify/delete your data (and besides, it’s a sure-fire PCI audit fail!)?
- How many companies are exposing their Cisco router logins allowing an attacker to gain access to your underlying router network?
Reveal it to fix it
As you may expect, there is still lots of work to do to bridge the gap between network security best practices and actual real-world implementation. Forget worrying about the latest zero day – every company needs to know about its publicly identifiable weaknesses in order to fix the basics.
What about your company? Would you like to know how secure it is?
Visit the Sytel Reply stand and we will reveal how your network security stacks up by running your Internet domain through the Reve@l:Verify tool. You will get results back in minutes.
Who knows, you may come across a few surprises…
Written by Richard Crouch, Senior Consultant, Sytel Reply