Beyond the CVE: Illuminating inherent security issues in device configuration
Wed, 24th Apr 2024

With hundreds of thousands of cybersecurity vulnerabilities already published and new ones being discovered every day, identifying and remediating the vulnerabilities present in their networks is a major challenge for organizations. Failure to do so can lead to vulnerabilities being exploited and may result in financial losses, reputation damage and erosion of customer trust.

But with more and more vulnerabilities being discovered, keeping on top of them can be a challenge. Common Vulnerabilities and Exposures (CVEs) offer a valuable resource for identifying them and highlighting which specific vulnerabilities might affect a particular device. Using risk-based vulnerability management to identify the CVEs that pose the greatest threat to the operational integrity of the network, and which ones are being actively exploited (e.g., CISA KEVs), can help determine remediation priorities so that the vulnerabilities posing the greatest threat are fixed first.

However, it is important to note that while the CVE framework is invaluable, it may not capture the full spectrum of risks to a network, especially as it does not reveal the weaknesses introduced by inadequately configured devices. CVEs show where devices are vulnerable and need to be patched, but not where misconfigurations exist. This is an often-overlooked realm, where inherent security issues can be caused by poorly configured or misconfigured devices – whether created accidentally or as a result of malicious action.
And they can’t be patched. 

Devices such as firewalls, switches and routers that are not configured correctly can leave doors open for potential breaches. These misconfigurations can be inadvertent or an indicator of compromise. The recent discussions around the Volt Typhoon attacks have shown that attackers are now living off the land – gaining access through network devices and using these to escalate their privileges and proliferate across an enterprise network. Attacks like these could result in changes to the configurations of devices, which would represent an indicator of compromise, but one that might not trigger alerts in typical network security systems.

Assessing configuration changes to determine whether they were planned or unplanned (the latter pointing to a potential breach), and then proactively assessing the new configuration for any weaknesses it has introduced, leads to a more resilient network, informs incident response and helps shut down threats. However, this needs to be done continuously to ensure that any misconfigurations or vulnerabilities are identified and addressed before they are discovered and exploited by bad actors.

Continuously monitoring routers, switches and firewalls for configuration changes, in addition to addressing CVEs, is therefore critical to hardening a network’s defences and detecting potential indicators of compromise. If devices are configured securely, the impact of a CVE can be greatly limited or rendered moot altogether. Some exploits require a vulnerability plus a poor configuration in order to be enacted, so ensuring any misconfigurations are addressed promptly can stop a CVE from becoming a risk to the network.
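The monitoring loop described above (diff the running configuration against the approved baseline, separate planned from unplanned changes, then check what the new configuration introduces) as an added Python example; it is not code from the article, and the router configs, the approved-change register and the hardening patterns are constructed here for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample configs for a hypothetical router (not real device output):
# the last approved baseline and the running config pulled today.
BASELINE = """\
hostname edge-rtr-1
snmp-server community s3cr3tR0 RO
line vty 0 4
 transport input ssh
ip http secure-server
"""
CURRENT = """\
hostname edge-rtr-1
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
ip http server
ip http secure-server
username backup privilege 15 secret 0 ChangeMe
"""
# Changes covered by an approved change ticket (assumed change register).
APPROVED_CHANGES = {"+ip http server"}

# Hardening rules applied to every line the new config adds, planned or not.
WEAK_PATTERNS = {
    r"^snmp-server community (public|private)\b": "default SNMP community",
    r"^\s*transport input .*\btelnet\b": "Telnet enabled on VTY lines",
    r"^ip http server$": "plaintext HTTP management enabled",
    r"^username \S+ .*\bsecret 0 ": "plaintext credential in config",
}

def config_drift(baseline, current):
    """Line-level diff: '-' lines left the config, '+' lines were added."""
    old, new = baseline.splitlines(), current.splitlines()
    changes = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, old, new).get_opcodes():
        if tag in ("replace", "delete"):
            changes += ["-" + line for line in old[i1:i2]]
        if tag in ("replace", "insert"):
            changes += ["+" + line for line in new[j1:j2]]
    return changes

def assess(baseline, current, approved):
    """Split drift into planned/unplanned and flag weak settings it introduced."""
    changes = config_drift(baseline, current)
    planned = [c for c in changes if c in approved]
    unplanned = [c for c in changes if c not in approved]  # candidate IoCs
    findings = [(c[1:].strip(), desc) for c in changes if c[0] == "+"
                for pat, desc in WEAK_PATTERNS.items() if re.search(pat, c[1:])]
    return {"planned": planned, "unplanned": unplanned, "findings": findings}
```

Note that the approved `ip http server` change is still flagged by the hardening rules: a change being planned does not make it safe, which is why the new configuration is assessed in full rather than only the unplanned lines.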

Accurate automation tools are needed to provide enterprise-wide visibility of any misconfigurations. Even better, these tools should not only identify such security risks but also tell organizations how to correct them, thus expediting the hardening of the device and ensuring that it is less susceptible to any future CVEs.

So, whilst it is important to stay on top of vulnerabilities once CVEs are published, continuously ensuring network infrastructure configurations are hardened is one of the best preemptive defensive steps an organization can take.