When we talk about vulnerability assessments, we most likely think of operating systems, applications, laptops, workstations and servers, yet network devices are often overlooked. And that could become a problem. That is why it’s important to have a tool which scans your network and does a full vulnerability assessment of all your software and hardware.
Let’s take the Heartbleed vulnerability as an example. As with every other major vulnerability, I am sure most sys admins knew about it within days. Taking too long to become aware of an issue is a problem and increases the level of risk that an undiscovered vulnerability poses for a network infrastructure. A sys admin team cannot afford to wait for ‘days’ to do something about it.
There is no doubt that without automated tools an admin can still effectively tackle issues like Heartbleed. You can identify which services use OpenSSL and address them individually. You can disable/patch the web server, VPN, mail server, and so on. The question to ask, though, after you have addressed all these services individually, is: who will look around and think of the routers, the NASes and other network equipment that also make use of SSL and may therefore be vulnerable to that same flaw?
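To show what “identify which services use OpenSSL and address them individually” looks like when the inventory also covers network gear, here is an added example (not code from the original post or from GFI) that parses OpenSSL version strings and flags every asset, server or device alike, whose build falls in the Heartbleed-affected range (1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g and the 1.0.0/0.9.8 branches are not affected). The `Asset` class, the `INVENTORY` records and the host names are constructed sample data, not a real environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    """One inventory record (constructed for this example)."""
    host: str
    role: str
    openssl_version: Optional[str]  # None when the asset does not ship OpenSSL


def parse_openssl_version(v: str) -> Optional[Tuple[int, int, int, int, str]]:
    """Parse 'major.minor.fix[letter][-prerelease]' into a comparable tuple.

    OpenSSL patch releases are ordered by a trailing letter ('' < 'a' < 'b' ...),
    so the letter is mapped to a rank: none -> 0, 'a' -> 1, 'b' -> 2, and so on.
    Returns None when the string is not an OpenSSL-style version.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?", v.strip())
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    letter_rank = 0 if not letter else ord(letter[0]) - ord("a") + 1
    return int(major), int(minor), int(fix), letter_rank, (pre or "")


def is_heartbleed_affected(version: str) -> bool:
    """True for OpenSSL 1.0.1 .. 1.0.1f and 1.0.2-beta*; False otherwise."""
    t = parse_openssl_version(version)
    if t is None:
        return False  # unparseable: treat as unknown, not as vulnerable
    major, minor, fix, letter_rank, pre = t
    if (major, minor, fix) == (1, 0, 1):
        return letter_rank <= 6  # '' through 'f'; 'g' (rank 7) carries the fix
    if (major, minor, fix) == (1, 0, 2):
        return pre.startswith("beta")  # 1.0.2 betas were affected, 1.0.2 final was not
    return False


def affected_assets(inventory: List[Asset]) -> List[Tuple[str, str, str]]:
    """Return (host, role, version) for every asset in the affected range.

    The point of walking the whole inventory, rather than a server list, is that
    the printer and the NAS get the same treatment as the web server.
    """
    return [
        (a.host, a.role, a.openssl_version)
        for a in inventory
        if a.openssl_version and is_heartbleed_affected(a.openssl_version)
    ]


# Constructed sample inventory: roles and versions are illustrative only.
INVENTORY = [
    Asset("web01", "web server", "1.0.1g"),          # patched
    Asset("vpn01", "VPN gateway", "1.0.1e"),         # affected
    Asset("mail01", "mail server", "1.0.0l"),        # 1.0.0 branch, not affected
    Asset("prn-lobby", "network printer", "1.0.1c"), # affected, easy to overlook
    Asset("nas01", "NAS", "1.0.2-beta1"),            # affected beta build
    Asset("rtr-edge", "router", None),               # no OpenSSL on this asset
]


if __name__ == "__main__":
    for host, role, ver in affected_assets(INVENTORY):
        print(f"{host:10} {role:16} OpenSSL {ver}: needs patch or mitigation")
```

The version parser is the part worth keeping: comparing OpenSSL versions as plain strings gets the letter suffix wrong (“1.0.1g” is newer than “1.0.1f”, but a naive numeric compare ignores the letter entirely), and that is exactly the kind of mistake that leaves a device marked “fixed” when it is not.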
Tackling network security is an unfair business because security professionals need to think of and address everything. Attackers only need to find one thing that we overlooked and they have won. Just think about it. Wouldn’t all the effort you put into securing servers and services be completely useless if just one vulnerable Internet-facing printer is left active? Imagine what an attacker exploiting a vulnerability such as Heartbleed on a simple printer could do. The documents users print are stored in the printer’s memory, not to mention authentication credentials which are probably the same credentials used to access other network resources like file shares. At the end of the day, the network printer is just as valuable a target as the web server to any attacker seeking to steal information (or more).
This is where and why technology can make your life easier. With a network scanner such as GFI LanGuard, you and your team don’t need to think of everything as soon as a vulnerability is made public. With a network scanner you’d be alerted that the printer, for example, can be exploited. Even if a firmware update is not yet available, once you’re aware of the issue you can do something about it.
Do bear in mind that in most cases devices are just little computers in tiny packages designed to do a specific job. They can run the same operating system, the same software and the same services your workstations and servers might be running. They’re trimmed to be as lightweight as possible, but at the end of the day it’s still the same code. If a vulnerability affects a service on a workstation and that service is used in a device, then that device is vulnerable just as much as your other machines are.