The impact of exploitable misconfigurations on network security

Network professionals are confident in their security and compliance practices, but data suggests they are also leaving their organizations exposed to risk, and that exposure is costing significant revenue, according to Titania.

Additionally, some organizations do not effectively minimize their attack surface. Organizations prioritize firewall security and report a quick turnaround time to respond to misconfigurations when detected during annual audits. However, switches and routers are included in only 4% of audits, even though these devices play a critical role in reducing an organization’s attack surface and preventing lateral movement in the network.

Respondents also indicated that the financial resources allocated to mitigating network misconfigurations, which currently represent approximately 3.4% of the total IT budget, and a lack of accurate automation are limiting factors in managing misconfigurations.

Specifically, the study, which surveyed 160 senior cybersecurity decision makers in the U.S. military, federal government, oil and gas, telecommunications, and financial services sectors, found:

Misconfigurations cost organizations millions

Organizations said misconfigurations cost an average of 9% of their annual revenue, but the actual cost is likely to be higher. The good news is that a third find fewer than 50 a year, but the majority only audit their devices once a year. This means that misconfigurations, including those that could pose a critical security risk, could reside on the network for months or even years between audits, leaving the business vulnerable to attack. And although budgets increase every year, this has little to no impact on the volume of critical misconfigurations detected on networks.

Compliance is a top priority

75% of organizations across all industries said their business relies on compliance to ensure security. Almost all organizations reported meeting their security and compliance requirements. This, however, is at odds with a number of other survey findings and other reports that show a decline in the number of organizations maintaining full compliance with regulated data security standards. For example, a recent Verizon report showed that only 27.9% of global organizations maintained full compliance with PCI DSS in 2019, down for the third consecutive year.

Prioritizing remediation is a challenge

75% said their network security tools allow them to categorize and prioritize compliance risks “very effectively.” However, 70% report difficulty prioritizing remediation based on risk and also say imprecise automation is the biggest challenge in meeting security and compliance requirements.

Routers and switches are mostly overlooked

96% of organizations prioritize configuration and auditing of firewalls, but not routers or switches. This leaves these devices exposed to potentially significant and unidentified risks. Only 4% assess switches and routers as well as firewalls, devices which, according to Zero Trust best practices, are critical to preventing lateral movement on networks.

“What’s clear from this research is that misconfiguration risks impact the bottom line. Experienced network professionals prioritize compliance and feel confident about network security, but delivering it at scale and continuously is a major challenge,” said Phil Lewis, CEO of Titania.

“80% of network traffic is inside the perimeter and security best practices are evolving to reflect that protecting the perimeter of every segment of the network is important, but verifying device security inside the perimeter is equally important to mitigate insider threats from software, people, and traffic,” Lewis continued. “If organizations are to effectively minimize their attack surface, they must increase the cadence of risk assessments and remediation of all network devices. This is in line with one of the fundamental tenets of zero-trust security best practice, which is to verify, rather than believe devices are secure, every day. To truly minimize their risk and adhere to increasingly stringent compliance standards, adopting a zero-trust mindset will help companies develop more robust network security.”