
CVE and Beyond: Security Implications in Device Configuration

According to the latest Verizon Data Breach Investigations Report (DBIR), there has been a ‘180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach’, so it is not surprising that keeping on top of vulnerabilities is critically important. Organizations focus on both identifying and remediating them. Common Vulnerabilities and Exposures (CVE) identifiers are a valuable resource here: they highlight which specific, publicly known vulnerabilities affect a particular device and software version. Failing to track them can leave an organization open to attack, with all the financial and reputational penalties that might ensue.

But while CVE tracking helps identify vulnerabilities in software, it does not help with misconfigurations, which cannot be patched away. An error in a configuration can leave a device just as exposed as unpatched software, and the weakness will persist no matter how many times the device is patched.

Misconfigurations

Misconfigurations can be introduced accidentally or through malicious action. Routers, switches and firewalls that are not configured correctly can leave the network exposed to attack. Recognizing when a configuration has changed is also a useful indicator of compromise (IOC) if the change was not authorized.

The recent discussions around the Volt Typhoon intrusions have highlighted the importance of network device security. With attackers targeting routers and ‘living off the land’, using the devices’ built-in tools to escalate privileges and move across networks, checking device configurations becomes all the more important. Attacks like these can change device configurations in ways that a vulnerability scan will not pick up. And because some exploits need both a vulnerability and a misconfiguration to succeed, promptly fixing configuration errors alongside the CVE can stop a threat before it becomes an attack. Configuring devices securely can greatly limit the impact of a CVE, or remove the exposure altogether, for example where the vulnerable service is disabled or reachable only from a dedicated management network.

Continuous Monitoring

A key method of hardening a network’s defenses and detecting potential indicators of compromise is to continuously monitor routers, switches and firewalls for both misconfigurations and outstanding CVEs.

Demand for risk-based vulnerability management automation is higher than ever following a sharp rise in threats to organizations’ networks in recent years. Facing potentially thousands of vulnerabilities across their networks, organizations need accurate insight into their level of exposure and which risks to remediate first, so they can minimize their attack surface and protect critical networks from real-world threats.

Nipper Enterprise does this by detecting configuration drift: it gives immediate awareness of any device configuration change and alerts on unplanned changes (potential indicators of compromise), because a device that was deemed secure yesterday might not be today. It also provides assurance that planned network changes have not introduced new vulnerabilities.

Nipper Enterprise

Nipper Enterprise provides segment-by-segment visibility of critical IOCs and attack surface posture. Network defenders and threat hunters can search Nipper Enterprise’s findings by the specific tactics, techniques and procedures (TTPs) that a known advanced persistent threat (APT) is likely to have used to gain access and spread through the network. This helps these teams determine which paths an attacker could take, which they would be likely to prioritize, and so expedite efforts to find and evict the adversary before they reach sensitive information.

Nipper Enterprise’s findings data can be easily exported and shared with network owners and defenders, who can use the results to define and prioritize their remediation and mitigation efforts to deter, disrupt, and defeat APT activity based on risk exposure. Where possible, Nipper Enterprise’s findings include device-specific remediation advice, which expedites network hardening and helps ensure continuous compliance with military and industry regulations.

Take, for example, a best-practice security audit or a DISA STIG assessment of routers, switches and firewalls with Nipper Enterprise. It highlights where a device is configured insecurely, for instance where Clear Text Web Administration (HTTP) is enabled. This is reported as a failed check, and the report explains how best to remediate it, as shown below.

[Screenshot: Nipper Enterprise report showing the Clear Text Web Administration (HTTP) finding and its remediation advice]

But this shows the results for only one device. Nipper Enterprise can assess hundreds of devices and present the results through a MITRE ATT&CK dashboard, where misconfigurations and vulnerabilities are mapped against TTPs and color-coded according to the severity of the issue. This lets network owners see the risks to their network through an attacker’s lens. You can then drill down on a specific TTP to see which segments and devices are susceptible to it, enabling risk-based prioritization of misconfiguration mitigation according to exposure to specific types of attack.

[Screenshot: Nipper Enterprise MITRE ATT&CK dashboard mapping misconfigurations and vulnerabilities to TTPs]
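The HTTP finding above and the configuration drift detection described under Continuous Monitoring, as an added example in Python (this is not Nipper Enterprise’s code and not how the product implements its checks): it diffs a device’s running config against an approved baseline, flags unapproved drift as a potential IOC, runs a small rule set for clear-text administration services, and groups the failed checks by ATT&CK technique. The two Cisco IOS-style config snapshots, the rule set, the Telnet rule, the technique mapping and the remediation wording are all constructed for the example.

```python
"""Added example, not Nipper Enterprise's code: misconfiguration checks and
configuration-drift detection over Cisco IOS-style running configs.

Everything here is constructed for illustration: both config snapshots, the
rule set (the HTTP finding's title follows the blog post; the Telnet rule and
the ATT&CK technique mapping are this example's own assumptions) and the
remediation text."""
import difflib
import hashlib
import re

# Constructed baseline: the config as approved after the last authorised change.
BASELINE_CONFIG = """\
hostname edge-rtr-01
no ip http server
ip http secure-server
username netadmin privilege 15 secret 9 $9$<hash>
line vty 0 4
 transport input ssh
"""

# Constructed "today" snapshot: HTTP admin re-enabled, an extra privilege-15
# account added, and Telnet allowed on the VTY lines.
CURRENT_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username netadmin privilege 15 secret 9 $9$<hash>
username support privilege 15 secret 9 $9$<hash2>
line vty 0 4
 transport input telnet ssh
"""

# Hypothetical rule set: (regex for the insecure line, finding title,
# ATT&CK technique the weakness exposes the device to, remediation advice).
MISCONFIG_RULES = [
    (re.compile(r"^ip http server$", re.M),
     "Clear Text Web Administration (HTTP) enabled",
     "T1040 Network Sniffing",
     "Disable with 'no ip http server'; keep 'ip http secure-server' if web "
     "administration is required."),
    (re.compile(r"^\s*transport input .*\btelnet\b.*$", re.M),
     "Clear Text Remote Administration (Telnet) allowed",
     "T1040 Network Sniffing",
     "Restrict the VTY lines with 'transport input ssh'."),
]


def config_fingerprint(config: str) -> str:
    """SHA-256 over the normalised config; a changed digest means drift."""
    lines = [line.rstrip() for line in config.splitlines() if line.strip()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def find_misconfigurations(config: str) -> list[dict]:
    """Run every rule over the config; each match is a failed check."""
    findings = []
    for pattern, title, technique, remediation in MISCONFIG_RULES:
        for match in pattern.finditer(config):
            findings.append({"check": title, "technique": technique,
                             "line": match.group(0).strip(),
                             "remediation": remediation})
    return findings


def detect_drift(baseline: str, current: str) -> list[str]:
    """Config lines added (+) or removed (-) since the baseline, no context."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                "baseline", "current", n=0, lineterm="")
    return [line for line in diff
            if line.startswith(("+", "-"))
            and not line.startswith(("+++ ", "--- "))]


def findings_by_technique(findings: list[dict]) -> dict[str, list[str]]:
    """Group failed checks under the ATT&CK technique they expose the device
    to, the same view a TTP-oriented dashboard gives across many devices."""
    grouped: dict[str, list[str]] = {}
    for finding in findings:
        grouped.setdefault(finding["technique"], []).append(finding["check"])
    return grouped


def assess(baseline: str, current: str, change_approved: bool = False) -> dict:
    """Combine drift detection and misconfiguration checks into one verdict.
    Drift with no approved change request is flagged as a potential IOC."""
    drift = detect_drift(baseline, current)
    findings = find_misconfigurations(current)
    return {
        "drifted": config_fingerprint(baseline) != config_fingerprint(current),
        "ioc": bool(drift) and not change_approved,
        "drift_lines": drift,
        "findings": findings,
        "by_technique": findings_by_technique(findings),
    }


if __name__ == "__main__":
    result = assess(BASELINE_CONFIG, CURRENT_CONFIG)
    print(f"drifted={result['drifted']} ioc={result['ioc']}")
    for line in result["drift_lines"]:
        print("  drift:", line)
    for f in result["findings"]:
        print(f"  FAIL [{f['technique']}] {f['check']}: {f['line']!r}")
        print(f"       fix: {f['remediation']}")
```

Run against the constructed snapshots, the script reports five drifted lines (HTTP re-enabled, a new privilege-15 user, Telnet added to the VTYs), marks the device as a potential IOC because no change was approved, and fails both clear-text administration checks; passing `change_approved=True` keeps the failed checks but clears the IOC flag, which is the distinction between planned and unplanned change the post draws.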

Network owners can use Nipper Enterprise to increase the coverage and cadence of assessments and gain immediate awareness of any device configuration changes, evidence continuous compliance with military and industry regulations, and minimize their attack surface via MITRE ATT&CK® misconfiguration prioritization.

To learn more visit the Nipper Enterprise page
