A recent survey by a networking integrator found most devices had known vulnerabilities, which one analyst blames on complacency.
Dimension Data Holdings plc of Johannesburg, South Africa, recently published a report, titled Network Barometer, based on assessments of 152 clients worldwide. Overall, the company found 73 per cent of networking devices were running with known security vulnerabilities.
Dimension Data, whose services include network assessments, resells equipment made by San Jose, Calif.-based Cisco Systems Inc. The vulnerabilities discovered were software vulnerabilities identified by Cisco’s product security incident response team, according to the report.
Most of Dimension Data’s clients were in the enterprise class, with more than 2,500 users.
In its customer assessments, Dimension Data found many devices were not configured in accordance with “best practices,” such as passwords, said Darryl Wilson, area practice director for Dimension Data Canada.
The enterprises surveyed had an average of 31 “configuration issues” per device, using standards set by Cisco, the U.S. National Security Agency and the Payment Card Industry Data Security Standard (PCI DSS).
“I might be tempted to think that might be a touch on the low side,” said James Quin, senior research analyst at the Info-Tech Research Group of London, Ont. “Networking equipment tends to be pretty set and forget for most organizations, particularly when it comes to switches and routers, because once you’ve built the network, it tends to stay relatively the same,” Quin said. “You’re not changing things on a regular basis.”
Quin added Info-Tech does not have similar data but he “wholeheartedly” agrees companies have configuration issues with their networking equipment. As for Dimension Data’s finding that 73 per cent have known vulnerabilities, Quin said that “sounds a touch high” but he agrees there is a problem due to a larger focus on operating system vulnerabilities.
The Dimension Data survey found that 71 per cent of enterprises had at least one vulnerability identified by the Cisco PSIRT, but nearly 100 per cent of small firms (defined as those with fewer than 100 users) had at least one known vulnerability.
Results also varied by industry. While 61 per cent of service providers and telecommunications firms had known security vulnerabilities, the figure was 92 per cent for automotive and manufacturing and 65 per cent for financial services.