CISOs concerned about network security would be well advised to start with the routers they and their employees use to get online, based on the results of a new device audit that found 5 out of every 6 routers are inadequately updated to address potentially critical security vulnerabilities.
The American Consumer Institute Center for Citizen Research conducted an audit of 186 Wi-Fi routers from 14 different manufacturers, using Insignary’s Clarity application to scan the embedded firmware for unpatched security vulnerabilities.
Fully 83 percent of examined routers were found to have known vulnerabilities in their code, with an average of 186 vulnerabilities per router.
Based on National Vulnerability Database rankings, 60 percent of identified vulnerabilities were rated as being of medium severity, with 21 percent high-severity bugs and 7 percent assessed as being of critical severity.
Echoing regularly-identified issues with apps for Google’s Android operating system, the report warned that vendors’ frequent usage of open-source code had left many routers exposed.
This was due to the frequency with which new vulnerabilities were being discovered; vendors’ often-slow response in patching them; and users’ generally poor discipline around applying available patches.
This last point had left routers particularly exposed because generally-poor updating techniques had left security updates entirely dependent on actions by users that “rarely think about installing updates on their devices or are not even aware of potential security vulnerabilities”, the report noted.
Bringing the threat home
Poor or non-existent patching habits had left routers exposed to clever malware such as VPNFilter – which, Cisco researchers recently revealed, contains a number of new techniques for infecting computers behind the devices.
With routers serving as the central point for connectivity to increasingly connected homes and offices – and, collectively, smart cities – such deficient practices are rapidly expanding the threat surface for the average enterprise.
Symantec’s latest Internet Security Threat Report, for one, noted that routers are the most frequently-exploited device in Internet of Things (IoT) attacks, comprising 33.6 percent of attacks, and warned that “individuals and organizations would be wise to avoid any network that does not accurately and securely perform the connection services originally requested by the user and the device.”
Such avoidance is easy in theory but becomes difficult in practice – and this divide may help explain why so many CISOs still don’t think their cybersecurity strategies are providing the protection that they’re supposed to.
Fully 48 percent of respondents to a recent Ericom Software survey, for example, named ‘improving endpoint security’ as their top security goal and 29 percent said they were focused on becoming compliant with mandatory regulations.
Both of these goals become harder when persistent vulnerabilities continue to challenge assertions of good security governance. Indeed, while 90 percent of respondents to the Ericom survey said they have an active cybersecurity strategy in place, almost half were less than ‘very confident’ that their security strategy was enough to block Internet-borne threats.
IoT devices’ poor security postures haven’t helped, with the US NIST recently offering 17 reasons why it still can’t trust or certify IoT devices. This leaves CISOs and home users largely on their own in managing the exposures that their inconsistently-secure network equipment presents to enterprise environments.