Top 10 Network Vulnerabilities

This report lists the ten most common vulnerabilities found in the analysis of the collected data. Recommendations are also made to help enterprises apply proper remediation and common security practices to achieve regulatory compliance.

Top 10 Vulnerabilities (percentage of assessments in which the vulnerability was found)

 1. SSL Server Has SSL v2 Enabled - 71.3%
 2. Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerabilities - 54.3%
 3. Account Brute Force Possible Through IIS NTLM Authentication Scheme - 52.3%
 4. SSL Server Supports Weak Encryption Vulnerability - 50.8%
 5. Microsoft IIS Authentication Method Disclosure Vulnerabilities - 39.9%
 6. Microsoft IIS Internal IP Address/Internal Network Name Disclosure Vulnerability - 31.0%
 7. TCP Sequence Number Approximation Based Denial of Service - 30.2%
 8. WebDAV HTTP Method 'PROPFIND' Enabled - 25.2%
 9. ICMP Timestamp Request - 22.5%
10. Netscape/OpenSSL Cipher Forcing Bug - 20.5%

From the results, one could argue that Microsoft products are more vulnerable than those of other vendors. This may be true in part, because attackers usually invest their resources in software that is commonly deployed. In our survey, certain Microsoft vulnerabilities occur comparatively more often because Microsoft products are extensively deployed in Hong Kong. Our results therefore cannot be taken as an indication that Microsoft is more vulnerable; rather, they reflect the popularity of Microsoft products in Hong Kong.

Threats and Impacts

HiTRUST consultants have responded to numerous assessments and even incidents. The majority are related to the vulnerabilities above, which are caused mainly by improper application of the SSL protocol and by the default server configurations set by vendors. The threats and impacts posed could be serious to companies' network security and reputation, as follows:

Disclosure of Sensitive Communication - Messages encrypted with a weak cipher are easy to decrypt. Flaws in the SSL v2 protocol allow a man-in-the-middle attacker to force the communication down to a less secure level and then attempt to break the weak encryption. Even worse, some companies allow server authentication credentials to be transmitted in plaintext over the network without any encryption.

Brute Force Attacks - NTLM authentication, enabled by default on the Microsoft IIS Web Server, allows a remote user to perform account brute force by requesting a non-existent HTTP resource and an existing HTTP resource that does not actually require authentication.

Exposure of Internal IP Address or Internal Network Name - A vulnerability in the default installation of IIS discloses the company's internal IP address or internal network name. Successful exploitation of this vulnerability could assist further attacks against the target host.

Disclosure of Authentication Method - When a valid authentication request is submitted with an invalid username and password, an error message is returned. The authentication methods supported by a given IIS server can be revealed to an attacker by inspecting the returned error messages. This information can then be used in further targeted attacks against the server, or in a brute force password attack against a known username.

Denial of Service on Web Server - Some TCP implementations on the target host may allow an attacker to make a successful approximation of an acceptable TCP sequence number. This permits a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial of service attacks. Other consequences may also result, such as man-in-the-middle attacks.

Cross-Site Tracing - If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross-site scripting attacks caused by input validation errors.

Compromise of Confidential Information - HTTP and the WebDAV extension allow file information to be retrieved remotely from the Web server. If access is not restricted, anyone can retrieve information (such as directory listings) from the Web server. In addition, the cipher forcing bug may also result in disclosure of sensitive information.

Exposure of Internal System Clock for Attacks - Unauthorized users can obtain information about your network by sending ICMP timestamp request packets. The internal system clock should not be disclosed, since some internal daemons use this value to calculate IDs or sequence numbers (e.g., on SunOS servers).
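As an added example (not part of the HiTRUST report), the following Python script runs a detection pass over constructed IIS W3C log lines for three of the findings above: TRACE/TRACK requests, PROPFIND requests, and repeated failed logins against one account from one client. The sample records, the field layout and the brute-force threshold are assumptions.

```python
# Added example (not from the report): offline detection over IIS W3C log lines
# for the findings above: TRACE/TRACK (cross-site tracing), PROPFIND (WebDAV
# enabled) and repeated 401s from one client against one account (NTLM brute force).
from collections import Counter

# Constructed sample in IIS W3C extended format; field order comes from the
# "#Fields:" header. W3C logging writes spaces inside a value as "+", so
# splitting on whitespace is safe.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2005-03-01 10:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 200
2005-03-01 10:00:02 10.0.0.5 TRACE / - 80 - 192.0.2.20 200
2005-03-01 10:00:03 10.0.0.5 PROPFIND /docs/ - 80 - 192.0.2.20 207
2005-03-01 10:00:04 10.0.0.5 GET /secure/ - 80 administrator 192.0.2.30 401
2005-03-01 10:00:05 10.0.0.5 GET /secure/ - 80 administrator 192.0.2.30 401
2005-03-01 10:00:06 10.0.0.5 GET /secure/ - 80 administrator 192.0.2.30 401
2005-03-01 10:00:07 10.0.0.5 GET /secure/ - 80 administrator 192.0.2.30 401
2005-03-01 10:00:08 10.0.0.5 GET /secure/ - 80 - 192.0.2.30 401
"""

RISKY_METHODS = {"TRACE": "cross-site tracing", "TRACK": "cross-site tracing",
                 "PROPFIND": "WebDAV method enabled"}
BRUTE_FORCE_THRESHOLD = 3  # assumed value; tune to the site's normal failure rate


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def detect(text, threshold=BRUTE_FORCE_THRESHOLD):
    """Return a list of (finding, client_ip, detail) tuples."""
    findings = []
    failures = Counter()
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        if method in RISKY_METHODS:
            findings.append((RISKY_METHODS[method], rec["c-ip"], f"{method} {rec['cs-uri-stem']}"))
        # A 401 carrying a username is a failed credential attempt; the initial
        # NTLM challenge logs "-" as the username and is ignored.
        if rec["sc-status"] == "401" and rec["cs-username"] != "-":
            failures[(rec["c-ip"], rec["cs-username"])] += 1
    for (ip, user), n in failures.items():
        if n >= threshold:
            findings.append(("possible NTLM brute force", ip, f"{n} failed logins for {user}"))
    return findings
```

Run `detect(SAMPLE_LOG)` on the sample to get one finding per flagged method request plus one brute-force finding for the administrator account.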

Copyright © 2005 HiTRUST.COM (HK) Inc., Ltd.