Most corporate networks carry known security vulnerability

Over 73 percent of corporate network
devices analysed by Dimension Data during 2010 were carrying at least one known
security vulnerability.


This is almost double the 38 percent
recorded in 2009. The data also revealed that a single higher risk
vulnerability – PSIRT 109444 – which was identified by Cisco in September 2009,
was found in a staggering 66 percent of all devices, and was responsible for
this jump. If PSIRT 109444 was taken out of the equation, the next four
vulnerabilities were found in less than 20 percent of all devices; suggesting
that organisations are trying to improve in terms of remediation.



These are some of the key findings
in the Network Barometer Report 2011 published today by the global specialist
IT services and solutions provider. The Report covers aggregate data compiled
from 270 Technology Lifecycle Management (TLM) Assessments conducted in
2010 worldwide by the Group for organisations of all sizes across all industry
sectors. It reviews the networks’ readiness to support business by evaluating
the configuration variance from best practices, potential security
vulnerabilities, and end-of-life status of those network devices, according to
the Dimension Data


“Despite the pressure from
regulatory bodies, consumers and their executives to protect customer
information and privacy, as well as sensitive business information from both
cyber criminals and competitors, many organisations still do not have
consistent and complete visibility of their technology estates,” said Matthew
Gyde, general manager for Network Integration, Dimension Data Asia Pacific.


“In fact, previous research not
related to the Network Barometer Report carried out by Dimension Data found
that clients are unaware of as much as 25% of their networking devices,” Gyde


The prevalence of PSIRT 109444
illustrates that a pervasive threat can occur literally overnight. It only
takes one vulnerability to expose the entire organisation to a security breach,
so organisations must do much more to protect themselves. This includes
increasing the number of regular network scans to ensure that any vulnerability
is picked up before it causes serious business continuity, compliance failure,
or reputational damage.


On the other hand, the total percentage of network devices which have passed
last-day-of-support (LDoS) has dropped from 31 percent in 2009 to 9 percent in
2010. However, the total amount of technology late in the obsolescence phase
remains high, with the percentage of devices in late stage end-of-life sitting
at a substantial 47 percent.


It is not definite that the drop in the percentage of devices beyond LDoS means
that organisations are choosing to push certain assets past a certain lifecycle
stage. However, the results certainly suggest that clients are more aware of
their network assets and are refreshing those devices where risk is greatest.
The assertion that older devices are at higher risk of security breaches is
acknowledged by standards and compliance bodies.


When organisations detect a critical asset past end-of-software maintenance, they’re
not likely to have access to the latest vendor-supplied security patches.
Failure to apply patches would be a direct violation of many compliance
standards, including the Payment Card Industry Data Security Standard (PCI
DSS). Then the door is open to security breaches, litigation, punitive damages
and even reputational loss.


Organisations need to know where the assets are, what they do, and what the implications are
when any one of them breaks and becomes unsupportable. In order to achieve
this, visibility into the lifecycle status of their assets is critical, so that
their age and viability can be properly assessed. 
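The figures the report works with (share of devices carrying at least one known vulnerability, prevalence of a single dominant advisory, share of devices past last-day-of-support or past end-of-software maintenance) all fall out of one joined view of an asset inventory and an advisory catalogue. The script below is an added illustration of that analysis; it is not Dimension Data's assessment tooling or the report's data. The device inventory, the advisory ids (ADV-001 to ADV-003), their affected-version sets and the assessment date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    hostname: str
    software: str          # running software version string (constructed)
    end_of_sw_maint: date  # last date the vendor ships security patches
    ldos: date             # last day of support


# Constructed advisory catalogue: advisory id -> software versions it affects.
# Ids and version strings are invented for this example, not real advisories.
ADVISORIES = {
    "ADV-001": {"12.4(15)", "12.4(23)", "15.0(1)"},
    "ADV-002": {"12.4(15)"},
    "ADV-003": {"15.0(1)"},
}

# Constructed inventory, shaped like an assessment tool's export.
INVENTORY = [
    Device("core-sw-01", "12.4(15)", date(2010, 3, 31), date(2012, 3, 31)),
    Device("core-sw-02", "15.1(2)", date(2014, 1, 1), date(2016, 1, 1)),
    Device("edge-rtr-01", "12.4(23)", date(2011, 12, 31), date(2013, 12, 31)),
    Device("edge-rtr-02", "15.0(1)", date(2012, 6, 30), date(2014, 6, 30)),
    Device("branch-rtr-01", "12.2(25)", date(2008, 1, 1), date(2010, 1, 1)),
    Device("dc-fw-01", "12.4(15)", date(2009, 6, 30), date(2011, 3, 31)),
]

ASSESSMENT_DATE = date(2011, 6, 1)  # constructed "today" for the lifecycle checks


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 for an empty inventory."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def affected_advisories(dev, advisories=ADVISORIES):
    """Advisory ids whose affected-version set includes the device's software."""
    return sorted(adv for adv, versions in advisories.items() if dev.software in versions)


def prevalence(inventory, advisories=ADVISORIES):
    """Share of devices carrying each advisory, most widespread first."""
    counts = {adv: 0 for adv in advisories}
    for dev in inventory:
        for adv in affected_advisories(dev, advisories):
            counts[adv] += 1
    rows = [(adv, pct(c, len(inventory))) for adv, c in counts.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def pct_with_any_vuln(inventory, advisories=ADVISORIES, exclude=()):
    """Share of devices with at least one advisory. `exclude` drops advisory ids
    from consideration, the report's 'take it out of the equation' view."""
    subset = {adv: v for adv, v in advisories.items() if adv not in exclude}
    hit = sum(1 for dev in inventory if affected_advisories(dev, subset))
    return pct(hit, len(inventory))


def lifecycle_summary(inventory, today=ASSESSMENT_DATE):
    """Devices past last-day-of-support, and devices past end-of-software
    maintenance (no vendor patches available), as name lists plus percentages."""
    past_ldos = sorted(d.hostname for d in inventory if d.ldos < today)
    unpatchable = sorted(d.hostname for d in inventory if d.end_of_sw_maint < today)
    return {
        "past_ldos": past_ldos,
        "pct_past_ldos": pct(len(past_ldos), len(inventory)),
        "unpatchable": unpatchable,
        "pct_unpatchable": pct(len(unpatchable), len(inventory)),
    }


def highest_risk(inventory, advisories=ADVISORIES, today=ASSESSMENT_DATE):
    """Devices that carry a known advisory AND can no longer receive vendor
    patches: the combination the article flags as breach and compliance exposure."""
    return sorted(
        d.hostname for d in inventory
        if d.end_of_sw_maint < today and affected_advisories(d, advisories)
    )


if __name__ == "__main__":
    print("with >=1 advisory:", pct_with_any_vuln(INVENTORY), "%")
    top = prevalence(INVENTORY)[0][0]
    print(f"excluding {top}:", pct_with_any_vuln(INVENTORY, exclude={top}), "%")
    print("prevalence:", prevalence(INVENTORY))
    print("lifecycle:", lifecycle_summary(INVENTORY))
    print("patch-less and vulnerable:", highest_risk(INVENTORY))
```

Running it against the constructed data reproduces the kind of comparison the report draws: one advisory dominates the "at least one vulnerability" figure, and removing it from the calculation shows how much of the exposure the remaining advisories account for. The `highest_risk` list is the slice worth remediating first, since a device past end-of-software maintenance has no patch path for the advisory it carries.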


By Team
