As much as we rely on firewalls to protect enterprise assets, information security is not just about creating that impenetrable outer shell. It's also about looking at all of your IT risks across the board. From internal systems, out to the cloud, and everything in between, there's a myriad of security risks that you have to consider beyond what your traditional firewall is doing at the perimeter and between network segments.
In my work as a security consultant, here are the top 9 risks, all unrelated to firewalls, that I regularly see:
- Web and mobile app flaws, especially when the communications channel is encrypted with TLS
- Missing patches – especially third-party software patches that facilitate both well-known and zero-day attacks
- Poor malware protection combined with little to no network visibility
- Users haphazardly clicking links they shouldn’t and, furthermore, providing sensitive information such as network login credentials
- Unprotected mobile devices housing – and exposing – sensitive information in emails, apps, and poorly-configured mobile operating systems
- Weak passwords throughout the network that either fall through the cracks of policy enforcement (i.e. outside of the Windows domain policy) or that are known to be weak but aren’t changed because executives don’t want to hear user complaints
- Inadequate authentication, i.e. no two-factor authentication on critical business applications and management systems, leaving logins that can be easily cracked or bypassed altogether
- Misconfigured network shares housing sensitive information that provide unfettered access to all network users
- Physical security control system flaws that provide network users access to security cameras and badge access systems
Certainly firewalls can help limit the outcomes when these vulnerabilities are exploited, e.g. denial of service attacks brought about by malware infections and missing patches, or high bandwidth usage related to SQL injection database dumps and the like, but that's on the reactive side of security and that's not where you want to be.
Step back and take a look at your overall network environment. While there are likely going to be literally thousands of potential risks, it won't take long to uncover the big ones that impact your business the most. Every organization will have a different set of issues and will have to deal with (or accept) them on its own terms. Risk tolerance is everything, but make sure you have good information on which to base your security decisions.
Security risks are everywhere. How do you handle them beyond your traditional firewall controls? Odds are you’re not as prepared as you think you are.