Adding the age of networking devices into a security risk assessment

Recent data shows that more than 50% of all networking devices are aging or obsolete and pose a security risk to the enterprise. Expert Kevin Beaver discusses how to factor device age into a security risk assessment.

According to a recent Dimension Data survey, more than half of all networking devices are either aging or already obsolete, meaning they pose a security risk. How should our organization factor age of a device (and the level of support provided by the vendor) into evaluating whether it's secure?

Interesting findings by Dimension Data indeed -- they're not all that different from the fact that the now unsupported Windows XP still exists in enterprises -- and in large numbers.

I think what we're seeing here is the maturation of networks and IT in general, and the stagnation of solutions for doing something about the associated security flaws. It underscores the two long-time challenges of information security:

1. Lack of a risk-based approach

2. Not enough support and budget from management to get systems to where they need to be

Some may view these network device flaws as a mere bump in the road when looking at the big picture, and that may be true. But only you'll know given your specific situation. Those bumps in the road can not only throw your security out of alignment, but also upset your program's balance so much that you end up in a ditch. Think Heartbleed, denial-of-service attacks and the like -- when network systems are left unsecured, something will happen eventually. It might not be a direct information loss, but it could take your network down.

The important thing to factor into a security risk assessment is not only the age of a device but also the general level of risk it poses to the network and the business as a whole. This includes known and easily exploitable vulnerabilities, whether or not the manufacturer is still providing updates, and whether or not your maintenance agreement has run out. Everything is fair game for attack, including boring old routers, switches and seemingly resilient firewalls. That said, just because a system is old or because a thousand stars have to align in order for an attacker to exploit a flaw for ill-gotten gains doesn't mean it has to be replaced.

There's also the issue of now outdated physical security systems on many enterprise networks waiting to be exploited. Find out where things stand with security and then take the proper steps to implement compensating controls; otherwise, you're going to have to live with the associated risks. That may be OK; just make sure management is making the final decision.


This was last published in September 2014
