According to a recent Dimension Data survey, more than half of all networking devices are either aging or already obsolete, meaning they pose a security risk. How should our organization factor age of a device (and the level of support provided by the vendor) into evaluating whether it's secure?
Interesting findings by Dimension Data indeed -- they're not all that different from the fact that the now unsupported Windows XP still exists in enterprises -- and in large numbers.
I think what we're seeing here is the maturation of networks and IT in general, and the stagnation of solutions for doing something about the associated security flaws. It underscores the two long-time challenges of information security:
1. Lack of a risk-based approach
2. Not enough support and budget from management to get systems to where they need to be
Some may view these network device flaws as a mere bump in the road when looking at the big picture, and that may be true. But only you'll know given your specific situation. Those bumps in the road can not only throw your security out of alignment, but also upset your program's balance so much that you end up in a ditch. Think Heartbleed, denial-of-service attacks and the like -- when network systems are left unsecured, something will happen eventually. It might not be a direct information loss, but it could take your network down.
The important thing to factor into a security risk assessment is not only the age of a device but also the general level of risk it poses to the network and the business as a whole. This includes known and easily exploitable vulnerabilities, whether or not the manufacturer is still providing updates, and whether or not your maintenance agreement has run out. Everything is fair game for attack, including boring old routers, switches and seemingly resilient firewalls. That said, just because a system is old, or because a thousand stars have to align in order for an attacker to exploit a flaw for ill-gotten gains, doesn't mean it has to be replaced.
There's also the issue of now outdated physical security systems on many enterprise networks waiting to be exploited. Find out where things stand with security and then take the proper steps to implement compensating controls, otherwise you're going to have to live with the associated risks. That may be OK; just make sure management is making the final decision.
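As an added illustration of the risk-based triage described in the answer (this is example code, not from the original page or its author), the script below scores each device in a small constructed inventory on the factors named above: whether the vendor still ships fixes, whether a maintenance agreement is active, how many known exploitable flaws it carries, whether it is internet facing, and whether compensating controls already exist. The device names, dates, vulnerability counts and weights are all assumptions made up for the example; age alone never triggers a "replace" recommendation, only an unsupported device with a known exploitable flaw and no compensating control does.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Device:
    name: str
    role: str                              # "router", "switch", "firewall", ...
    vendor_support_ends: Optional[date]    # None = no published end-of-support date
    maintenance_ends: Optional[date]       # None = no contract on file
    exploitable_vulns: int                 # known flaws with a public exploit
    internet_facing: bool
    compensating_controls: bool            # ACLs, segmentation, monitoring already applied


@dataclass
class Assessment:
    device: str
    score: int
    reasons: List[str]
    action: str


# Weights are assumptions for this example, not an industry standard.
W_VENDOR_UNSUPPORTED = 3
W_MAINTENANCE_EXPIRED = 1
W_PER_EXPLOITABLE_VULN = 2
W_INTERNET_FACING = 2
W_CONTROLS_CREDIT = -2


def assess(dev: Device, today: date) -> Assessment:
    """Score one device and decide replace / compensate / accept."""
    score = 0
    reasons = []
    unsupported = dev.vendor_support_ends is not None and dev.vendor_support_ends < today
    if unsupported:
        score += W_VENDOR_UNSUPPORTED
        reasons.append("vendor no longer provides updates")
    if dev.maintenance_ends is None or dev.maintenance_ends < today:
        score += W_MAINTENANCE_EXPIRED
        reasons.append("no active maintenance agreement")
    if dev.exploitable_vulns:
        score += W_PER_EXPLOITABLE_VULN * dev.exploitable_vulns
        reasons.append(f"{dev.exploitable_vulns} known exploitable vuln(s)")
    if dev.internet_facing:
        score += W_INTERNET_FACING
        reasons.append("internet facing")
    if dev.compensating_controls:
        score += W_CONTROLS_CREDIT
        reasons.append("compensating controls in place")
    score = max(score, 0)

    # Old by itself is not a reason to replace; unsupported plus exploitable is.
    if unsupported and dev.exploitable_vulns and not dev.compensating_controls:
        action = "replace or isolate now"
    elif score >= 4:
        action = "add compensating controls; management accepts residual risk"
    else:
        action = "accept risk; re-check at next review"
    return Assessment(dev.name, score, reasons, action)


def triage(devices: List[Device], today: date) -> List[Assessment]:
    """Rank an inventory highest risk first."""
    return sorted((assess(d, today) for d in devices), key=lambda a: a.score, reverse=True)


# Constructed sample inventory (hypothetical devices and dates).
TODAY = date(2018, 6, 1)
SAMPLE = [
    Device("edge-fw-1", "firewall", date(2017, 6, 30), None, 1, True, False),
    Device("core-sw-2", "switch", date(2022, 1, 1), date(2019, 12, 31), 0, False, True),
    Device("branch-rtr-3", "router", date(2016, 1, 1), None, 0, True, False),
]

if __name__ == "__main__":
    for a in triage(SAMPLE, TODAY):
        print(f"{a.device:14} score={a.score:2}  {a.action}  [{'; '.join(a.reasons)}]")
```

The scoring is deliberately coarse; the point is that each line of the output carries the reasons behind the number, so the decision to replace, compensate or accept can be put in front of management with the evidence attached.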