At the end of last week, SEC Consult Vulnerability Lab issued a security advisory for several Barracuda Networks devices regarding an undocumented backdoor in the firmware that enables an attacker to gain administrative rights to the appliances via SSH from certain ranges of public IP addresses and logging in with a pre-defined
username and password. While Barracuda quickly released a patch for this vulnerability, this raises the importance of defining and reporting on baseline security device configurations.
“…You lying so low in the weeds
I bet you gonna ambush me…”
– Lyrics from Heart’s Barracuda
Implementing the right security tools and policies are certainly important when it comes to defending the network, but if your devices are out of date or improperly configured, your network may be exposed to greater risk of a cyber-attack. Attackers search for holes in the network – firewalls, routers, and other security devices – and exploit those gaps to penetrate defenses, which is why the SANS Institute lists network security device configurations as one of its Critical Controls (Critical Control #10).
Being able to run configuration checks on your security devices is a key method for minimizing your network’s attack surface. Some organizations run manual device configuration checks, but these are error-prone and add significant operational burden and cost. Whether its an out-of-date OS on a router or a backdoor, these configuration lapses give the bad guys an opening, so you should raise the level of priority of secure device configuration within your organization.
If you can automatically generate reports that compare device configurations to pre-defined baseline profiles developed from security best practices as well as your corporate policy, then you have taken the next step (and there are solutions out there to help with this). Automated configuration checks provide you with the necessary visibility and control to immediately identify and mitigate network device configuration risks – without putting a big strain on your IT resources.
Morale of the story here is don’t make it easy on the bad guys to gain unauthorized access to your networks and information!
Receive notifications of new posts by email.
We don not ask your personal information to access any of our resources.