Three common factors emerges when dealing with network security, these are vulnerability, threat, and attack.
An experienced hacker knows that every network or device has a certain degree of vulnerability or weakness, and they take advantages of each security weakness or loophole to exploit the network. A Computer network hackers work round the clock in search of unsecured networks or devices to exploit. These includes routers, switches, desktops, servers, and even security devices.
They use variety of tools, programs and scripts to accomplish these threats. The primary network vulnerabilities or weaknesses are:
Technological, Configuration and Security policy weaknesses:
Technological weaknesses: as mentioned earlier, every computer network and device has an inherent security weakness. These include TCP/IP protocol (HTTP, FTP, SMTP, SNMP) on which the Internet was designed, operating system (Unix, Linux, Mac OS, Windows OS, and network equipment weaknesses (Routers, Firewalls, Switches etc) .
Configuration weaknesses: incorrect configuration or application of security software or firewall devices due to laxity can help to compromise a network. These includes unsecured user accounts information or passwords, system accounts information or passwords, misconfigured internet services, unsecured default settings within products, misconfigured network equipments – ACLs or routing protocols. All of the above enable the creation of security holes that every experienced hacker is looking out for.
Security policy weaknesses: Every organisation must have a security policy that governs and maintains how the network or company information should be used. Security risks to the network exist if users do not follow the security policy. Security weaknesses emerge when there is no clear cut or written security policy document. A security policy meets these goals:
i. To Inform users, staff, and managers of their obligatory requirements for protecting technology and information assets
ii. Specifies the mechanisms through which these requirements can be met
iii. Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy