Week 31

K1.31 Common vulnerabilities to networks, systems and devices and the application of cyber security controls:

Below is each vulnerability with its risk and control measures.

Missing Patches, Firmware and Security Updates

Risk:
Outdated systems contain known flaws that attackers exploit.

Controls:

  • Use patch management software to deploy updates automatically across devices.

  • Monitor network traffic to spot unusual activity that might be exploiting old vulnerabilities.

  • Use test groups/devices to trial updates before full rollout.

Password Vulnerabilities

(e.g. missing, weak, or default passwords; no lockout against brute force attacks)

Risk:
Attackers gain unauthorised access with minimal effort.

Controls:

  • Enforce minimum password requirements (length, complexity, special characters) following NCSC guidance.

  • Apply a password reset policy (e.g. mandatory reset if compromise suspected).

  • Enable account lockout after repeated failed attempts.
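
The lockout control above, as an added example that is not part of the lesson material: a small account-lockout policy that locks an account after a number of failures inside a sliding window, and a login wrapper that checks the lock before the password so a locked account gives the same answer whether or not the password is right. The thresholds and the injectable clock are assumptions chosen for illustration.

```python
import time
from collections import deque

class LockoutPolicy:
    """Lock an account after `max_failures` failed logins within `window`
    seconds; the lock lasts `lockout` seconds. `clock` is injectable so the
    behaviour can be tested without waiting."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.time):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self.failures = {}      # account -> deque of failure timestamps
        self.locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[account]  # lock has expired
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt; return True if this one triggers a lock."""
        now = self.clock()
        q = self.failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)

def attempt_login(policy, account, password_ok):
    """Returns 'locked', 'ok' or 'failed'. The lock is checked before the
    credential so a locked account cannot be used to confirm a guess."""
    if policy.is_locked(account):
        return "locked"
    if password_ok:
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "locked" if policy.is_locked(account) else "failed"
```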

Insecure BIOS/UEFI Configuration

Risk:
Attackers bypass OS-level security by modifying boot settings.

Controls:

  • Review BIOS/UEFI settings to disable unused ports and enable Secure Boot.

  • Update BIOS/UEFI regularly to fix firmware vulnerabilities.

Misconfiguration of Permissions and Privileges

Risk:
Users or services have excessive rights, increasing the attack surface.

Controls:

  • Regularly review permissions and access rights so they match job roles.

  • Scheduled auditing (e.g. immediately remove access for leavers or role changes).

Unsecured Systems (Lack of Protection Software)

Risk:
Malware infections such as viruses, worms, trojans or ransomware.

Controls:

  • Install and maintain anti-malware and endpoint protection.

  • Regularly update and monitor security software.

  • Mitigate buffer overflow risks through updates and secure coding practices.

Insecure Disposal of Data and Devices

Risk:
Sensitive data recovered from discarded equipment.

Controls:

  • Follow WEEE Directive 2013 for safe hardware disposal.

  • Check and wipe all storage before disposal (e.g. degaussing, shredding drives).

Inadequate Back‑Up Management

Risk:
Loss of critical data after incidents.

Controls:

  • Set back‑up frequency (daily, weekly) according to business needs.

  • Use appropriate types of back‑up (full, incremental, differential).

DHCP Spoofing

Risk:
Attackers provide fake IP configurations to intercept traffic.

Controls:

  • Enable DHCP snooping on network switches to validate legitimate servers.
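
The DHCP snooping decision above, as an added example that is not part of the lesson material: detection logic that reads constructed DHCP server log lines (the log format, the trusted server address and the trusted switch ports are all assumptions) and flags OFFER/ACK messages from an unlisted server or on a port that should never carry server replies.

```python
import re
from collections import defaultdict

# Constructed sample log of server-side DHCP messages, in an assumed format:
# "<time> DHCP <OFFER|ACK> server=<ip> port=<switchport> client=<mac>".
SAMPLE_LOG = """\
09:00:01 DHCP OFFER server=10.0.0.2 port=Gi1/0/1 client=aa:bb:cc:00:00:01
09:00:02 DHCP ACK server=10.0.0.2 port=Gi1/0/1 client=aa:bb:cc:00:00:01
09:00:05 DHCP OFFER server=10.0.0.77 port=Gi1/0/23 client=aa:bb:cc:00:00:02
09:00:06 DHCP ACK server=10.0.0.77 port=Gi1/0/23 client=aa:bb:cc:00:00:02
09:00:09 DHCP OFFER server=10.0.0.2 port=Gi1/0/1 client=aa:bb:cc:00:00:03
"""

# Assumed: the organisation's legitimate DHCP server and the switch ports
# (uplinks) through which its messages are expected to arrive.
TRUSTED_SERVERS = {"10.0.0.2"}
TRUSTED_PORTS = {"Gi1/0/1", "Gi1/0/2"}

LINE_RE = re.compile(
    r"^(?P<time>\S+) DHCP (?P<msg>OFFER|ACK) server=(?P<server>\S+) "
    r"port=(?P<port>\S+) client=(?P<client>\S+)$"
)

def find_rogue_dhcp(log_text, trusted_servers=TRUSTED_SERVERS,
                    trusted_ports=TRUSTED_PORTS):
    """Return one alert per OFFER/ACK that comes from an unlisted server
    address or arrives on a port that should never carry server messages.
    This is the same per-port decision DHCP snooping makes on a switch."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a server-side DHCP message; ignore
        rec = m.groupdict()
        reasons = []
        if rec["server"] not in trusted_servers:
            reasons.append("unknown DHCP server address")
        if rec["port"] not in trusted_ports:
            reasons.append("server message on untrusted port")
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts

def clients_per_rogue_server(alerts):
    """Summarise which clients each suspected rogue server has configured,
    i.e. whose traffic may now be routed through the attacker's settings."""
    affected = defaultdict(set)
    for a in alerts:
        affected[a["server"]].add(a["client"])
    return {server: sorted(macs) for server, macs in affected.items()}
```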

VLAN Attacks and VLAN Hopping

Risk:
Attackers jump between VLANs to reach protected resources.

Controls:

  • Conduct implementation testing of VLANs.

  • Schedule regular monitoring to detect unusual VLAN activity.

Misconfigured Firewalls

Risk:
Improper rules allow unwanted traffic through.

Controls:

  • Test firewall rules against policy requirements.

  • Apply scheduled monitoring and updates to firewall firmware and policies.

Exposed Services and Ports

(e.g. plugging into an open Ethernet port)

Risk:
Unauthorised devices access the internal network.

Controls:

  • Apply physical security controls (e.g. lock ports, secure rooms).

  • Monitor network traffic for unknown devices or services.

Misconfigured Access Control Lists (ACLs)

Risk:
Traffic allowed or denied incorrectly, exposing sensitive resources.

Controls:

  • Regularly monitor and review ACLs to match security policy.
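
Reviewing firewall rules and ACLs against policy, as described in this section and under Misconfigured Firewalls above, as an added example that is not part of the lesson material: a small first-match rule reviewer that flags allow-anything rules and rules that are shadowed by an earlier rule (so the control they express is never actually enforced). The rule representation and the sample rule set are constructed for illustration.

```python
import ipaddress

def _net(s):
    """'any' means every IPv4 address."""
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

def _ports(p):
    """'any', '443' or '1024-65535' -> inclusive (low, high) tuple."""
    if p == "any":
        return (0, 65535)
    lo, _, hi = str(p).partition("-")
    return (int(lo), int(hi or lo))

def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    a_lo, a_hi = _ports(a["dport"])
    b_lo, b_hi = _ports(b["dport"])
    return (a["proto"] in ("any", b["proto"])
            and _net(b["src"]).subnet_of(_net(a["src"]))
            and _net(b["dst"]).subnet_of(_net(a["dst"]))
            and a_lo <= b_lo and a_hi >= b_hi)

def review_acl(rules):
    """Return (rule_index, finding) pairs for a first-match rule list:
    allow-anything rules, and rules shadowed by an earlier rule."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "allow" and rule["src"] == "any" and rule["dport"] == "any":
            findings.append((i, "overly permissive: allows any source to any port"))
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, f"shadowed by rule {j}"))
                break
    return findings

# Constructed rule set in first-match order (assumed representation).
# Rule 1 is meant to block one subnet but rule 0 already allows it;
# rule 3 is meant to block DNS but the allow-anything rule 2 comes first.
SAMPLE_RULES = [
    {"action": "allow", "proto": "tcp", "src": "10.0.0.0/8",  "dst": "10.1.1.10/32", "dport": "443"},
    {"action": "deny",  "proto": "tcp", "src": "10.2.0.0/16", "dst": "10.1.1.10/32", "dport": "443"},
    {"action": "allow", "proto": "any", "src": "any",         "dst": "any",          "dport": "any"},
    {"action": "deny",  "proto": "udp", "src": "any",         "dst": "10.1.1.0/24",  "dport": "53"},
]

if __name__ == "__main__":
    for index, finding in review_acl(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```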

Ineffective Network Topology Design

(e.g. poor placement of firewalls or screened subnets)

Risk:
Increases exposure to external threats.

Controls:

  • Perform a full design review before implementation.

  • Carry out implementation testing to ensure correct segmentation.

Unprotected Physical Devices

Risk:
Devices without proper software or hardening are vulnerable.

Controls:

  • Install correct security software and apply configuration best practices (e.g. disable unused ports, encrypt disks).

It's Dangerous Out There
Scenario:
You are a network security consultant reviewing a company’s infrastructure.

Task:
1. Pick three vulnerabilities from the list above.

2. For each:
  • Explain why it's a risk.
  • Describe two controls you would apply to mitigate it.

Extension:
Create a checklist for the company to follow during their next security audit.

Discuss the common vulnerabilities with the rest of the class. For each of the following, reflect on its impact and on any security control that addresses it:

- Missing patches, firmware and security updates.
- Password vulnerabilities.
- Insecure BIOS/UEFI.
- Misconfigurations.
- Lack of protection software.
- Disposal of data/devices.
- Inadequate back-up process.
- DHCP spoofing.
- VLAN attacks.
- Misconfigured firewalls or ACLs.
- Exposed services or ports.
- Ineffective network design.
- Unprotected devices.

 


Last Updated
2025-07-16 08:07:49
