Network security threats weaken the defenses of an enterprise network, endangering proprietary data, critical applications, and the entire IT infrastructure.
Because businesses face an extensive array of threats, they should carefully monitor and mitigate the most critical threats and vulnerabilities. This guide to major network security threats covers detection methods as well as mitigation strategies for your organization to follow.
Public Internet Threats
If your enterprise network is connected to the public internet, every single threat on the internet can render your business vulnerable too. These threats include:
- Spoofed websites: Threat actors direct internet users to sites that look legitimate but are designed to steal their account credentials.
- Downloadable malware: Links in emails, or extensions offered on websites, download malicious software onto a host machine as soon as they are clicked. Sometimes this malware can then move laterally through the network.
- Email-based phishing attacks: These can include both of the above attacks and typically target employees through their business email accounts.
- DNS attacks: DNS cache poisoning (also called DNS hijacking) plants a forged DNS record for a legitimate site, so that users who try to navigate to that site are sent to a malicious one instead.
These threaten enterprise networks because malicious traffic from the internet can travel between networks. Widespread, complex business networks are particularly challenging to protect; these can include edge and mobile networks as well as branch office networks and SANs.
To protect your business’s network from internet threats, implement the following:
- A next-generation firewall (NGFW): Installing a firewall between the public internet and your organization’s private network helps filter some initial malicious traffic.
- Network detection and response software: Firewalls won’t catch everything, and monitoring your private network regularly will reveal anomalous patterns that indicate a breach.
- Endpoint protection on all devices: Every machine connected to the network is a potential entry point and should be monitored. This includes IoT devices.
- Segmentation: Segmentation technologies require setting policies for each network segment, controlling which traffic can move between subnets and reducing lateral movement.
DoS and DDoS Attacks
DDoS attacks can make your public-facing applications and websites inaccessible, causing massive revenue loss. They can also be aimed at internal networks.
A denial of service (DoS) attack overwhelms an enterprise resource, often an internal network or an important application, with too much traffic. A distributed denial of service (DDoS) attack also overwhelms a system, but its requests come from many IP addresses rather than a single location. The attacker first takes control of these hosts (often a botnet of compromised machines) and then directs all of them at the target network or systems at once. The system can’t handle this many requests and therefore crashes or stops responding.
For any business that relies on customer-facing applications, even a short outage can be disastrous. Imagine you’re a retailer with 50 store locations. If your internal point-of-sale system goes down, you’re no longer able to complete in-store transactions until the server outage is fixed.
For organizations like retailers, banks, and business software providers, an outage like this can be a blow to your reputation as well as a financial loss. Even a single outage, if long enough, can negatively impact how customers view your organization.
Protecting your business from DoS and DDoS attacks is challenging because they usually come from external traffic, rather than from a threat inside the network that can be located and halted while it’s in your system. Placing a reverse proxy in front of a server is one way to reduce the effect of a DDoS attack aimed at that single server. The reverse proxy has its own IP address, so the flood of requests lands on the proxy rather than on the internal server, and the internal server’s address is not overwhelmed as easily. Note that this technique won’t protect against DDoS attacks on multiple servers at a time.
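The DoS/DDoS distinction above is easiest to see in the most basic mitigation, per-source rate limiting. The following added example (written for this article, not code from the original page) applies a token bucket to each source address over two constructed request streams: one flood from a single address, and the same volume spread across a hundred addresses. The traffic, the addresses (documentation ranges) and the rate parameters are all constructed for the demonstration.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None  # timestamp of the previous request from this source

    def allow(self, now):
        """Refill for the elapsed time, then consume one token if one is available."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_requests(requests, rate=5.0, burst=10):
    """Apply a per-source token bucket to (timestamp_seconds, source_ip) requests.

    Returns {source_ip: (allowed, dropped)}; requests are processed in time order.
    """
    buckets = {}
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        bucket = buckets.setdefault(ip, TokenBucket(rate, burst))
        if bucket.allow(ts):
            stats[ip][0] += 1
        else:
            stats[ip][1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


# Constructed sample traffic (documentation addresses, not real captures).
# DoS case: one source sends 100 requests in 100 ms while a legitimate client
# sends one request per second.
SINGLE_SOURCE_FLOOD = [(i * 0.001, "203.0.113.9") for i in range(100)] + [
    (0.5 + i, "198.51.100.7") for i in range(5)
]
# DDoS case: the same 100 requests in 100 ms, but from 100 different sources.
DISTRIBUTED_FLOOD = [(i * 0.001, f"203.0.113.{i + 1}") for i in range(100)]


if __name__ == "__main__":
    print("single source:", filter_requests(SINGLE_SOURCE_FLOOD))
    print("distributed  :", filter_requests(DISTRIBUTED_FLOOD))
```

With a burst of 10 and a refill of 5 per second, the single flooding source gets 10 requests through and 90 dropped while the legitimate client is untouched. The distributed flood passes entirely, because each source stays within its own limit; that is why volumetric DDoS needs upstream capacity (a proxy, CDN or scrubbing service) rather than only per-client limits.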
Unsecured and Outdated Network Protocols
Some older versions of network protocols have vulnerabilities and bugs that were fixed in later versions, but many businesses and systems still use the older protocols. For example, SNMP versions 1 and 2 have known vulnerabilities. All SSL versions, and every TLS version older than TLS 1.3, have multiple weaknesses, including the ones that enable the POODLE and BEAST attacks.
To prevent attacks like these, keep every network connection upgraded to the most recent TLS version. Keep in mind that updated versions of network protocols aren’t perfect — TLS 1.3 will still have weaknesses, and they’ll eventually be uncovered. But many network vulnerabilities have already been fixed, so it’s best to use the most recent protocol versions to at least avoid already-known threats. Disable older SSL and TLS versions on your network if you have to. Your business may need to do so regardless to be compliant with data protection regulations like PCI DSS.
Additionally, if you know your networks still allow an insecure protocol like HTTP, block connections that use that protocol as soon as you can.
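Checking that a client only negotiates current TLS versions is a small amount of code in Python's standard library. The following added example (not code from the original article) builds a hardened client context, audits which legacy protocol versions a given context would still accept, and includes a probe function for checking your own servers. The function names and the choice of TLS 1.2 as the default floor are assumptions of the example.

```python
import socket
import ssl

# Protocol versions the article treats as unsafe to negotiate.
LEGACY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def _as_version(v):
    """Accept either a TLSVersion member or its name, e.g. "TLSv1_2"."""
    return v if isinstance(v, ssl.TLSVersion) else ssl.TLSVersion[v]


def legacy_versions_in_range(minimum, maximum):
    """Names of legacy protocol versions that a [minimum, maximum] setting still permits.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "whatever the
    OpenSSL build allows", so they are widened to the full range here.
    """
    lo, hi = _as_version(minimum), _as_version(maximum)
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [v.name for v in LEGACY_VERSIONS if lo <= v <= hi]


def audit_context(ctx):
    """Report which legacy versions an ssl.SSLContext would still accept."""
    return legacy_versions_in_range(ctx.minimum_version, ctx.maximum_version)


def hardened_client_context(min_version="TLSv1_2"):
    """Client context that verifies certificates and refuses anything below min_version."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = _as_version(min_version)
    return ctx


def probe_server_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and return the negotiated protocol name.

    This is a live network call meant for your own servers; the offline demo
    below does not use it.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("hardened context still allows:", audit_context(hardened_client_context()))
    print("TLS 1.0 floor still allows   :",
          legacy_versions_in_range("TLSv1", "MAXIMUM_SUPPORTED"))
```

A server that rejects the hardened context's handshake is one that only offers legacy versions, which is exactly the kind of connection the article says to upgrade or block.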
A simple misconfiguration of a network protocol or rule can expose an entire server, database, or cloud resource. Typing one wrong line of code or failing to set up routers or switches securely can contribute to configuration errors. Misconfigured network security commands are also very difficult to find because the rest of the hardware or software appears to be working properly.
Misconfigurations also include improperly deployed switches and routers. Even failing to change a router’s default passwords is a misconfiguration, and a mistake like that allows a hacker to more easily access the router’s controls and change network settings. Switch configurations are often overlooked, too.
To solve misconfiguration errors, it’s often best for enterprises to invest in an automated configuration solution or a network security tool that can locate misconfigurations. Because network configuration errors are so challenging to find and solve, automation saves IT teams time and reduces the chance of creating another problem when attempting a fix.
If your teams choose to reconfigure network protocols and lists manually, ensure that highly experienced network admins and engineers are doing this work. It’s not a job for inexperienced IT or network personnel, since even an expert engineer can easily make a configuration mistake.
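The misconfigurations this section and the previous one describe (factory default passwords, SNMP v1/v2c, cleartext management protocols, old TLS floors, unrestricted management access) can be checked mechanically from an exported configuration. The following added example (written for this article, not a tool from the original page) audits a device configuration represented as a dictionary. The field names, the factory-default table and both sample configurations are constructed for the demonstration.

```python
def _ver(s):
    """Turn "1.2" into (1, 2) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


def audit_device_config(cfg, factory_defaults):
    """Return (severity, message) findings for common router/switch misconfigurations."""
    findings = []
    for user, password in cfg.get("local_users", {}).items():
        if factory_defaults.get(user) == password:
            findings.append(("high", f"local user '{user}' still has the factory default password"))
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        if snmp.get("version") in ("1", "2c"):
            findings.append(("high", f"SNMP v{snmp['version']} enabled; use v3 with authentication and privacy"))
        if snmp.get("community") in ("public", "private"):
            findings.append(("high", "well-known SNMP community string in use"))
    mgmt = cfg.get("management", {})
    for proto in ("telnet", "http"):
        if mgmt.get(proto):
            findings.append(("medium", f"cleartext management protocol '{proto}' enabled"))
    tls_floor = mgmt.get("tls_min_version", "1.0")
    if mgmt.get("https") and _ver(tls_floor) < (1, 2):
        findings.append(("medium", f"HTTPS management accepts TLS {tls_floor}; require 1.2 or newer"))
    if not mgmt.get("access_list"):
        findings.append(("medium", "management plane reachable from any source; no access list applied"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed data: a made-up default credential table and two snapshots of the
# same branch router, before and after hardening. Nothing here is vendor-specific.
FACTORY_DEFAULTS = {"admin": "admin"}

UNTOUCHED_ROUTER = {
    "hostname": "branch-rtr-01",
    "local_users": {"admin": "admin"},
    "snmp": {"enabled": True, "version": "2c", "community": "public"},
    "management": {"telnet": True, "http": True, "https": True,
                   "tls_min_version": "1.0", "access_list": None},
}

HARDENED_ROUTER = {
    "hostname": "branch-rtr-01",
    "local_users": {"admin": "<rotated-secret-placeholder>"},
    "snmp": {"enabled": True, "version": "3", "community": None},
    "management": {"telnet": False, "http": False, "https": True,
                   "tls_min_version": "1.2", "access_list": "MGMT-ONLY"},
}


if __name__ == "__main__":
    for severity, message in audit_device_config(UNTOUCHED_ROUTER, FACTORY_DEFAULTS):
        print(f"[{severity}] {message}")
    print("hardened findings:", audit_device_config(HARDENED_ROUTER, FACTORY_DEFAULTS))
```

Running the same audit on every exported configuration, on a schedule, is the automation the paragraph recommends: the checks are simple, but they catch the "nothing looks broken" class of mistakes that a human review tends to skip.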
Weak Access Controls
Unauthorized network access gives bad actors a direct path into your infrastructure. And network users don’t just need to be authorized — they need to be authenticated, too. Businesses need to use authentication to verify the identity of the user, and that’s where access controls come in.
Unfortunately, some organizations either don’t set network access controls at all or only provide a broad set of controls, like a single shared password or admin permissions for all users. This is dangerous because not all network users should have the ability to change network configurations. And if a bad actor steals any user’s credentials, they’ll have full admin permissions.
All access control systems should perform both authorization and authentication:
- Authentication requires the user to present data, like a PIN, password, or biometric scan, to prove they are who they say they are.
- Authorization determines which data the user may view and which resources on the network they may use once they have verified themselves.
- Many NAC and other security tools also verify the device and the state of its security.
It’s also important to specify what authorized users can view and do. Not all users on the network need administrative privileges. Access controls allow organizations to set privilege levels on the network, like read-only and editing permissions. It’s best to give users only the access level they need to do their job, known as the principle of least privilege, which is also a core tenet of zero trust. This decreases opportunities for both insider fraud and accidental errors.
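The two steps the list separates, authentication followed by authorization, map directly onto code. The following added example (not code from the original article) verifies a salted password hash and then checks the requested permission against the user's role, so that stealing a viewer's credentials never yields configuration-write access. The role names, permission strings and sample users are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Role -> permissions. Deliberately no "everyone is admin" role.
ROLE_PERMISSIONS = {
    "viewer": {"config:read"},
    "operator": {"config:read", "device:reboot"},
    "netadmin": {"config:read", "config:write", "device:reboot"},
}

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccessControl:
    """Authentication (who are you) followed by authorization (what may you do)."""

    def __init__(self):
        self._users = {}  # username -> (salt, digest, role)

    def add_user(self, username, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, role)

    def authenticate(self, username, password):
        """Return a session dict on success, None on failure."""
        record = self._users.get(username)
        if record is None:
            hash_password(password)  # same cost for unknown users, so timing gives no hint
            return None
        salt, digest, role = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            return None
        return {"user": username, "role": role}

    def authorize(self, session, permission):
        """Least privilege: only permissions granted to the session's role are allowed."""
        if session is None:
            return False
        return permission in ROLE_PERMISSIONS[session["role"]]


def demo():
    """Constructed users; returns the outcomes the example is meant to show."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", "viewer")
    ac.add_user("bob", "example-netadmin-passphrase", "netadmin")
    alice = ac.authenticate("alice", "correct horse battery staple")
    bob = ac.authenticate("bob", "example-netadmin-passphrase")
    return {
        "wrong_password_rejected": ac.authenticate("alice", "guess") is None,
        "alice_read": ac.authorize(alice, "config:read"),
        "alice_write": ac.authorize(alice, "config:write"),
        "bob_write": ac.authorize(bob, "config:write"),
        "unknown_user_read": ac.authorize(ac.authenticate("mallory", "x"), "config:read"),
    }


if __name__ == "__main__":
    print(demo())
```

Contrast this with the shared-password design the section warns about: there, `authorize` would have no role to consult, and every authenticated caller would be an administrator.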
Human Security Threats
Employees make mistakes, whether that’s an accidental line of code or a router password exposed for the whole internet to see. Training providers offer extensive cybersecurity courses just to mitigate the high likelihood that employees will put your infrastructure in danger.
Human error plays a large role in the majority of all data breaches. According to a study done by a Stanford professor and security provider Tessian, human error causes 85% of breaches. Examples of human error include:
- Posting written router passwords or sending them over email or Slack.
- Incorrectly configuring network access controls.
- Allowing someone from outside the business into the premises where the network hardware and software is hosted.
But one area of human threat that’s often overlooked is intentional insider threats. Although these don’t happen as frequently in a standard business setting, they can be even more dangerous. Sometimes, employees choose to betray the confidence of the organization to make more money or take revenge. These insiders usually have credentialed access to a network, which makes it much easier for them to steal data.
Malicious insiders exploit proprietary information or customer data, sometimes selling it to a third party. But other insiders may just want to take revenge on the company if a coworker wronged them, they were terminated, or they believe the business is making unethical decisions. Additionally, some employees take proprietary information with them when they leave the company or retain their login credentials after termination.
To reduce human error episodes:
- Host cybersecurity training sessions every quarter. Make them interactive so that employees stay engaged, and make sure that new hires immediately know expectations.
- Have regular conversations about cybersecurity in manager and employee one-on-one meetings.
- Install software like password managers to help employees manage their credentials safely.
- Implement data loss prevention (DLP) technology and raise awareness of the potential for insider threats. Protecting both customer and proprietary data is critical for both reputation maintenance and regulatory compliance.
Malicious insider threats are more difficult to mitigate. Malicious insiders may successfully hide their feelings about the company and their intentions for months or years. Because they often have network or system credentials, their effect is harder to track. However, behavioral analytics for network users is a helpful tool to at least identify anomalous behavior. If an insider is leaking data or changing credentials, this indicates that they may be doing something intentionally.
Asking for references and performing background checks, while not a catch-all, helps businesses hire trustworthy individuals. Also, be extremely intentional with cybersecurity training and talk about good security practices constantly. While this may not stop all malicious insiders, it may give them greater pause than a business that takes a lackadaisical approach to cybersecurity.
When connected to a business network, operational technology (OT) can provide an open door for threat actors. Operational technology often refers to hardware and software that observes and controls industrial environments. These environments include warehouses, construction sites, factories and more. OT allows businesses to manage HVAC, fire safety, and food temperature through network-connected cellular technology. Enterprise Internet of Things and Industrial Internet of Things (IIoT) devices also fall under operational technology.
Older OT devices weren’t designed with cybersecurity in mind, or whatever legacy controls they had may no longer be adequate — or fixable. Initially, equipment and sensors in plants and construction sites had no internet connection, nor were they 4G- or 5G-enabled. Current OT design makes it easy for an attacker to move laterally through networks if the devices don’t have their own security. This includes 4G and 5G devices, which can be used as back doors to corporate networks. Traffic from these won’t show up in network scans unless they also use Wi-Fi or Ethernet connections, so these communications may go entirely undetected by IT teams.
Additionally, it’s extremely difficult to backtrack and implement large-scale security for legacy operational tech that’s been in the business longer than it’s been connected to the internet. Individual devices or single OT environments might have their own security solution, but it’s not part of a broader cyber protection strategy.
Operational technology often has consequences that go far beyond IT security, especially in critical infrastructure such as food management, healthcare, and water treatment. An OT breach could do more than cost money or jeopardize tech resources like a standard network breach — it could cause injury or death. Despite this, it’s challenging for enterprises with OT to secure their devices and networks.
To protect your OT and enterprise networks, take careful inventory of what devices connect to your company network. Sooner rather than later, you’ll want to perform an audit of your OT and IoT devices. It’s difficult to know which IoT devices are on what network, particularly if you have an extensive OT deployment.
Consistently monitor all OT traffic. Any anomalies should send automated alerts to IT and network engineers.
Use secure connections for all wireless networks. If your OT devices are on Wi-Fi, ensure that the Wi-Fi uses at least WPA2.
Although VPNs create a private tunnel for organizations’ network communications, they can still be breached. One particular vulnerability is third-party VPN access, where businesses give partners or contractors access to their applications using a VPN. It’s very difficult to restrict these third parties’ access to specific permissions, unless you use least privilege access. VPNs also don’t keep a lot of data logs to analyze later, so it’s challenging to locate the specific source of a breach if a third party does abuse their permissions.
To mitigate VPN vulnerabilities, implement least privilege access management across your infrastructure. It’ll help protect the business from third-party threats, but it’s beneficial for all application users as well, including IT and networking employees. Least privilege access gives specified users the permissions they need to do their job and nothing else. For third parties like contractors, it can limit their access to sensitive business data and applications.
Individual VPN solutions can have vulnerabilities of their own, so ensure that your business continually monitors them and patches weaknesses when needed.
Obsolete and Unpatched Network Resources
Network hardware and software often have vulnerabilities, and these tend to reveal themselves over time. This requires IT and network technicians to stay apprised of threats as the vendor or others in the security field announce them. Outdated devices are also dangerous because they can’t be updated to the most recent firmware, which means they won’t have the latest security controls.
Obsolete routers, switches, or servers aren’t able to use the most recent security updates. These devices are risky and require additional protective controls. Other old devices, like hospital equipment, often can’t be abandoned entirely, so enterprises will likely have to set up extra security to keep them from putting the rest of the network at risk.
It’s critical for network administrators to patch firmware vulnerabilities immediately after learning of them. Threat actors move into action quickly once they learn of vulnerabilities, so IT and networking teams should be one step ahead. Automated alerts will help your business’s teams keep network resources up to date even if they can’t be on the clock.
Phase out your obsolete devices where possible, too. Eventually they’ll be a greater threat than a benefit, and they’ll continue to be incompatible with the rest of the network. It’s challenging to implement widespread security solutions for an entire network if some hardware doesn’t support it.
Over the last few years, but especially during the COVID-19 pandemic, using remote connections to office networks and resources became a popular way to complete work from home offices and other locations. Unfortunately, untrusted networks and personal devices put business networks and systems in danger.
In the early stages of the pandemic, exposed Remote Desktop Protocol (RDP) was one of the most common ransomware attack vectors. Attackers found a way in through RDP vulnerabilities or simply brute-forced passwords. Remote access Trojans also allow attackers to control a machine remotely once the malware has been downloaded onto the computer through an email attachment or other software.
Other unsecured network connections, like unprotected Wi-Fi, allow thieves to steal credentials and then log into business applications from coffee shops and other public locations. Businesses with a largely remote workforce have multiple methods of remote access to company resources, and it’s hard for IT and security teams to lock all of them down.
If your business still plans to use RDP:
- Limit failed password attempts to only a few.
- Set difficult-to-guess passwords for RDP access.
- Limit access to specific IP addresses assigned to employee devices.
- Configure strict user policies for RDP, including least privilege access. Only those who need to connect remotely to perform their job should have access.
However, if your organization can possibly avoid RDP, it’s best to do so. Because it’s so vulnerable and has been one of the main surfaces for ransomware attacks, we recommend finding another remote access plan. Securing all enterprise avenues of remote access is a broader task, but it’s a necessary one, especially when using insecure protocols like RDP.
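The two RDP controls above, a cap on failed attempts and a source-address allow list, also define what to look for in the logon logs when they are not enforced. The following added example (not code from the original article) scans a small set of logon events for sources outside the allowed ranges, bursts of failures within a sliding window, and a success that follows such a burst. The event IDs are the Windows Security log's failed (4625) and successful (4624) logon IDs; the one-line log layout, the thresholds and the sample lines are constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log layout: one logon event per line. 4625 = failed logon,
# 4624 = successful logon (Windows Security log event IDs); the text format
# around them is an assumption of this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": int(m["event"]), "user": m["user"], "src": m["src"]}


def analyze(lines, allowed_sources, max_failures=5, window_seconds=60):
    """Return findings as (kind, source_ip, detail) tuples in detection order.

    kinds: "unlisted"               - attempt from outside the allowed source ranges
           "bruteforce"             - more than max_failures failures within window_seconds
           "success_after_failures" - a successful logon right after such a burst
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    recent_failures = defaultdict(deque)
    findings, reported = [], set()

    def trim(q, now):  # drop failures that fell out of the sliding window
        while q and (now - q[0]).total_seconds() > window_seconds:
            q.popleft()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]
        if not any(ipaddress.ip_address(src) in net for net in allowed) \
                and ("unlisted", src) not in reported:
            reported.add(("unlisted", src))
            findings.append(("unlisted", src, rec["user"]))
        q = recent_failures[src]
        trim(q, ts)
        if rec["event"] == FAILED_LOGON:
            q.append(ts)
            if len(q) > max_failures and ("bruteforce", src) not in reported:
                reported.add(("bruteforce", src))
                findings.append(("bruteforce", src, len(q)))
        elif rec["event"] == SUCCESS_LOGON and len(q) > max_failures:
            findings.append(("success_after_failures", src, rec["user"]))
    return findings


# Constructed sample: a password-guessing burst from an outside address that
# finally succeeds, and a staff member on the office range who mistypes once.
SAMPLE_LOG = """\
2024-05-01T02:14:01Z event=4625 user=administrator src=203.0.113.45
2024-05-01T02:14:03Z event=4625 user=administrator src=203.0.113.45
2024-05-01T02:14:05Z event=4625 user=administrator src=203.0.113.45
2024-05-01T02:14:07Z event=4625 user=administrator src=203.0.113.45
2024-05-01T02:14:09Z event=4625 user=admin src=203.0.113.45
2024-05-01T02:14:11Z event=4625 user=admin src=203.0.113.45
2024-05-01T02:14:20Z event=4625 user=jsmith src=10.0.5.12
2024-05-01T02:14:25Z event=4624 user=jsmith src=10.0.5.12
2024-05-01T02:14:40Z event=4624 user=admin src=203.0.113.45
""".splitlines()

ALLOWED_SOURCES = ["10.0.5.0/24", "192.0.2.0/24"]  # constructed office and VPN ranges


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, ALLOWED_SOURCES):
        print(finding)
```

The "success after failures" finding is the one to page on: a lockout policy would have stopped the burst at the threshold, so its presence means the control is either missing or misconfigured on that host.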
Where Do Network Threats Come From?
Network threats come from an enormous variety of sources, but narrowed down, they can be traced to the following vectors and vulnerabilities.
Hardware sometimes has misconfigurations and outdated protocols. Devices that have been infected by malware, like routers, are a threat to the rest of the network. Also, unauthorized devices and insecure BYOD devices on the network may not have the same security controls as authorized devices and are therefore more vulnerable.
Humans make mistakes, and network security is difficult to manage even for experts because it’s so highly intricate. It’s easy for senior engineers to misconfigure a setting. Additionally, some insiders deliberately manipulate networks for their personal gain.
Malicious packets attempt to enter a network, requiring firewalls and other systems, like IDPS, to prevent them. Malicious traffic comes from multiple locations, so it’s challenging to secure all ports. Traffic IP addresses can be hidden, too, and threat actors can use different IP addresses to avoid network blacklists and thwart threat intelligence.
Sometimes hardware and software fail. DoS and DDoS attacks flood servers and render them unusable. Also, natural disasters and power surges destroy or temporarily take down networks. Although at its root this isn’t a cybersecurity issue, it can certainly weaken security controls, particularly if the main NGFW or other detection and prevention tools go down.
Network hardware and software needs to be updated with the latest protocols and patches. Unpatched vulnerabilities on network firmware are an open door for attackers. Additionally, if IT and network admins don’t regularly perform vulnerability scans, they won’t be able to identify vulnerabilities as quickly.
Network Security vs. Endpoint Security vs. Application Security
The line between network security, application security, and endpoint security is hard to draw because they all affect each other immensely. Here we’ve focused specifically on network threats and have excluded threats that originate on applications or endpoints, such as cross-site scripting or ransomware. We define application and endpoint security as follows:
- Application security: specific to software programs and their effect on the organization, network, and computer systems
- Endpoint security: specific to devices and users and their effect on an organization overall
However, endpoint devices and business applications still affect network security. A malware-infected computer or compromised CRM system can still lead to a network breach. These categories do overlap, but to avoid confusion we’ve differentiated between them in this guide.
How Can You Detect Threats?
Although network threats come from many sources, enterprises need a reliable set of detection tools and techniques to locate the majority of malicious behavior. Perimeter network security, vulnerability assessments, and automation all help businesses identify threats and give their teams time to develop a solution.
Advanced network perimeter protection like a next-generation firewall can be configured to send alerts when it detects anomalous traffic. If data packets entering the network behave strangely, that’s an early warning sign for IT and security teams. Threat intelligence from NGFWs is critical for identifying malicious traffic early. Some firewalls can also block well-known malicious websites.
Monitoring network devices and traffic helps enterprises observe patterns over a period of time. Advanced monitoring solutions like NDR are even able to scan encrypted traffic, where some threats may have slipped through the cracks.
It’s not only challenging to secure IoT devices but also to identify threats from a distributed network of smart devices. Identify all device vulnerabilities and implement network traffic monitoring specifically designed for the Internet of Things. It’s also important to locate the root of IoT threats before they spread further through the network.
Machine learning and behavioral analytics
Although firewalls and other perimeter security can identify and halt some traffic, other traffic will breach the network. Using analytics to study traffic as it moves through the network is beneficial for long-term security. A behavioral analytics solution that uses ML should be able to study ongoing traffic patterns and detect malicious behavior and C2 traffic. NGFWs and other advanced security solutions often offer ML and behavioral analytics capabilities.
Security teams can’t study networks 24/7, but automated alerts flag malicious activity immediately after it’s detected. Machine learning and behavioral analytics platforms study patterns in network traffic data, and automation sends email or Slack alerts to IT personnel immediately once an anomaly is detected.
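One concrete pattern a behavioral analytics system looks for in C2 traffic is beaconing: an implant calling home on a timer, which produces connection intervals far more regular than any human's browsing. The following added example (not code from the original article, and far simpler than a commercial ML product) flags source/destination pairs whose connection gaps have a low coefficient of variation. The flow records, addresses and thresholds are constructed for the demonstration.

```python
import statistics
from collections import defaultdict


def beacon_candidates(flows, min_connections=8, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    flows: iterable of (timestamp_seconds, src_ip, dst_ip).
    The coefficient of variation (stdev / mean of the gaps) is near zero for a
    timer-driven beacon and large for human-driven traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(float(ts))
    results = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "connections": len(times),
                            "period_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["cv"])


# Constructed flow records (documentation addresses). Host 10.0.5.33 calls out
# every ~60 s with a little jitter; 10.0.5.12 browses at irregular, human intervals.
_JITTER = [0, 1, -1, 0.5, -0.5, 1, -1, 0, 0.5, -0.5, 1, 0]
SAMPLE_FLOWS = [(60 * i + j, "10.0.5.33", "203.0.113.77") for i, j in enumerate(_JITTER)]
SAMPLE_FLOWS += [(t, "10.0.5.12", "198.51.100.20")
                 for t in (0, 7, 9, 130, 131, 400, 402, 900, 1500, 1502, 1503, 3000)]


if __name__ == "__main__":
    for candidate in beacon_candidates(SAMPLE_FLOWS):
        print(candidate)
```

Real implants add random jitter to defeat exactly this check, so production systems combine interval regularity with other features (byte counts, destination reputation, time of day); the threshold and the minimum sample count here are the knobs that trade detection rate against false alarms from legitimate pollers such as update checks.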
Vulnerability scanning checks devices and assets against a database of known vulnerabilities to identify issues like misconfigurations and outdated software. Some scanners categorize vulnerabilities by their level of risk. Some vulnerability scanning solutions also help businesses maintain compliance with cybersecurity and data protection regulations by creating policies and rules.
Pen testing gives enterprises clear, actionable information about their network security by hiring expert hackers to find vulnerabilities in the network. These hackers identify specific areas of weakness in web-facing assets like applications, firewalls, and servers.
A computer system specifically designed to trap attackers is called a honeypot. A honeypot could be a database or application set up with a tempting name, implying sensitive information is stored there, with the intent of observing threat actor behavior before they get to critical assets. Examples of a honeypot include an additional router or a firewall that protects a fake database. Some vendors offer this as deception technology.
Protecting Your Network Against Common Threats
Networks are sprawling and complex and often contain sub-networks, a wide array of assets and devices, and connections to public networks like the internet and cloud environments. This makes them incredibly difficult to secure. However, enterprises should consistently follow trusted security practices and teach all of their employees — not just IT or engineering teams — to support those practices on their own.
Also, keep in mind that if your organization relies on cloud solutions and virtual environments, you aren’t exempt from network threats. Bad actors may still worm their way into a cloud solution’s online storage and computing environments and use the internet to compromise the organization’s broader network. Although having a cloud solution separated from your business network is beneficial, it doesn’t mean that a cleverly launched attack couldn’t still touch your network — or steal data from critical SaaS apps.
To protect your organization’s network against the most common threats, judiciously configure your networks, manage your endpoints and protocols, and thoroughly train all employees.
Practice careful configuration
Using automated solutions to detect and fix configurations helps engineers and developers avoid accidental misconfigurations. Additionally, use a reliable documentation solution to track and record all configuration changes. Tracking these adjustments gives you a better chance of finding where a configuration went wrong.
Use secure protocols
Ensure that all devices and routers on the network are running secure network protocols like HTTPS and TLS. While not perfect catch-alls, these protocols reduce the chance of bad traffic slipping through. They typically use encryption technologies to shield moving data from prying eyes.
Often, enterprises will divide large networks into smaller ones called subnets. For businesses with highly sensitive applications, segmenting the network in this way is helpful because they can require additional credentials to enter different regions of the network.
Once a bad actor breaches a business network, they often move laterally between applications and devices. But segmenting subnets means that the bad actor will have to present a new set of credentials to move into the next part of the network. This decreases lateral movement within the broader network. Businesses that segment networks might choose to set sensitive applications, like a CRM or database, behind a subnet.
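The segmentation policy these two paragraphs describe comes down to a default-deny table of which segment may talk to which, on which port. The following added example (not code from the original article, and not tied to any vendor's firewall) models a small segment plan with a sensitive CRM carved out of the server range, and evaluates proposed flows against an explicit allow list. The address ranges, segment names and rules are constructed for the demonstration.

```python
import ipaddress

# Constructed segment plan (private RFC 1918 space). "crm" is carved out of
# "servers" so the sensitive application gets its own, stricter policy.
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "crm":     ipaddress.ip_network("10.20.50.0/24"),
    "ot":      ipaddress.ip_network("10.30.0.0/16"),
    "bastion": ipaddress.ip_network("10.40.0.0/24"),
}

# Explicit allow list of (source segment, destination segment, TCP port).
# Anything not listed, including traffic between two hosts in the same
# segment, is denied: that default is what limits lateral movement.
ALLOW_RULES = [
    ("users", "servers", 443),   # staff reach general web applications
    ("bastion", "crm", 443),     # CRM only via the bastion, which demands extra credentials
    ("servers", "crm", 5432),    # application tier to the CRM database
    ("bastion", "ot", 22),       # OT maintenance only from the bastion
]


def segment_of(ip):
    """Longest-prefix match of an address to a segment name, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(matches)[1] if matches else None


def evaluate(src_ip, dst_ip, dst_port):
    """Return (allowed, reason) for a proposed flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside any defined segment"
    if (src, dst, dst_port) in ALLOW_RULES:
        return True, f"{src} -> {dst}:{dst_port} explicitly allowed"
    return False, f"{src} -> {dst}:{dst_port} not in allow list (default deny)"


if __name__ == "__main__":
    for flow in [("10.10.4.7", "10.20.1.5", 443),     # user to web app
                 ("10.10.4.7", "10.20.50.10", 443),   # user straight to CRM
                 ("10.10.4.7", "10.10.9.9", 445),     # user to another user (SMB)
                 ("10.40.0.2", "10.20.50.10", 443)]:  # bastion to CRM
        print(flow, evaluate(*flow))
```

The third flow is the one that matters for lateral movement: a compromised workstation trying to reach a peer on the same segment is denied even though both addresses are "inside", and the CRM carve-out means a rule that opens the general server range does not quietly open the sensitive database too.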
Manage all endpoints
Endpoint detection and response solutions are designed to detect device threats and remediate them. They’re important for all businesses but especially critical for remote organizations. The farther away endpoints are physically, the more challenging it is to protect them.
All endpoints need to be monitored for suspicious activity and should be outfitted with anti-malware software or a similar tool to detect viruses. Gaining access to a badly protected endpoint is one of the easiest ways for an attacker to breach an entire company network.
Implement a high-power firewall
Perimeter solutions like next-generation firewalls are critical for all businesses with sensitive data and applications residing on the network. Advanced firewalls do more than traditional ones, analyzing traffic for recognized threat actor patterns and allowing admins to create detailed security policies. Although firewalls don’t keep every threat away, they are a critically important line of defense for networks.
Make sure your network and IT teams are constantly analyzing network traffic and user behavior. Tools like security information and event management (SIEM) software give them a comprehensive view of the network. Both on-premises and cloud-based networks should be monitored, as should all endpoints directly connected to the network.
Train every employee
This is one of the most important measures your business can take because employee mistakes cause or exacerbate so many network security vulnerabilities. People affect internet security practices, access to physical premises, access control vulnerabilities, and network misconfigurations.
One misconception about security is that only IT, network engineers, and other tech teams like storage and cloud need to undergo cybersecurity training. But really, every employee in the organization does. The HR and finance departments won’t receive stringent instructions on things like secure protocols, but they do need to know the risks of opening email attachments, clicking on malicious links, or allowing a stranger into the office.
Unfortunately, many employees ignore cybersecurity training sessions or pick and choose which rules they want to follow. Examples include using unprotected coffee shop networks instead of private Wi-Fi or a VPN and using the same passwords for multiple applications. Part of any training program requires businesses to increase the pressure on employees. They need to know how important security is, but they also need greater accountability.
Having more frequent training sessions helps emphasize the seriousness of network security, as well as the role that all employees — not just the IT team — play in it. Managers should also have regular conversations with direct reports about good protective practices. The more employees talk about security, the more they’ll be aware of their role in it, and the more self-conscious they’ll feel about flouting their organization’s guidelines.
Bottom Line: Network Security Threats
Security is one of the most important investments a business can make, and it is the responsibility not just of the IT or engineering teams but of the entire organization. It helps mitigate immense financial loss from cyber attacks, as well as reputational loss, and keeps business operations running.
The need for tight cybersecurity defenses has also steeply increased in the last five years. The rise of ransomware and the sophisticated tactics of bad actors necessitate equally strong action from enterprises. No longer can IT teams and engineers sit back and hope that a firewall or good passwords will save them from the vulnerabilities that besiege their network.
Keep a close eye on all the threats mentioned above, and train your teams to detect threats and prevent them. Ensure that you don’t let little things slide; small misconfigurations or unpatched vulnerabilities can still cost the business millions of dollars if successfully exploited. It’ll take time, but commit to implementing consistent and careful cybersecurity practices within your business, and eventually network security will be an immediate and natural response to all threats.