Companies are refreshing their network infrastructure after years of deferred investment… and making them less secure in the process, a new report finds.

The latest Network Barometer Report from the firm Dimension Data finds that networks are getting younger for the first time in five years, but that networks are also less secure than they’ve been in five years. More than three quarters (76%) of network devices surveyed had at least one known security advisory associated with them. Last year that figure was 60%, Dimension Data said in its report.

There are lots of industry reports out there and most are thinly guised marketing. The Dimension Data Network Barometer Report is a bit different and worth noting. There’s a hard quantitative edge to it: the report is compiled from both opinion surveys (OK – subjective) and 320 Technology Lifecycle Management Assessments (TLMAs) covering 97,000 network devices in 28 countries and across multiple industry sectors during the last year. Dimension also taps data on the networks it monitors for clients that cover 300,000 incidents on more than 1.5 million assets in 105 countries.

In other words: there’s a good bit of data that informs the conclusions of the report. Among the interesting findings of the report:

• Newer devices take longer to fix than “obsolete” devices. Wait… what? You’d think that legacy networking equipment would be the hardest and take the longest to fix in the event of a vulnerability or other security issue. But Dimension’s data suggests otherwise. Obsolete and aging devices take respectively 17.1% and 32.9% less time to repair than “current” networking equipment.
  
  Why? Blame the vendor. “Because they’re new, bugs need to be fixed by the vendor, and a new version of the software issued. This process pushes up the average time to fix on current devices.” Dimension also theorizes that new devices experience what it termed a “settling in” period after new products are released during which a relatively higher volume of security issues bubbles up and requires patches and other remediation. That puts more pressure on IT staff to respond – the opposite of what most of us would assume.
• Some industries are doing better at security, some are doing worse. Overall, networks were slightly less secure in the 2016 survey, but that doesn’t mean that this was the case everywhere. Dimension found that in some sectors, great improvements in network security had taken place, while in others, the opposite was true. The company singled out the retail sector, where the percentage of network equipment running with security vulnerabilities fell from 81% to 67% from 2015 to 2016. However, in manufacturing, the percentage of devices with vulnerabilities has risen from 47% to 73% this year. More vulnerabilities in network infrastructure makes a network more attractive as a target, Dimension said.
• Network vulnerabilities are not evenly distributed. Different types of network devices were more likely to contain vulnerabilities than others. Aggregation routers and access switches were found to be the most vulnerable. Wireless routers and data center switches were the least likely to be vulnerable.
• Beware the monoculture: vulnerabilities in Cisco’s IOS operating system accounted for all five of the top five security advisories affecting networks in the survey, including vulnerabilities in IOS’s implementation of the OpenSSL technology.

The implications of the survey are clear enough: successful network hacks depend on the presence of exploitable vulnerabilities – either to gain a foothold or to spread laterally from low value assets to higher value assets. The more vulnerable equipment you have, the bigger the target on your back for hackers.

The solution for this is simple enough. Dimension found that both updating obsolete or aging equipment and patching regularly do wonders to improve the security of networks and reduce their exposure to damaging hacks.

This blog has spoken of the importance of patching before in the context of threats like ransomware, for example, or point of sales systems. This report makes it clear, however, that patching goes well beyond the endpoint. Organizations need to keep close tabs on their networking infrastructure and make sure that it, also, is up to date to prevent damaging attacks and the data and intellectual property loss that often follows them.