Security-conscious UK companies are getting better at eliminating high-risk vulnerabilities from their networks, but are beginning to slack off when it comes to medium-risk security holes, according to NTA Monitor's sixth annual security audit.

The audit, published this week, is based on nearly 500 regular network perimeter security tests, and found that a third of networks had at least ten flaws, opening them to "considerable risk of malicious attack", the report said. And these are likely to be among the most secure networks in Britain, NTA Monitor said. "The people who go to the trouble and expense to commission penetration tests are probably in the upper quartile of secure sites," said NTA technical director Roy Hills. He compared the situation to locking the front door and turning the burglar alarm on, but leaving the windows open and forgetting to latch the back gate.

Critical vulnerabilities have become rarer, being found in only 3.9 percent of tests, down from 21 percent in 2001 and 6.0 percent in 2003. Medium and low-level holes, however, became more common, rising from 73 percent last year to 74 percent this year.

As companies get more efficient at keeping high-profile flaws under control, the presence of more routine problems will become more important, NTA said, with hackers looking for the easiest route of entry. NTA also believes that virtual private networks (VPNs) are likely to become more of a focus for attackers, which could prove serious, since network managers are under the mistaken impression that VPN servers are less vulnerable than Web or email servers. "There are a lot of VPN vulnerabilities around, but there's a perception out there that because they use strong security, VPNs are invulnerable," said Hills.

NTA defines a critical flaw as one that is well-known and gives an attacker control of a system on its own. Medium-level flaws may provide attackers information that could be used to mount a successful attack, could be used in combination with other flaws to gain control of a network, or could allow denial-of-service (DoS) attacks.

For example, NTA routinely found problems in the way routers were configured, usually routers outside the firewall connecting the company to its ISP. An attack on such a device wouldn't allow access to a network, but could knock the company offline, a serious enough result. "If you go back five or ten years that would not necessarily be a terrible thing, but the Net is more business-critical now," Hills said.

Companies can't afford to allow medium-level vulnerabilities to hang around, Hills said, particularly as the general level of security is constantly rising. "You need to be at least average on security. If you fall below the average, you're going to present a more attractive target."

VPNs can often create a security issue simply because they are not considered to be vulnerable, according to Hills. Almost every VPN the company has tested was found to have vulnerabilities, and attackers are known to routinely scan for VPN systems, Hills said. "It is common for customers to say, 'We know our VPN is secure, but we'd like you to test it anyway.' People are surprised when we say we've got user names, received a hash from the VPN server, cracked it and entered the system," Hills said.

VPN servers also make attractive targets because a successful exploit gives the attacker full access to a company's internal network, behind the firewall. "Normally, even if you breach an email or Web server, it's going to put you into a DMZ, not on the internal network," Hills said.

The audit included NTA customers in the private and public sector and was completed on 31 March 2004.