What are ‘Service Risks’ and why should I be concerned?

This risk relates to services that have been identified and that contain a known vulnerability, i.e. a weakness that attackers can use to attack or compromise them. Examples of services are a database (e.g. MySQL) or a web server (e.g. Apache).

Obsolete Services

This risk relates to services that have been identified and are using software which is out of date and no longer supported or maintained by its developer. This means that bugs won’t be fixed and vulnerabilities will not be patched; they may not even be publicly disclosed until attackers have already exploited them. Running any out-of-date software leaves an organisation extremely vulnerable both to attack (just as running vulnerable services does) and to service failure.

Misconfigured Services

Services such as:

- Databases which may contain personal or sensitive commercial data

- Developer or administration access points to computers

- Routers or network equipment

will immediately attract the attention of attackers and should be hidden behind firewalls, protected by strongly enforced logins, or be accessible only via a VPN. Incidents are regularly reported of organisations leaving databases containing sensitive data freely accessible directly from the Internet.
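One way to check a Linux host for this kind of misconfiguration is to audit which services listen on every network interface rather than only on localhost or a management address. The script below is an added example, not part of the original page: it parses the output of `ss -Hltnp` and flags database and administration ports bound to a wildcard address. The port list and the sample `ss` lines are constructed for illustration.

```python
"""Flag sensitive services that listen on all interfaces (added example)."""
import re

# Ports that commonly belong to databases or admin access points.
# Assumed list for illustration; extend it for your own environment.
SENSITIVE_PORTS = {
    22: "SSH (admin access)",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    3389: "RDP (admin access)",
}

# A wildcard bind means "every interface": reachable from the Internet
# if the host is Internet-facing and no firewall blocks the port.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -Hltnp` output (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 70 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1204,fd=21))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1350,fd=6))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=1501,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""


def split_addr(local):
    """Split 'addr:port' (IPv4, bracketed IPv6, or '*') into (addr, port)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def exposed_services(ss_output):
    """Return sorted (port, service, process) tuples for sensitive ports
    bound to a wildcard address; loopback-only binds are not reported."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, port = split_addr(fields[3])
        if addr in WILDCARDS and port in SENSITIVE_PORTS:
            match = re.search(r'\("([^"]+)"', line)
            process = match.group(1) if match else "unknown"
            findings.add((port, SENSITIVE_PORTS[port], process))
    return sorted(findings)


if __name__ == "__main__":
    for port, service, process in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"port {port} ({service}, {process}) listens on all interfaces")
```

On a real host, pipe `ss -Hltnp` into `exposed_services` and restrict each reported service to localhost, a firewall rule, or a VPN-only address.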