user access to switch

[thorin]

There may be some argument that the IT dept. needs to be able to manage the device from the outside (on-call or whatever), if this is really necessary then I'd suggest:

• Disable telnet and use SSH
• Create an ACL which limits the IPs (or IP ranges) that can connect to SSH
• Ensure the devices are hardened (don't use default accounts [even if the passwords are changed])
• Ensure that passwords used for the device follow a strong process/policy (i.e.: complexity, age, history, etc.)

[Lincoln]

There may be some argument that the IT dept. needs to be able to manage the device from the outside (on-call or whatever), if this is really necessary then I'd suggest:

• Disable telnet and use SSH
• Create an ACL which limits the IPs (or IP ranges) that can connect to SSH
• Ensure the devices are hardened (don't use default accounts [even if the passwords are changed])
• Ensure that passwords used for the device follow a strong process/policy (i.e.: complexity, age, history, etc.)

Agreed, I do not know the extent of the company's needs and the above would certainly reduce the risk at least.

I was taking this more from the perspective that the company doesn't seem to either have a structured IT department or security policy in place (this is only an assumption from the posts).

They hired an inexperienced person (again nothing wrong with that) to conduct a pentest on their company. The OP mentioned that they used to consult outside for services. To me, this seems like a small company that probably doesn't need much in IT "upkeep" or complex maintenance on a regular basis since they turned the OP for help. That being said, the easiest and best thing to do would be lock this stuff down if there isn't a real need for remote management over the internet. Again, I am just basing this off what I read, I could be completely wrong.

To OP, I guess the question is what role do you have at the company? Can you address these issues? Was this just a risk assessment, or are you going to make changes to the network?

[lupin]

Lupin or anybody else,
So if risk is high, but probability is low, would you still give it a high rating? What would an experienced, seasoned hacker or attacker do with a public switch if they were able to sniff traffic and get admin privs on the device? There is obviously DOS. They could span the traffic to another device they own and sniff all company traffic coming in and out the network? What else?

There's the potential for an experienced hacker to intercept, redirect, or modify traffic flowing through the device as well as to use the switch as a pivot point to access other systems, or to use the administrative interfaces to attack administrators client machines (which can in turn be used as pivot points). An attacker installing a modified IOS image on the switch (giving the potential for arbitrary code execution from the switch) is also not out of the question.

As to determining risk we are back to looking at what that switch can access what traffic flows through it and what other systems it can communicate to. Without the benefit of business knowledge of your environment I would put both impact and probability of this at a medium to high level, making the overall risk high as well.

In determining the risk I'd also agree with thorin's point that just because you haven't been able to demonstrate a proof of concept of a full blown attack on this yourself it doesn't mean that someone else wont be able to. Because of the limited time that you have to perform any penetration test, I think that under the circumstances you would be justified in making some educated assumptions about what an attacker could do with this switch admin interface and rating the risk accordingly.