Hacking Your VOIP Box from the Net
Do you do penetration testing of your own network? Is it comprehensive enough? Read this recent blog post from McAfee's Avert Labs and you may wonder. An Avert analyst read about vulnerabilities in the Cisco IP phone model 7960 and then used Google to try to find publicly accessible 7960 phones. He found "almost 10" (does that mean nine? awkward turn of phrase). One of them had the vulnerable firmware version. The vulnerability is that the phone's Web interface reveals a lot of sensitive network information, so the company that holds that phone has a vulnerable network. What was revealed by the phone? "... the IP addresses of the TFTP server/router/DNS server/DHCP server/Cisco Call Manager, as well as some application links, internal device configuration, and debugging information. If there are any exploitable vulnerabilities in one of these linked servers, attackers could use this information to stage further attacks." There's always more to test for, and mistakes you make in device configuration can have dire consequences.
