A central point for collection of information that relates to computer security, including, but not limited to, security advisories from the major vendors, major data breaches, "phishing" alerts, commentary regarding staffing levels, etc., with MINIMAL spreading of FUD (Fear, Uncertainty & Doubt).
Cyber Security Report
September 17, 2009 at 1:43 pm #80834
Major Organizations Overlooking High Priority Security Risks, Too Much Focus on OS
According to a new security report released today by SANS Institute, TippingPoint and Qualys, the number of vulnerabilities found in applications in the last few years is far greater than the number of vulnerabilities discovered in operating systems. "On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the lower priority risk."
Main findings in the report include:
* Unpatched popular client-side applications put businesses at risk for data theft: PC applications often remain unpatched, compromising these machines to be used to propagate attacks and compromise internal computers. This leaves a window open for hackers to steal critical data, impact network performance and affect business continuity. Examples of these applications include Adobe Acrobat Reader, Microsoft Office and Apple QuickTime.
* The number of Web application attacks is increasing, elevating the threat posed by previously trusted Web sites: Web applications comprise more than 60 percent of the total attack attempts occurring on the Internet. These vulnerabilities are being exploited widely to convert trusted Web sites into malicious servers serving client-side exploits.
* Operating system vulnerabilities are decreasing, but still pose a significant threat to an organization's security resources: Operating systems (OS) have a lower number of vulnerabilities that can be remotely exploited to become massive Internet worms. Conficker/Downadup is the exception and represents a major hole in many organizations' security strategy. Attacks on Microsoft OS were dominated by Conficker/Downadup worm variants. For the past six months, over 90 percent of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067.
* A growing number of vulnerability researchers is causing a backlog of unpatched software and a greater risk that these will be exploited. The number of people discovering zero day vulnerabilities is growing fast, yielding a growing number of vulnerabilities that remain unpatched—some for as long as two years. This lag time in patching increases the chance of hackers creating exploits targeting those vulnerabilities.
The full report can be viewed/downloaded from the SANS website.
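The headline finding above (client-side fixes taking at least twice as long as OS fixes) is a metric any organisation can compute from its own patch inventory. The following is an added example, not code from this post or from the SANS/TippingPoint/Qualys report: it takes a constructed host inventory with advisory and patch dates (all hosts, products and dates are made up), computes the median days-to-patch per class, and lists still-open items older than a threshold, which is the exposure window the report warns about.

```python
# Added example (not from the SANS/TippingPoint/Qualys report or this post):
# measure median patch lag per vulnerability class from a host inventory.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    product: str
    category: str                  # "os" or "client" (client-side application)
    advisory_published: date       # date the vendor advisory / fix became available
    patch_applied: Optional[date]  # None = still unpatched as of the snapshot date


# Constructed sample inventory: hosts, products and dates are made up
# to illustrate the calculation, not taken from the report.
AS_OF = date(2009, 9, 17)
SAMPLE: List[PatchRecord] = [
    PatchRecord("ws-01", "Windows XP", "os", date(2009, 8, 1), date(2009, 8, 7)),
    PatchRecord("ws-02", "Windows XP", "os", date(2009, 8, 1), date(2009, 8, 9)),
    PatchRecord("srv-01", "Windows Server 2003", "os", date(2009, 8, 1), date(2009, 8, 12)),
    PatchRecord("ws-01", "Adobe Reader", "client", date(2009, 7, 1), date(2009, 7, 15)),
    PatchRecord("ws-02", "Adobe Reader", "client", date(2009, 7, 1), date(2009, 7, 19)),
    PatchRecord("ws-03", "Apple QuickTime", "client", date(2009, 7, 1), date(2009, 7, 23)),
    PatchRecord("ws-04", "Microsoft Office", "client", date(2009, 7, 1), None),
]


def days_to_patch(rec: PatchRecord, as_of: date) -> int:
    """Days from advisory to fix; still-open items count up to the snapshot date."""
    end = rec.patch_applied if rec.patch_applied is not None else as_of
    return (end - rec.advisory_published).days


def median_lag_by_category(records: List[PatchRecord], as_of: date) -> Dict[str, float]:
    """Median days-to-patch for each category ("os", "client")."""
    by_cat: Dict[str, List[int]] = {}
    for r in records:
        by_cat.setdefault(r.category, []).append(days_to_patch(r, as_of))
    return {cat: median(lags) for cat, lags in by_cat.items()}


def priority_gap(records: List[PatchRecord], as_of: date) -> float:
    """How many times longer client-side fixes take than OS fixes (>1 reproduces the report's finding)."""
    lags = median_lag_by_category(records, as_of)
    return lags["client"] / lags["os"]


def still_unpatched(records: List[PatchRecord], as_of: date, older_than_days: int) -> List[PatchRecord]:
    """Open items older than the threshold: the exposure window the report describes."""
    return [r for r in records
            if r.patch_applied is None and days_to_patch(r, as_of) > older_than_days]


if __name__ == "__main__":
    for cat, lag in sorted(median_lag_by_category(SAMPLE, AS_OF).items()):
        print(f"{cat:7s} median days to patch: {lag:g}")
    print(f"client-side lag is {priority_gap(SAMPLE, AS_OF):.1f}x the OS lag")
    for r in still_unpatched(SAMPLE, AS_OF, 60):
        print(f"open > 60 days: {r.host} {r.product} ({days_to_patch(r, AS_OF)} days)")
```

Unpatched items are deliberately counted up to the snapshot date rather than dropped, otherwise the worst cases (the ones the report says stay open for up to two years) would vanish from the median and make the lag look shorter than it is.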
September 18, 2009 at 11:06 am #80836
Another related story
According to a new report, published today by SANS, the overwhelming majority of all cyber-security risks can be laid at the door of just two areas: unpatched client-side software and vulnerable Internet facing web sites.
The report was compiled by Rohit Dhamankar, Mike Dausin, Marc Eisenbarth and James King of TippingPoint with assistance from Wolfgang Kandek of Qualys, Johannes Ullrich of the Internet Storm Center, and Ed Skoudis and Rob Lee of the SANS Institute faculty. But, to be fair, I'm not sure that attack data from systems protecting 6,000 organisations and vulnerability data from 9,000,000 systems was really needed to arrive at its conclusion.
You only need to keep an eye on the news to realise that unpatched software is being targeted by the spear phishers and bad guys, with client-side vulnerabilities in the likes of Adobe software hitting the headlines this year and last.
The SANS 'Top Cyber Security Risks' report says that it represents "the primary initial infection vector used to compromise computers that have Internet access." What is interesting is the report finding that, on average, major organisations will take at least twice as long to patch these client-side software vulnerabilities as they do to patch operating system vulnerabilities. As SANS puts it "the highest priority risk is getting less attention than the lower priority risk."
And talking of priority risks, the number two according to the report would be vulnerable web sites. SANS says that attacks against web applications constitute "more than 60% of the total attack attempts observed on the Internet." No real shocker there either then, especially coming hot on the heels of another report which suggests that some 90% of all web applications have at least one medium risk vulnerability present and 27% have at least one high risk. The SANS numbers pretty much match up with other reports, suggesting that SQL injection and Cross-Site Scripting in web applications account for around 80% of the vulnerabilities reported. Again, almost incredulously, web site owners are simply failing to effectively scan for the most common of flaws and leaving their sites and applications open to abuse.
On the good news front, OS worms are down with only Conficker making any real impact between March and August this year. That impact looks like continuing though, with emerging news that Conficker is back with a scareware twist in the tail. On the not so good news front, zero-day vulnerabilities have continued to rise significantly over the last three years with some remaining unpatched for as long as 2 years.