A new report from the SANS Institute, TippingPoint, and Qualys, based on data collected from March through August 2009, essentially says IT security teams are misdirected. Security operations within IT remain focused on operating system issues, leaving the two largest security problems, client-side software and web applications, on the back burner.
IT focused on the wrong threats to the network, study says.
The attack data in the report comes from intrusion prevention system (IPS) appliances deployed by TippingPoint at some 6,000 companies and government agencies. The vulnerability data comes from Qualys, via appliances and software that monitored more than 9,000,000 systems and ran over 100,000,000 scans. The combined information from Qualys and TippingPoint was then vetted by the SANS Institute and the Internet Storm Center.
The report focuses on three things. The first is that IT operations are, for the most part, making great strides in patching and securing the infrastructure against operating system threats. Other than the issues with Conficker, there were no new worms based on operating system flaws during the period the data was collected. That said, the other side of the operating system coin is that the number of buffer overflow attacks tripled from May-June to July-August, accounting for more than 90 percent of the attacks against Windows.
The other two issues, mostly ignored by IT security, are the reason buffer overflow attacks worked so well during the study period: the jump in overflow-based attacks correlated with the increase in the number of client-side software and web application vulnerabilities.
“Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access,” the report says while discussing client-side software.
According to the report, client-side software vulnerabilities are patched much more slowly than vulnerabilities discovered in an operating system. For example, vulnerabilities in Adobe Reader, Flash, and Microsoft Office took days, if not weeks, longer to patch than vulnerabilities in Windows itself.
When it comes to attacks against web applications, they account for more than 60 percent of the attack attempts seen on the Internet. Vulnerabilities such as SQL Injection (SQLi) and Cross-Site Scripting (XSS) accounted for more than 80 percent of the problems observed in open-source as well as custom applications. The two attack vectors are linked by criminals, who compromise a web application and then use it to distribute client-side software exploits. Yet web applications and client-side software take a back seat when it comes to security planning.
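To make the two vulnerability classes the report singles out concrete, here is an added example (not from the report or from The Tech Herald) showing a login check and a profile page in their injectable form beside their hardened form. The database, table layout, user names and the `' OR '1'='1` payload are all constructed for illustration; it runs against an in-memory SQLite database with Python's standard library only.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: two users, one of whom stored a script tag in their bio."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "Likes patch Tuesday."),
            ("bob", "hunter2", "<script>alert(1)</script>"),
        ],
    )
    return conn


# --- SQL Injection -------------------------------------------------------

def login_vulnerable(conn, name, password):
    """User input is spliced into the SQL text, so quotes in the input become SQL syntax."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Bound parameters keep the input as data; the query shape cannot change."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# --- Cross-Site Scripting ------------------------------------------------

def render_bio_vulnerable(conn, name):
    """Stored data is echoed straight into HTML, so a stored <script> runs in every visitor's browser."""
    row = conn.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return f"<p>{row[0]}</p>"


def render_bio_escaped(conn, name):
    """Output encoding turns the markup characters into harmless entities before they reach the page."""
    row = conn.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return f"<p>{html.escape(row[0])}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed SQLi payload; the trailing quote closes the literal
    print("vulnerable login with bad password:", login_vulnerable(db, "alice", payload))
    print("parameterized login with bad password:", login_parameterized(db, "alice", payload))
    print("vulnerable bio:", render_bio_vulnerable(db, "bob"))
    print("escaped bio:", render_bio_escaped(db, "bob"))
```

The vulnerable login succeeds with the payload because the WHERE clause becomes `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the parameterized version compares the literal string and rejects it. The escaped renderer is the shape of the fix for the stored-XSS half of the problem: the same data, encoded at the point where it is written into HTML.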
Another interesting observation from the report, tied to the buffer overflow increase and to the web application and client-side security issues, is the increase in zero-day vulnerabilities.
“World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities…Some vulnerabilities have remained unpatched for as long as two years,” says the report.
The report also mentions a corresponding lack of skilled researchers working for software vendors, correctly pointing out that such researchers could locate zero-day issues before the criminals do. The problem behind this observation is not a lack of skilled researchers looking for legitimate security jobs; it is that companies can't or won't hire them.
This could be due to a lack of funding, or to the lack of a "certification" held by the potential hire. Security certifications are expensive, so many of those who are able to do the work never get into the legitimate research field for lack of official education and training. Sometimes, hands-on knowledge simply doesn't outweigh those little letters after your name.
Again, the overall focus of the report is mitigation of web application and client-side software vulnerabilities. Those are the two most common vectors of attack, and the two avenues of defense most often pushed aside within IT. Included with the report are mitigations for HTTP server threats, as well as a best practices guide for mitigating and controlling the top risks.
You can read the entire report online here.