Jim Kita's MS Architecture Blog

Best Practices in Enterprise Application Architecture from an MS perspective.


There are glimmers of good news to be found in the newly published SANS report on The Top Cyber Security Risks, an exhaustive survey of attack data collected from the intrusion prevention systems of over 6000 organizations. But the report also reveals how gaps in organizational security policies lead directly to an avalanche of critical weaknesses in the IT infrastructure. As a result, this report should be considered a must-read for anyone involved in information security.

On the client side, the report indicates that no new widespread worms on the order of Conficker/Downadup have been detected in the wild. Nonetheless, attacks on the OS vulnerabilities that lead to worm-type malware tripled from early summer to late summer, an indication that the miscreants are not giving up on attacking operating systems. More troubling, though, is the rise in attacks on vulnerabilities in common applications like Adobe Reader, QuickTime, Adobe Flash and Office. Given that organizations take twice as long to patch these applications as they do to patch the OS, SANS observes that “the highest priority risk is getting less attention than the lower priority risk.” IT organizations are aware that attacks on application vulnerabilities often occur through targeted email attachments as well as “drive by” attacks, in which users visit nefarious web sites that intentionally host malware. Unfortunately, the report makes clear that the IT security picture is more complicated, since numerous trusted internet sites have been compromised so that they surreptitiously become hosts and attack vectors for malware. This leads directly to the SANS findings on the server side.

The SANS report indicates that a staggering 60% of attacks detected in the wild are directed at Internet-facing web applications. These attacks not only target information disclosure vulnerabilities, but also aim to alter the public-facing application so that it becomes a new stealth malware host. Both open source web application frameworks and custom applications are actively being targeted using the well-known techniques of SQL Injection and Cross Site Scripting. A successful attack on an organization’s public-facing web site exploits the trusted relationship the company has with its customers to distribute malware to those same customers. Since the report observes that “most web site owners fail to scan effectively for the common flaws,” the situation is becoming more widespread. For architects of web-based enterprise applications, the report clearly shows that threat modeling and remediation on public-facing applications can no longer be considered optional; they are important factors that must be considered at every point of the software development lifecycle.

In conclusion, the SANS report is a great snapshot of the current threat to Internet security.  Fortunately, the report concludes with references and recommendations for steps to remediate and control the top security risks identified in the report.  As a result, this report should be read and digested by anyone involved in internal or external information security.

[This article first appeared on the Analysts International corporate blog.]

posted on Tuesday, September 15, 2009 2:11 PM