Daft users and insecure web apps dominate threat index

Software vulns are so last year

Cyber criminals and spies have shifted their focus of attack in response to improved security defences.

Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built applications, according to the latest annual threat landscape report by the SANS Institute.

The latest edition of the SANS Institute's Top 20 Internet Security Risks list, published Tuesday, highlights a shift away from traditional avenues of attack against flaws in commonly used software packages towards more customised and targeted assaults. Although the Top 20 focuses on emerging attack patterns, old-school vulnerabilities remain a problem.

Browser security bugs and the like are still being targeted by automated attack programs that scan the web for vulnerable systems. A new system can expect to survive only five minutes on the net before being attacked, according to experts at the SANS Institute's Internet Storm Centre.

Qualys, which markets tools that scan for vulnerabilities, reports a "huge jump" in the number of vulnerabilities in Microsoft Office products, up 300 per cent over the last 12 months. Excel vulnerabilities were the main factor in this growth, according to Amol Sarwate, manager of the vulnerability labs at Qualys.

Patching and standard defensive tools (such as firewalls and intrusion detection) go a long way towards fighting off attacks against software vulnerabilities. Defending against user stupidity or attacks against customised applications is a much harder task.

"For most large and sensitive organisations, the newest risks are the ones causing the most trouble," said Alan Paller, director of research at SANS. "The new risks are much harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organisations have, so far, been willing to implement."

Web application security is a particularly thorny issue because many developers know little about security. Once breached, web applications provide a handy avenue into the back-end databases that hold sensitive information.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications," Paller said.

Forty-three security experts from government, industry, and academia in a half dozen countries cooperated to produce the Top 20 threat list of the worst security risks. Suppliers agree that securing web applications is among the toughest challenges facing the industry.

"Although half the total vulnerabilities reported in 2007 are in web applications, it’s only the tip-of-the-iceberg," said Rohit Dhamankar, senior manager of security research for TippingPoint. "These data exclude vulnerabilities in custom developed web applications. Compromised websites provide avenues for massive client-side compromises via web browser, office documents and media player exploits. This vicious circle of compromise is proving to be harder to break each day".

As in past years, Qualys has released a tool (registration required) that allows users to test computers for the elements on the Top 20 that lend themselves to remote testing.

Best practices for preventing top 20 risks:

  1. Configure systems, from the outset, with the most secure configuration available from the vendor and use automation to keep users from installing/uninstalling software.
  2. Use automation to make sure systems maintain their secure configuration and remain fully patched with the latest software versions and anti-virus updates.
  3. Proxy critical client level services.
  4. Protect sensitive data through encryption, access controls, and automated data leakage protection.
  5. Use automated inoculation for awareness, and establish penalties for those who do not follow the acceptable use policy.
  6. Perform proper DMZ segmentation using firewalls.
  7. Push to minimise the security flaws in web applications by testing programmers' security knowledge and testing the software for flaws.

In other words, as SANS summarises, trust but verify through automation and testing. ®
