Daft users and insecure web apps dominate threat index

Software vulns are so last year

Providing a secure and efficient Helpdesk

Cyber criminals and spies have shifted their focus of attack in response to improved security defences.

Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built applications, according to the latest annual threat landscape report by the SANS Institute.

The latest edition of the SANS Institute's Top 20 Internet Security Risks list, published Tuesday, highlights a shift away from traditional avenues of attack against flaws in commonly used software packages towards more customised and targeted assaults. Although the Top 20 focuses on emerging attack patterns, old-school vulnerabilities remain a problem.

Browser security bugs and the like are still being targeted by automated attack programs that scan the web for vulnerable systems. A new system can expect to survive only five minutes on the net before being attacked, according to experts at the SANS Institute's Internet Storm Centre.

Qualys, which markets tools that scan for vulnerabilities, reports a "huge jump" in the vulnerabilities in Microsoft Office products, up 300 per cent over the last 12 months. Excel vulnerabilities were the main factor in this growth, according to Amol Sawarte, manager of the vulnerability labs at Qualys.

Patching and standard defences (such as firewalls and intrusion detection) tools go a long way towards fighting off attacks against software vulnerabilities. Defending against user stupidity or attacks against customised applications is a much harder task.

"For most large and sensitive organisations, the newest risks are the ones causing the most trouble," said Alan Paller, director of research at SANS. "The new risks are much harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organisations have, so far, been willing to implement."

Web application security is a particularly thorny issue because many developers know little about security. Once breached, web applications provide a handy avenue into to back-end databases that hold sensitive information.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications," Paller said.

Forty-three security experts from government, industry, and academia in a half dozen countries cooperated to produce the Top 20 threat list of the worst security risks. Suppliers agree that securing web applications is among the toughest challenges facing the industry.

"Although half the total vulnerabilities reported in 2007 are in web applications, it’s only the tip-of-the-iceberg," said Rohit Dhamankar, senior manager of security research for TippingPoint. "These data exclude vulnerabilities in custom developed web applications. Compromised websites provide avenues for massive client-side compromises via web browser, office documents and media player exploits. This vicious circle of compromise is proving to be harder to break each day".

As in past years, Qualys has released a tool (registration required) that allows users to test computers for the elements on the Top 20 that lend themselves to remote testing.

Best practices for preventing top 20 risks:

  1. Configure systems, from the outset, with the most secure configuration available from the vendor and use automation to keep users from installing/uninstalling software.
  2. Use automation to make sure systems maintain their secure configuration and remain fully patched with the latest software versions and anti-virus updates.
  3. Proxy critical client level services.
  4. Protect sensitive data through encryption, access controls, and automated data leakage protection.
  5. Use automated innoculation for awareness, and establish penalties for those who do not follow acceptable use policy.
  6. Perform proper DMZ segmentation using firewalls.
  7. Push to minimise the security flaws in web applications by testing programmers' security knowledge and testing the software for flaws.

In other words, as SANS summarises, trust but verify through automation and testing. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story


A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.