Daft users and insecure web apps dominate threat index

Software vulns are so last year


Cyber criminals and spies have shifted their focus of attack in response to improved security defences.

Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built applications, according to the latest annual threat landscape report by the SANS Institute.

The latest edition of the SANS Institute's Top 20 Internet Security Risks list, published Tuesday, highlights a shift away from traditional avenues of attack against flaws in commonly used software packages towards more customised and targeted assaults. Although the Top 20 focuses on emerging attack patterns, old-school vulnerabilities remain a problem.

Browser security bugs and the like are still being targeted by automated attack programs that scan the web for vulnerable systems. A new system can expect to survive only five minutes on the net before being attacked, according to experts at the SANS Institute's Internet Storm Centre.

Qualys, which markets tools that scan for vulnerabilities, reports a "huge jump" in the vulnerabilities in Microsoft Office products, up 300 per cent over the last 12 months. Excel vulnerabilities were the main factor in this growth, according to Amol Sawarte, manager of the vulnerability labs at Qualys.

Patching and standard defensive tools (such as firewalls and intrusion detection) go a long way towards fighting off attacks against software vulnerabilities. Defending against user stupidity or attacks against customised applications is a much harder task.

"For most large and sensitive organisations, the newest risks are the ones causing the most trouble," said Alan Paller, director of research at SANS. "The new risks are much harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organisations have, so far, been willing to implement."

Web application security is a particularly thorny issue because many developers know little about security. Once breached, web applications provide a handy avenue into the back-end databases that hold sensitive information.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications," Paller said.

Forty-three security experts from government, industry, and academia in half a dozen countries cooperated to produce the Top 20 list of the worst security risks. Suppliers agree that securing web applications is among the toughest challenges facing the industry.

"Although half the total vulnerabilities reported in 2007 are in web applications, it’s only the tip of the iceberg," said Rohit Dhamankar, senior manager of security research for TippingPoint. "These data exclude vulnerabilities in custom developed web applications. Compromised websites provide avenues for massive client-side compromises via web browser, office documents and media player exploits. This vicious circle of compromise is proving to be harder to break each day."

As in past years, Qualys has released a tool (registration required) that allows users to test computers for the elements on the Top 20 that lend themselves to remote testing.

Best practices for preventing top 20 risks:

  1. Configure systems, from the outset, with the most secure configuration available from the vendor and use automation to keep users from installing/uninstalling software.
  2. Use automation to make sure systems maintain their secure configuration and remain fully patched with the latest software versions and anti-virus updates.
  3. Proxy critical client level services.
  4. Protect sensitive data through encryption, access controls, and automated data leakage protection.
  5. Use automated inoculation for awareness, and establish penalties for those who do not follow acceptable use policy.
  6. Perform proper DMZ segmentation using firewalls.
  7. Push to minimise the security flaws in web applications by testing programmers' security knowledge and testing the software for flaws.

In other words, as SANS summarises, trust but verify through automation and testing. ®

