Daft users and insecure web apps dominate threat index

Software vulns are so last year

Cyber criminals and spies have shifted their focus of attack in response to improved security defences.

Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built applications, according to the latest annual threat landscape report by the SANS Institute.

The latest edition of the SANS Institute's Top 20 Internet Security Risks list, published Tuesday, highlights a shift away from traditional avenues of attack against flaws in commonly used software packages towards more customised and targeted assaults. Although the Top 20 focuses on emerging attack patterns, old-school vulnerabilities remain a problem.

Browser security bugs and the like are still being targeted by automated attack programs that scan the web for vulnerable systems. A new system can expect to survive only five minutes on the net before being attacked, according to experts at the SANS Institute's Internet Storm Centre.

Qualys, which markets tools that scan for vulnerabilities, reports a "huge jump" in the vulnerabilities in Microsoft Office products, up 300 per cent over the last 12 months. Excel vulnerabilities were the main factor in this growth, according to Amol Sarwate, manager of the vulnerability labs at Qualys.

Patching and standard defence tools (such as firewalls and intrusion detection) go a long way towards fighting off attacks against software vulnerabilities. Defending against user stupidity or attacks against customised applications is a much harder task.

"For most large and sensitive organisations, the newest risks are the ones causing the most trouble," said Alan Paller, director of research at SANS. "The new risks are much harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organisations have, so far, been willing to implement."

Web application security is a particularly thorny issue because many developers know little about security. Once breached, web applications provide a handy avenue into back-end databases that hold sensitive information.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications," Paller said.

Forty-three security experts from government, industry, and academia in a half dozen countries cooperated to produce the Top 20 threat list of the worst security risks. Suppliers agree that securing web applications is among the toughest challenges facing the industry.

"Although half the total vulnerabilities reported in 2007 are in web applications, it's only the tip of the iceberg," said Rohit Dhamankar, senior manager of security research for TippingPoint. "These data exclude vulnerabilities in custom developed web applications. Compromised websites provide avenues for massive client-side compromises via web browser, office documents and media player exploits. This vicious circle of compromise is proving to be harder to break each day."

As in past years, Qualys has released a tool (registration required) that allows users to test computers for the elements on the Top 20 that lend themselves to remote testing.

Best practices for preventing top 20 risks:

  1. Configure systems, from the outset, with the most secure configuration available from the vendor and use automation to keep users from installing/uninstalling software.
  2. Use automation to make sure systems maintain their secure configuration and remain fully patched with the latest software versions and anti-virus updates.
  3. Proxy critical client level services.
  4. Protect sensitive data through encryption, access controls, and automated data leakage protection.
  5. Use automated inoculation for awareness, and establish penalties for those who do not follow acceptable use policy.
  6. Perform proper DMZ segmentation using firewalls.
  7. Push to minimise the security flaws in web applications by testing programmers' security knowledge and testing the software for flaws.

In other words, as SANS summarises, trust but verify through automation and testing. ®
