SANS: Security Ignores the Two Biggest Cyber Risks

Client-side application vulnerabilities and insecure web apps deserve more attention than operating systems bugs, says new research from SANS Institute

By Joan Goodchild, Senior Editor

September 15, 2009 | CSO

Two major cyber risks dwarf all others, but organizations are failing to invest in the proper tools to mitigate them, choosing instead to focus security attention on lower risk areas, according to a report released Tuesday by SANS Institute.

The research, which draws upon data collected from March to August 2009 from thousands of organizations, claims companies give insufficient attention to today's risks and put their systems in peril by continuing to maintain the status quo with an emphasis on operating system patches and other outdated protection methods. Attack data for this research was drawn from TippingPoint appliances deployed at customer sites, while vulnerability data was collected via Qualys' scanning services.

The most surprising conclusion may be that client-side application software vulnerabilities pose a larger threat to network security than operating system vulnerabilities, which tend to get more attention when it comes to patching. SANS claims many spear-phishing attacks exploit vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office.

"This is currently the primary initial infection vector used to compromise computers that have Internet access," the report states.

The report notes that most large organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities, choosing to place a higher priority on the lesser risk.

In addition to unpatched client applications, SANS said the other priority for IT security now should be attention to web application vulnerabilities. Web applications constitute more than 60 percent of the total attack attempts observed on the Internet, according to the report.

"These vulnerabilities are being exploited widely to convert trusted web sites into malicious web sites serving content that contains client-side exploits," the report states. "Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80 percent of the vulnerabilities being discovered."

Despite the enormous number of attacks, and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience, said SANS researchers.

The two risks, and their tendency to be low priority for security, create a perfect storm for infection. With so many Internet-facing web sites vulnerable, and so many client applications that contain bugs, attackers find it easy to take advantage of unsuspecting web browsers. When users visit a trusted site, they feel safe downloading or simply opening documents, music or video, and it is these files that exploit client-side vulnerabilities.
