


by Paul Kerstein

Cyber Attacks Shift to Network Devices, Apps

Nov 23, 2005 · 3 mins

After years of writing viruses and worms for operating systems and software running on Internet servers, hackers found some new areas to target in 2005, according to a report on security trends published Tuesday.

Over the past year, attackers have switched their focus to network devices and applications, specifically back-up software and even the security software designed to protect computers, according to the 2005 SANS Top 20 list of the most critical Internet security vulnerabilities, says Alan Paller, director of research with the SANS Institute, a training organization for computer security professionals.

“There has been a 90-degree turn in the way attackers are coming after you,” Paller says. Most organizations have adopted means to automatically patch vulnerabilities in operating systems, he says, but not in applications. “Those applications don’t have automated patching, so we’re back to the Stone Age.”

And by exploiting flaws in networking gear, hackers are finding their way onto corporate networks.

“Other, more sophisticated attackers, looking for new targets, found they could use vulnerabilities in network devices to set up listening posts where they could collect critical information that would get them into the sites they wanted,” he added.

This new focus on client applications and networking products has happened because so many server-side and operating system bugs have been fixed, says Gerhard Eschelbeck, CTO and vice president of engineering with Qualys, and a contributor to this year’s list. “A lot of the low-hanging fruit has been identified now,” he says. “We really reached a tipping point earlier this year, where people started to look aggressively at client-side applications.”

Security researchers also started looking at vulnerabilities in networking products, thanks in part to a controversial presentation by security researcher Michael Lynn at this year’s Black Hat 2005 conference in Las Vegas. Cisco sued Lynn after he discussed security problems in the Internetwork Operating System (IOS) software that is used by Cisco’s routers.

This is the first year that networking products have appeared on the SANS list, with Cisco vulnerabilities taking three of the 20 slots. The list also includes nine common application vulnerabilities, two Unix problems and six Windows issues, all of which “deserve immediate attention from security professionals,” according to SANS.

One way to prevent such security flaws is to demand that vendors deliver hardened products to begin with, Paller says. For example, the U.S. Air Force gave Microsoft a large sum of money to develop a secure version of Windows that is now running at two sites.

“The Air Force decided it couldn’t afford to keep buying broken software from Microsoft,” he says. “We think that action is the herald of what will one day… turn the tide, with the government leading by example. It doesn’t take much of that to turn vendors into security vendors.”

The SANS Top 20 list, published annually since 2000 (see last year’s list), is compiled by representatives from a variety of computer security organizations, including the U.S. Computer Emergency Response Team, the British Government’s National Infrastructure Security Co-Ordination Centre and the SANS Internet Storm Center. The list is designed to give security professionals a quick sense of the industry’s consensus on which commonly targeted security vulnerabilities require their most immediate attention. It has traditionally focused on Windows and Unix vulnerabilities, as well as problems with some server-side applications.

By Robert McMillan and Cara Garretson – Network World (US online)