September 15, 2009, 4:47 AM — The latest report from the SANS Institute on top cyber security risks does something new: the organization paired actual attack data from two security vendors, TippingPoint (which makes network intrusion prevention systems) and Qualys (which sells application vulnerability scanning tools). The report finds that unpatched applications are more of a risk than the underlying operating system itself, mainly because many of these applications are far more vulnerable because they haven't been brought up to date by corporate IT departments. "On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities," says the report.
App vulnerabilities are compounded by the fact that many users run multiple browser versions making patching every helper app, such as Flash and Quick Time players, difficult at best. Flash doesn't have any automated update routine and has to work with the underlying browser for its updates. And Java has been slow in its patch cycle, according to the report.
A second threat vector is the corporate public Web site, which continues to be hammered with SQL Injection, Cross Site Scripting, and other attacks. None of these are new exploits, as the report says: "Most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience." To get an idea of how easy it is to do SQL injection, you can read my white paper that I wrote for Breach Security here several years ago.
"We cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted."
Driving this point home further, this week the ad servers for the New York Times' Web site was compromised by a phony Vonage ad that tricked users into downloading malware. Making matter worse, it took the Times' IT department several days to determine the source of the problem.
Finally, the report warns that zero-day vulnerabilities are on the rise, and often unresolved years after their discovery. They are also getting easier to find, both for researchers and criminals alike:
"For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability."
TippingPoint reported that vulnerabilities that were more than two years old were still waiting for patches.
