Fraud Prevention;
Treasury Management
September 21, 2010
According to a new report, "The Top Cyber Security Risks", jointly
issued by security vendors TippingPoint and Qualys, as well as the
Internet Storm Center and SANS Institute, more than half of current
cyber attacks against businesses and government agencies are focused on
two common classes of vulnerability. The report finds that client-side
software and Internet-facing websites are the greatest cyber risks.
Waves of targeted email attacks, often called spear phishing, are
exploiting client-side vulnerabilities in commonly used programs such as
Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is
currently the primary initial infection vector used to compromise
computers that have Internet access. The same client-side
vulnerabilities are also exploited by attackers who compromise websites
and use them to infect visitors, the report says.
How Client-side Exploits Happen
Client-side software matters so much because the client programs are
now the front door through which attackers walk to gain access to the
rest of the environment. "Without proper security of client systems,
attackers can compromise such systems on internal networks and use them
as a jump-off point for complete control within an enterprise
environment," according to the report.
Because visitors feel safe downloading documents from trusted sites,
they are easily fooled into opening documents and media (music, videos)
that exploit client-side vulnerabilities. Some exploits do not even
require the user to open a document. Simply visiting a compromised
website (a so-called drive-by download) is all that is needed to
compromise the client software.
The victims' infected computers are then used to
propagate the infection and compromise other internal computers and
sensitive servers incorrectly thought to be protected from unauthorized
access by external entities. In many cases, the ultimate goal of the
attacker is to steal data from the target organizations, and also to
install back doors through which the attackers can return for further
exploitation.
Web Application Attacks
The second critical area where hackers are focusing is vulnerable Web
applications. Attacks against Web applications constitute more than 60
percent of the total attack attempts observed on the Internet, according
to the report. These vulnerabilities are being exploited widely to
convert trusted websites into malicious sites, serving content that
contains client-side exploits. Web application vulnerabilities such as
SQL injection and cross-site scripting flaws, in open-source as well as
custom-built applications, account for more than 80 percent of the
vulnerabilities being discovered. Most website owners run scans only
once a quarter, and most of those scans look for operating-system
vulnerabilities and are ineffective at finding SQL injection or
cross-site scripting flaws.
In many cases, the Web applications are compromised via
mass-customized tools that are able to detect and exploit a wide range
of vulnerabilities (for example Web applications with SQL injection
flaws running Microsoft SQL server as a back end, or Web applications
written in PHP with remote file inclusion vulnerabilities). "These
attacks are so successful because users trust these websites and are
willing to install software or follow links that are offered by these
websites," the report adds. These attacks also affect millions of
systems and are among the most pervasive ways to distribute malware.
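As an added illustration, not code from the report or from this column, the following Python script shows the two Web application flaws named above, SQL injection and cross-site scripting, in a vulnerable form next to the corrected form. It uses an in-memory SQLite database with constructed sample rows; the table, user names and injection strings are invented for the example. The same string-concatenation mistake produces the same result against Microsoft SQL Server or any other back end; only the injected syntax varies.

```python
import html
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1), ("carol", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: attacker-controlled text is spliced into the SQL statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Fixed: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_vulnerable(name):
    """Cross-site scripting: user input is written into HTML unencoded."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Fixed: HTML-encode user input before it reaches the page."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A tautology turns the WHERE clause into "always true" and returns every user.
    tautology = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, tautology))
    print("safe lookup:     ", lookup_safe(db, tautology))
    # A UNION with a trailing comment pulls a column the query never meant to expose.
    union = "' UNION SELECT is_admin FROM users --"
    print("vulnerable union:", lookup_vulnerable(db, union))
    # Script markup in a name is executed by the browser unless it is encoded.
    payload = "<script>alert(1)</script>"
    print("vulnerable html: ", render_vulnerable(payload))
    print("safe html:       ", render_safe(payload))
```

Parameterized queries send user input to the database as data rather than as SQL text, so the tautology and UNION strings simply fail to match any username. Encoding output for HTML keeps user-supplied text from being interpreted as markup, which is what closes the cross-site scripting hole that lets a trusted site serve attacker content to its visitors.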
What can be done
On average, major organizations take at least twice as long to patch
client-side vulnerabilities as they take to patch operating system
vulnerabilities, according to the new report. In other words, the
highest priority risk (client-side vulnerabilities) is getting less
attention than the lower priority risk (OS vulnerabilities).
Organizations need to have a better system for deploying patches to
client-side software -- especially third-party programs. They need to
configure their systems so that users log on without local
administrative privileges. Web application vulnerabilities continue to
proliferate, acting as a vehicle for client infection or for stealing
sensitive data. The battle has moved from targeting traditional network
services to a focus on client-side software and Web applications.
The report indicates that large-scale exploitation of Web applications
will continue and become more sophisticated. "These attacks can be
mass-customized and launched with simple tools against a large number of
systems," according to the report. "Developers need to prevent these
simple flaws in the future, and system administrators need to find a
better way to inventory and secure these applications in the
enterprise."
This report is different from any study done before,
because it reflects massive amounts of data on the actual attacks
(millions of them) and on the speed with which the underlying
vulnerabilities are being patched (actual data from thousands of
companies).
The striking finding is that enterprises are prioritizing what is
unimportant and delaying fixes for the main attack targets. The report
can be expected to shift a lot of money around in organizations, because
the findings are hard to ignore. Given the strength of the data, not
acting could be seen as obvious negligence.
The full report can be seen at http://www.sans.org/top-cyber-security-risks/
The views expressed in this column are solely those of the author and do not reflect the views of SVB Financial Group, or Silicon Valley Bank, or any of its affiliates. This material, including without limitation the statistical information herein, is provided for informational purposes only. The material is based in part upon information from third-party sources that we believe to be reliable, but which has not been independently verified by us and, as such, we do not represent that the information is accurate or complete. The information should not be viewed as tax, investment, legal or other advice nor is it to be relied on in making an investment or other decisions. You should obtain relevant and specific professional advice before making any investment decision. Nothing relating to the material should be construed as a solicitation or offer, or recommendation, to acquire or dispose of any investment or to engage in any other transaction.