SANS Report: We're Focusing on the Wrong Security Threats

The Top Cyber Security Risks

Two risks dwarf all others, but organizations fail to mitigate them

Featuring attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis and tutorial by the Internet Storm Center and key SANS faculty members. - September 2009



Contents

• Executive summary


• Overview


• Vulnerability exploitation trends


• Application vulnerabilities exceed OS vulnerabilities


• Web application attacks


• Windows: Conficker/Downadup


• Apple: QuickTime and six more


• Origin and destination analysis for four key attacks


• Application patching is much slower than operating system patching


• Tutorial: Real-life HTTP client-side exploitation example


• Step 0: Attacker places content on trusted site


• Step 1: Client-side exploitation


• Step 2: Establish reverse shell backdoor using HTTPS


• Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot


• Step 5: Pass the hash to compromise domain controller


• Steps 6 and 7: Exfiltration


• Zero-day vulnerability trends


• Best practices in mitigation and control of the top risks


• Critical Controls - As Applied to HTTP Server Threats

Executive Summary

Priority One: Client-side software that remains unpatched.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites. (See Priority Two below for how they compromise the web sites). Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents and music and video that exploit client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software. The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation. On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the lower priority risk.

Priority Two: Internet-facing web sites that are vulnerable.

Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.

Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.

Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period. Even so, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90% of attacks seen against the Windows operating system.



Click here to Read the Full Report

Related articles by Zemanta

• Bits: Security Pros Are Focused on the Wrong Threats (bits.blogs.nytimes.com)


• Companies patch OS holes, but biggest priority should be apps (infoworld.com)


• Organizations fail to address top cyber vulnerabilities, report says (seattlepi.com)


• SANS Report Says Organizations Focusing On the Wrong Security Threats (tech.slashdot.org)