Two major cyber risks dwarf all others, but organisations are failing to invest in the proper tools to mitigate them, choosing instead to focus security attention on lower risk areas, according to a report released Tuesday by SANS Institute.
The research, which draws upon data collected from March to August 2009 from thousands of organisations, claims companies give insufficient attention to today's risks and put their systems in peril by continuing to maintain the status quo with an emphasis on operating system patches and other outdated protection methods. Attack data for this research was drawn from TippingPoint appliances deployed at customer sites, while vulnerability data was collected via Qualys' scanning services.
The most surprising conclusion may be that client-side application software vulnerabilities pose the largest threat to network security, as opposed to operating system vulnerabilities, which tend to get more attention when it comes to patching. SANS claims many spear-phishing attacks exploit vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office.
"This is currently the primary initial infection vector used to compromise computers that have internet access," the report states.
The report notes that most large organisations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities, choosing to place a higher priority on the lesser risk.
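A defender can check the patch-priority gap described above against their own data. The following is an added example, not code from the SANS report: it takes a constructed list of vulnerability records (class, disclosure date, patch date or None if still open) and reports the median days-to-patch per class and which classes lag a baseline class by a given factor.

```python
from datetime import date
from statistics import median

# Constructed sample records (not drawn from the report): one tuple per
# vulnerability, giving its class, the date it was disclosed, and the date the
# fix was deployed, or None if the system is still exposed.
SAMPLE_RECORDS = [
    ("os", date(2009, 5, 12), date(2009, 5, 20)),
    ("os", date(2009, 6, 9), date(2009, 6, 24)),
    ("os", date(2009, 7, 14), date(2009, 7, 21)),
    ("client-app", date(2009, 5, 5), date(2009, 6, 3)),
    ("client-app", date(2009, 6, 2), date(2009, 7, 1)),
    ("client-app", date(2009, 7, 7), None),
    ("web-app", date(2009, 4, 20), date(2009, 7, 29)),
    ("web-app", date(2009, 6, 15), None),
]

# Reporting cut-off: unpatched items are counted as open up to this date.
AS_OF = date(2009, 8, 31)


def days_exposed(records, as_of):
    """Map each vulnerability class to the list of days each item stayed open."""
    out = {}
    for vclass, disclosed, patched in records:
        end = patched or as_of  # still-open items keep accruing exposure
        out.setdefault(vclass, []).append((end - disclosed).days)
    return out


def median_days(records, as_of):
    """Median days-to-patch (or days open so far) per class."""
    return {k: median(v) for k, v in days_exposed(records, as_of).items()}


def still_open(records):
    """Count of unpatched items per class; classes with none are omitted."""
    counts = {}
    for vclass, _, patched in records:
        if patched is None:
            counts[vclass] = counts.get(vclass, 0) + 1
    return counts


def laggards(records, as_of, baseline="os", factor=2.0):
    """Classes whose median time-to-patch is at least `factor` x the baseline."""
    meds = median_days(records, as_of)
    base = meds[baseline]
    return sorted(k for k, m in meds.items() if k != baseline and m >= factor * base)


if __name__ == "__main__":
    print(median_days(SAMPLE_RECORDS, AS_OF))   # {'os': 8, 'client-app': 29, 'web-app': 88.5}
    print(laggards(SAMPLE_RECORDS, AS_OF))      # ['client-app', 'web-app']
```

Feeding real ticketing or scanner exports into `SAMPLE_RECORDS` makes the same functions a quick audit of whether client-side and web-application fixes are trailing OS patches in your own environment.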
In addition to unpatched client applications, SANS said the other priority for IT security now should be attention to web application vulnerabilities. Web applications constitute more than 60 percent of the total attack attempts observed on the Internet, according to the report.
"These vulnerabilities are being exploited widely to convert trusted websites into malicious websites serving content that contains client-side exploits," the report states. "Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80 percent of the vulnerabilities being discovered."
Despite the enormous number of attacks, and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience, said SANS researchers.
The two risks, and their tendency to be low priority for security teams, create a perfect storm for infection. With so many Internet-facing web sites vulnerable, and so many client applications that contain bugs, attackers find it easy to take advantage of unsuspecting web browsers. When users visit a trusted site, they feel safe downloading or simply opening documents, music or video, and those files can exploit client-side vulnerabilities.
"Some exploits do not even require the user to open documents," the report states. "Simply accessing an infected web site is all that is needed to compromise the client software. The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation."
The report's other conclusions include data showing that operating systems continue to have fewer remotely exploitable vulnerabilities of the kind that lead to massive Internet worms. Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period, the report said. However, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90 percent of attacks seen against the Windows operating system.
The research also finds rising numbers of zero-day vulnerabilities.
"World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."