SANS Report Lists Top Cyber-Security Risks

A report by The SANS Institute titled “The Top Cyber Security Risks” identifies two major areas susceptible to attack, with the top priority being client-side software that remains unpatched, and the second priority being Internet-facing Websites that are vulnerable. The report features attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9 million systems compiled by Qualys, and additional analysis by the Internet Storm Center and SANS faculty members.

The report found waves of targeted email attacks (spear phishing) are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office and currently serves as the primary initial infection vector used to compromise computers that have Internet access. “Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents and music and video that exploit client-side vulnerabilities,” the report states. “Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software.”

The second priority, Internet-facing sites, have vulnerabilities that allow hackers to convert trusted web sites into malicious websites serving content that contains client-side exploits. “Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80 percent of the vulnerabilities being discovered,” the report states. “Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.”

The report summarizes vulnerability and attack trends, focusing on those threats that have the greatest potential to negatively impact networks and businesses, as well as identifying key elements that enable these threats and associates these key elements with security controls that can mitigate those risks. The report also includes a pictorial description/tutorial on how some of the most damaging current attacks actually work. Information on key attacks is also broken down by country and categorized by type of attack. For example, researchers found the U.S. is “by far” the major attack target for the Server-Side HTTP attack category.

Vulnerabilities concerning Microsoft Office, Adobe Reader and Flash, Apple Quicktime and Sun Java are also reported on in the document. The report notes securing Flash has particular challenges, as it does not have an automatic update mechanism and one needs to patch Internet Explorer in a separate step from other browsers. “For users that have more than one browser installed, it is quite easy to forget to completely close Flash vulnerabilities and continue to be unwillingly vulnerable,” the report states.