SANS Report Lists Top Cyber-Security Risks
A report by The SANS Institute titled "The Top Cyber
Security Risks" identifies two major areas susceptible to attack, with the top
priority being client-side software that remains unpatched, and the second
priority being Internet-facing Websites that are vulnerable. The report
features attack data from TippingPoint intrusion prevention systems protecting
6,000 organizations, vulnerability data from 9 million systems compiled by
Qualys, and additional analysis by the Internet Storm Center and SANS faculty.
The report found that waves of targeted email attacks (spear
phishing) are exploiting client-side vulnerabilities in commonly used programs
such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office, and that
these attacks currently serve as the primary initial infection vector used to compromise
computers that have Internet access. "Because the visitors feel safe
downloading documents from the trusted sites, they are easily fooled into
opening documents and music and video that exploit client-side
vulnerabilities," the report states. "Some exploits do not even require the
user to open documents. Simply accessing an infected website is all that is
needed to compromise the client software."
The second priority, Internet-facing websites, concerns
vulnerabilities that allow hackers to convert trusted websites into malicious
websites serving content that contains client-side exploits. "Web application
vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source
as well as custom-built applications account for more than 80 percent of the
vulnerabilities being discovered," the report states. "Despite the enormous
number of attacks and despite widespread publicity about these vulnerabilities,
most web site owners fail to scan effectively for the common flaws and become
unwitting tools used by criminals to infect the visitors that trusted those
sites to provide a safe web experience."
The report summarizes vulnerability and attack trends,
focusing on those threats that have the greatest potential to negatively impact
networks and businesses, as well as identifying key elements that enable these
threats and associates these key elements with security controls that can
mitigate those risks. The report also includes a pictorial description/tutorial
on how some of the most damaging current attacks actually work. Information on
key attacks is also broken down by country and categorized by type of attack.
For example, researchers found the U.S. is "by far" the major attack target for
the Server-Side HTTP attack category.
Vulnerabilities in Microsoft Office, Adobe Reader and Flash, Apple QuickTime and Sun Java are also covered in the document. The report notes that securing Flash presents particular challenges, as it has no automatic update mechanism and the Flash plugin for Internet Explorer must be patched in a separate step from the plugin used by other browsers. "For users that have more than one browser installed, it is quite easy to forget to completely close Flash vulnerabilities and continue to be unwillingly vulnerable," the report states.