To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
A new report from the SANS Institute draws on recent attack data and a vendor study to conclude that IT security professionals are failing to adequately address two highly used avenues of attack: client-side application flaws and website vulnerabilities.
The report, The Top Cyber Security Risks, draws on attack data from TippingPoint's intrusion prevention systems and Qualys Inc.'s vulnerability data to lay out the increasing threat posed by the poor patching of client-side applications.
Spear phishing attacks, email messages designed to trick users into clicking on malicious file attachments and links are targeting unpatched flaws in popular client-side applications, including Adobe Reader and Flash software distributed by Adobe Systems Inc., Microsoft Office applications and the popular Apple Quicktime media software.
Application vulnerabilities fuel Web-based attacks:
Security experts identify 25 dangerous coding errors: A new list of common programming errors could give non-experts the ability to demand higher coding standards.
Educators see secure coding training challenges, improvements: University-level secure coding training is improving, but hurdles remain, professors say.
"On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities," the report states. "In other words, the highest priority risk is getting less attention than the lower priority risk."
SANS recommends companies inventory the software used by employees, understand and deploy secure configurations and conduct an application vulnerability assessment and remediation program.
The SANS Institute also identifies the two most often talked about website vulnerabilities, SQL injection and cross-site scripting flaws as the second biggest threats not being adequately addressed by website owners. Web application vulnerability flaws in open source and custom-built applications account for more than 80% of the vulnerabilities being discovered, according to the SANS Institute. Companies can better address the issue by conducting a thorough code review.
The two avenues of attack -- client-side vulnerabilities and Web application flaws -- are often coupled together, said Alan Paller, director of research at the SANS Institute in an email message. Website vulnerabilities on trusted sites are the most valuable targets for attackers and often result in drive-by attacks injecting malware on site visitors who fail to patch their applications.
"The bottom line: Two cyber risks dwarf all others and users are not effectively mitigating them -- preferring to invest in mitigating less critical risks," Paller said.
The report was designed to call out the need for more vulnerability researchers. It cites the growing number of zero-day vulnerabilities posing a major threat to businesses. More vulnerabilities are being discovered by hackers using widely available and free fuzzing tools. The increase has caused some zero-day flaws to go unpatched for as long as two years.
"There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit," the report states. "Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch."
To address the risks posed by zero-day flaws, companies should have adequate antimalware, antivirus, antispyware and host-based intrusion prevention system functionality in place. Antimalware software and signature auto update features are the best method to mitigate the threat, SANS said in its report.
"The file format vulnerabilities continue to be the first choice for attackers to conduct zero-day and targeted attacks," the report states. "The vulnerabilities are often found in third-party add-ons to these popular and wide-spread software suites, making the patching process more complex and increasing their potential value to attackers."