Influential survey says security 'set back by 6 years'

By Bill Brenner, News Writer 22 Nov 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Updated Tuesday, Nov. 22, to include comments made during a press conference at 11 a.m. ET.

Attackers don't go after operating systems like they used to. They've found bigger fish to fry in flawed applications like the average AV, database, IM or media player program. They're also paying more attention to flaws in the routers and switches that keep the Internet afloat and are successfully stealing data from government networks.

That's the consensus among security experts who contributed to the SANS Institute's Top 20 vulnerability list for 2005. The Bethesda, Md.-based organization released the list Tuesday morning, and its research director said the findings show a major backslide in efforts to achieve ironclad information security.

"The bottom line is that security has been set back nearly six years in the past 18 months," SANS Institute Research Director Allan Paller said in an e-mail exchange. "Six years ago attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching. Here we go again."

During a press conference Tuesday morning, Paller added, "These applications, other than AV, don't have automated patching. We're back to the stone age. Getting patches and figuring out how to install them -- those days are back in spades."

SANS Top 20 at a glance Top vulnerabilities in Windows systems  Windows services Internet Explorer Windows libraries Windows Office and Outlook Express File sharing applications Windows configuration weaknesses  Top vulnerabilities in cross-platform applications Backup software Antivirus software PHP-based applications Database software DNS software Media players Instant Messaging applications Web browsers Other cross-platform applications   Top vulnerabilities in UNIX systems UNIX configuration weaknesses Mac OS X  Top vulnerabilities in networking products Cisco IOS-based products Cisco non-IOS products Cisco Devices configuration weaknesses More details at www.sans.org. See last year's SANS Top 20 list.

In recent years, the institute said a majority of attacks targeted operating systems like UNIX and Windows and Internet services like Web servers and mail systems. But this year a new wave of attacks were against vulnerable application programs. "The most noticeable set of applications targeted by attackers are the backup and recovery tools as well as antivirus and other security tools that most organizations think are keeping them safe from attacks and from loss of data," the institute said.

Rohit Dhamankar, lead security architect for the TippingPoint division of Marlborough, Mass.-based 3Com, noted in a statement, "We are seeing a trend to exploit not only Windows, but other vendor programs installed on large numbers of systems. These include backup software, antivirus software, database software and even media players. Flaws in these programs put critical national and corporate resources at risk and have the potential to compromise the entire network."

During the Tuesday morning press conference, Dhamankar said the threats that worry him the most are those targeting the Web browsers and media players -- including Microsoft Media Player and Macromedia Flash.

Application-based attacks are happening with dizzying speed, Jerry Dixon, director of the The United States Computer Emergency Readiness Team (US-CERT), added in the same statement. "The US-CERT received reports of important system compromises using vulnerabilities in backup products within a few days of the public disclosure of vulnerabilities in those products," he said.

SANS said another worrying trend this year has been the fresh attention given to critical security holes in network devices like the routers and switches that keep traffic moving across the Internet. "Network devices often have on-board operating systems and can be programmed just like computers," the institute said. "Compromises of network devices can provide attackers one of the most fruitful platforms for eavesdropping and launching targeted attacks."

The attention given to networking flaws was perhaps best illustrated during the Black Hat Briefings in Las Vegas last July. There, researcher Michael Lynn, a former employee with Internet Security Systems, infuriated Cisco by demonstrating how to exploit a critical flaw in the networking giant's Internetwork Operating System (IOS) that could, if exploited to its potential by a malicious attacker, bring down the entire Internet.

When the digital underground launches targeted assaults, information in sensitive government systems are often the prize attackers have their eyes on, the institute said. As an example, the institute mentioned an advisory Britain's National Infrastructure Security Co-Ordination Centre issued June 16 describing "a series of targeted attacks against the UK central government and commercial organizations for the purpose of gathering and transmitting otherwise privileged information."

Networks maintained by the U.S. government and military have been the target of what security experts called "equally devastating" attacks. Specifically, the institute said attacks are being carried out against government and military-contractor sites "using vulnerabilities like those reported in SANS Top 20."

Indeed, the media was ablaze with reports this summer of an attack against government systems dubbed Titan Rain. In this attack, Chinese Web sites targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks. Though classified information wasn't taken, officials worried that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary's strengths and weaknesses when pulled together.

TippingPoint's Dhamankar, also a project manager for the SANS Top 20, said vulnerabilities on this year's list are defined by four criteria:

• (1) They affect a large number of users;
• (2) They have not been patched on a substantial number of systems;
• (3) They allow computers to be controlled by a remote, unauthorized user; and
• (4) Sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them.

Paller did note during the press conference that there's a silver lining to be had among the couds:

After deciding that it couldn't rely on flawed Microsoft software, the U.S. Air Force "decided to put $5 million on the table and asked Microsoft to make a safer version of Windows," he said. "Microsoft said yes, and now the Air Force is using a special version. We think this action is... what will one day turn the tide -- the government leading by example and putting out money. This someday will allow people to have access to safer software."

Tags: Database Security Management,  Web Application Security,  Network Device Management,  Alternative OS security: Mac, Linux, Unix, etc.,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Information security book excerpts and reviews Kaspersky website hacked multiple times, expert says Kaspersky website hacked, customer activation codes exposed SQL injection attacks targeting Flash, JavaScript errors Fuzzing tool helps Oracle DBAs defend against SQL injection Oracle extends Audit Vault third-party database compatibility When should a database application be placed in a DMZ? Oracle patches dangerous WebLogic, Secure Backup vulnerabilities Database Security Management Research Web Application Security nCircle statistics show rising Web application vulnerabilities Twitter bugs, DNSSEC and broswer security Month of Twitter Bugs project to document Twitter flaws Are Web application penetration tests still important? IT pros can detect, prevent website vulnerabilities, thwart attacks PCI compliance requirement 6: Systems and applications Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert US-CERT warns of Gumblar, Martuz drive-by exploits XSS bugs, information leakage top list of website vulnerabilities How to find and stop automated SQL injection attacks Network Device Management Firewall rule management best practices What are best practices for fiber optic cable security? Enterprise UTM security: The best threat management solution? Making the case for network security configuration management Know when you need IDS, IPS or both SIEM: Not for small business, nor the faint of heart Evaluating MSSP security before taking the plunge Ixia network security tool exposes problems Product Review: Deepdive's DD300 Security services: Fiberlink's MaaS360 Mobility Platform

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary