SANS: Application threats, website flaws pose biggest security threats

By Robert Westervelt, News Editor
15 Sep 2009 | SearchSecurity.com

Security Wire Daily News

A new report from the SANS Institute draws on recent attack data and a vendor study to conclude that IT security professionals are failing to adequately address two highly used avenues of attack: client-side application flaws and website vulnerabilities.

The report, The Top Cyber Security Risks, draws on attack data from TippingPoint's intrusion prevention systems and Qualys Inc.'s vulnerability data to lay out the increasing threat posed by the poor patching of client-side applications.

Spear phishing attacks, email messages designed to trick users into clicking on malicious file attachments and links, are targeting unpatched flaws in popular client-side applications, including Adobe Reader and Flash software distributed by Adobe Systems Inc., Microsoft Office applications and the popular Apple QuickTime media software.

"On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities," the report states. "In other words, the highest priority risk is getting less attention than the lower priority risk."

SANS recommends companies inventory the software used by employees, understand and deploy secure configurations and conduct an application vulnerability assessment and remediation program.
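The patch-lag comparison the report is built on, as an added example that is not part of the original article or of the SANS report: a short Python script that computes median time-to-patch per vulnerability class from a constructed vulnerability-tracker export and lists the open client-side backlog. Column names, hosts, software names and dates are constructed for illustration.

```python
# Added example, not from the article or the SANS report: measure the
# client-side vs OS patch-lag gap from a constructed tracker export.
import csv
import io
from datetime import date
from statistics import median

# Constructed sample export; "patched" is empty while a finding is still open.
SAMPLE_EXPORT = """\
host,software,category,discovered,patched
ws-01,Adobe Reader,client-side,2009-06-01,2009-08-10
ws-02,Adobe Flash,client-side,2009-06-15,2009-09-01
ws-03,Microsoft Office,client-side,2009-07-01,
ws-04,Apple QuickTime,client-side,2009-05-20,2009-07-30
srv-01,Windows Server,os,2009-06-01,2009-06-20
srv-02,Linux kernel,os,2009-06-15,2009-07-05
ws-05,Windows XP,os,2009-07-01,2009-07-25
"""
AS_OF = date(2009, 9, 15)  # constructed "today" for ageing open findings

def parse_export(text):
    """Parse the CSV export into dicts carrying real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["discovered"] = date.fromisoformat(row["discovered"])
        row["patched"] = date.fromisoformat(row["patched"]) if row["patched"] else None
        rows.append(row)
    return rows

def median_days_to_patch(rows):
    """Median days from discovery to patch, per category, over closed findings."""
    lags = {}
    for r in rows:
        if r["patched"] is not None:
            lags.setdefault(r["category"], []).append((r["patched"] - r["discovered"]).days)
    return {cat: median(days) for cat, days in lags.items()}

def patch_lag_ratio(rows):
    """How many times longer client-side findings take to close than OS findings."""
    m = median_days_to_patch(rows)
    return m["client-side"] / m["os"]

def open_findings_older_than(rows, days, today=AS_OF):
    """Still-open findings older than `days`: the backlog to prioritise first."""
    return [(r["host"], r["software"], (today - r["discovered"]).days)
            for r in rows
            if r["patched"] is None and (today - r["discovered"]).days > days]
```

Running it on a real export needs only the same five columns; a ratio well above 1.0 is the symptom the report describes.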

The SANS Institute also identifies the two most often talked about website vulnerabilities, SQL injection and cross-site scripting flaws, as the second biggest threats not being adequately addressed by website owners. Web application flaws in open source and custom-built applications account for more than 80% of the vulnerabilities being discovered, according to the SANS Institute. Companies can better address the issue by conducting a thorough code review.

The two avenues of attack -- client-side vulnerabilities and Web application flaws -- are often coupled together, said Alan Paller, director of research at the SANS Institute, in an email message. Website vulnerabilities on trusted sites are the most valuable targets for attackers and often result in drive-by attacks that deliver malware to site visitors who fail to patch their applications.

"The bottom line: Two cyber risks dwarf all others and users are not effectively mitigating them -- preferring to invest in mitigating less critical risks," Paller said.

The report was designed to call out the need for more vulnerability researchers. It cites the growing number of zero-day vulnerabilities posing a major threat to businesses. More vulnerabilities are being discovered by hackers using widely available and free fuzzing tools. The increase has caused some zero-day flaws to go unpatched for as long as two years.

"There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit," the report states. "Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch."

To address the risks posed by zero-day flaws, companies should have adequate antimalware, antivirus, antispyware and host-based intrusion prevention system functionality in place. Antimalware software with automatic signature updates is the best method to mitigate the threat, SANS said in its report.

"The file format vulnerabilities continue to be the first choice for attackers to conduct zero-day and targeted attacks," the report states. "The vulnerabilities are often found in third-party add-ons to these popular and widespread software suites, making the patching process more complex and increasing their potential value to attackers."
