September 15, 2009 6:37 AM PDT

Cyberdefenses are misdirected, report says

by Manek Dubash

Organizations are finding it difficult to prioritize defense strategies against cyberattacks because most of them do not have an Internet-wide view of the attacks, according to a report from SANS Institute, the security training organization.

As a result, two security risks--Web applications and phishing--carry the greatest potential for damage, even though users instead tend to concentrate on less-critical risks.

The report, published by security training organization SANS Institute, amalgamates global data from security attacks on computers from March to August.

It identifies two main defense priorities for enterprise users. The first is targeted e-mail attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe Systems' PDF Reader and Flash, Apple's QuickTime, and Microsoft's Office. These applications are described as the "primary initial infection vector used to compromise computers that have Internet access" and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners."

The second priority is vulnerable sites. More than 60 percent of attacks are against Web applications and "convert trusted Web sites into malicious Web sites serving content that contains client-side exploits" by exploiting the most common vulnerabilities such as SQL injection and cross-site scripting flaws, in both open-source and custom-built applications. Such vulnerabilities make up more than 80 percent of attack opportunities.
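The report names SQL injection and cross-site scripting as the flaws most often used to turn a trusted site into one serving hostile content. The following added example (not from the article or the SANS report) shows each flaw class as a vulnerable function beside its hardened form: a page lookup built by string formatting next to a parameterized query, and an unescaped render next to an escaped one. The table, its rows and the probe strings are constructed for the demonstration.

```python
"""Added illustration: SQL injection and XSS, vulnerable form beside the fix.
Not code from the article or from SANS; the data below is constructed."""
import html
import sqlite3

# Constructed sample data: a tiny "pages" table such as a CMS might serve.
SAMPLE_PAGES = [
    ("welcome", "Welcome to the site"),
    ("about", "About us"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, slug: str) -> list:
    """Vulnerable: the query text is assembled from user input, so a quote
    in the slug ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT slug, body FROM pages WHERE slug = '{slug}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, slug: str) -> list:
    """Hardened: a parameterized query. The driver binds the slug as a
    value, so no input can change the statement's structure."""
    return conn.execute(
        "SELECT slug, body FROM pages WHERE slug = ?", (slug,)
    ).fetchall()


def render_vulnerable(body: str) -> str:
    """Vulnerable: stored content is placed in the page unescaped, so any
    markup it carries (including script) is interpreted by the browser."""
    return f'<div class="page">{body}</div>'


def render_hardened(body: str) -> str:
    """Hardened: html.escape turns <, >, & and quotes into entities, so the
    content is displayed as text rather than executed as markup."""
    return f'<div class="page">{html.escape(body, quote=True)}</div>'


def demo() -> None:
    conn = make_db()
    # A tautology in the slug: the vulnerable query matches every row, while
    # the parameterized query finds nothing because no slug equals the literal.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))   # both rows
    print("hardened:  ", lookup_hardened(conn, probe))     # []
    # Constructed hostile body, as a stored-XSS payload would look in the DB.
    injected = "<script>/* injected */</script>"
    print(render_vulnerable(injected))  # script tag reaches the browser intact
    print(render_hardened(injected))    # rendered inert as &lt;script&gt;...


if __name__ == "__main__":
    demo()
```

The fix in both halves is the same principle: keep data and code in separate channels (bound parameters for the database, entity escaping for HTML) rather than trying to filter the input, which is what makes these flaws invisible to scanners that only look at the request.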

A further finding is that applications are now more vulnerable and see more exploitation attacks than operating systems. There were no new major operating system worms seen in the wild during the reporting period.

Additionally, the report found there has been a "significant increase" over the past three years in the number of people discovering zero-day vulnerabilities: flaws that become known to attackers before they are discovered by security researchers, opening the chance of an attack against which no preparation has been made.

"This report is different from anything we have done before," a SANS spokesman said, "because it reflects massive amounts of data on the actual attacks (millions of them) and on the speed with which the underlying vulnerabilities are being patched (actual data from thousands of companies)."

The report's sources include attack data from 6,000 organizations, compiled by security hardware vendor TippingPoint; vulnerability data from 9 million computers, compiled by security software vendor Qualys; and additional analysis and tutorials by the Internet Storm Center and SANS faculty members.

Manek Dubash of ZDNet UK reported from London.

by fokkwp September 15, 2009 8:19 AM PDT
This article correctly interprets the SAN report. But this is weird - I've worked with a lot of network security people and never heard that phishing was associated with client-side vulnerabilities in Flash, Reader, etc. SAN has a very unusual definition of "phishing".

See "phishing" in Wikipedia - "Phishing is typically carried out by e-mail or instant messaging".

I would go so far as to say SAN has it just plain wrong.
by krypter September 15, 2009 9:02 AM PDT
They're using it in the sense of "using email to trick people into opening Flash/PDF attachments that appear legitimate but are fraudulent malware". PDFs and Flash can contain links that redirect or perform XSS attacks.
by n3td3v September 15, 2009 12:15 PM PDT
Anything by SANS should be taken with a pinch of salt. They need to release these reports every year; they think up anything to compile the report to try and come across as new and groundbreaking, but in truth it's a lot of FUD.

SANS are also known to collude with the CIA, especially at the critical infrastructure conference in 2008 where a CIA person reported FUD about hackers shutting down national grids if a ransom wasn't paid.

The cyber security industry isn't misdirected, but those trying to misdirect us, such as SANS, are getting in the way.

http://www.securityfocus.com/brief/666