Despite improvements in system and network security, wily cybercriminals remain a significant threat, adjusting their methods to take advantage of unwary Internet users, the SANS Institute says in its report on the top 20 Internet security risks of 2007, released Tuesday.
Hackers and cyberspies have shifted their focus and moved away from the widespread malware attacks that exploited software-based vulnerabilities in favor of more targeted assaults that rely upon unsuspecting users’ gullibility and custom-built applications, the report states.
“For most large and sensitive organizations, the newest risks are the ones causing the most trouble,” said Alan Paller, director of research at SANS. “The new risks are much harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties that only the largest banks and most sensitive military organizations have so far been willing to implement.”
Spyware infections, including keystroke loggers, are among the most commonly used forms of malware found on compromised systems. Since January, there has been a 183 percent increase in Web sites “harboring spyware,” said Gerhard Eschelbeck, chief technology officer of Webroot, a spyware detection firm.
Software Security
Vigilance and regular updates from operating system makers have led to more secure systems and reduced cyber criminals’ ability to launch massive Internet worms that were frequently seen between 2002 and 2005, such as Melissa, Zotob and Blaster. As a result of the renewed emphasis on security from Microsoft, for instance, there has not been a new large-scale worm attack targeting Windows systems since 2005, according to SANS.
However, even as operating systems have become increasingly secure, other types of software have been responsible for an increase in the number of “client-side vulnerabilities.” Vulnerabilities in antivirus, backup and other applications have been hit by worms. Most notable, SANS researchers said, was the worm that exploited a buffer overflow in Symantec’s antivirus software last year.
Browsers, office software, media players and other desktop applications account for a significant growth in vulnerabilities on the client side. Although Microsoft’s Windows operating systems are less vulnerable to attack, Qualys, a security firm that scans millions of systems for vulnerabilities, said it has seen a nearly 300 percent growth in vulnerabilities in Microsoft Office products.
The primary culprit is the latest version of Excel, which can easily be exploited “by getting unsuspecting users to open Excel files sent via e-mail and instant messages,” said Amol Sarwate, manager of vulnerability labs at Qualys.
“Microsoft has their macro language built into Microsoft Office, and sometimes it’s hard to actually detect [problems]. Second, with everyone worried about Windows and keeping that up to date, people don’t always worry about keeping Office up to date,” said Robert Ayoub, an analyst at Frost & Sullivan.
More than any other type of software, Web application insecurity is the most “troublesome because so many developers are writing and deploying Web applications without ever demonstrating that they can write secure applications,” SANS’ Paller said. SANS ranked critical vulnerabilities in Web applications No. 1 on its top 20 list.
“Most of their Web applications provide access to back-end databases that hold sensitive information,” he continued.
However, “until colleges teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all Web applications,” Paller noted.
Security Solutions
To protect themselves from critical vulnerabilities in Web applications, consumers and enterprises can deploy a Web application firewall and security scanner.
In addition, businesses should have application source code testing tools, application penetration testing services and a formal policy that all important Web applications will be developed using a valid secure development life cycle and only by developers who have proven — through testing — that they have the skills and knowledge to write secure applications, SANS advised.
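To make the “secure coding” Paller calls for, and the source-code testing SANS recommends, concrete, here is an added example that is not from the SANS report or this article: the same back-end database lookup written once by string concatenation and once as a parameterized query, using Python’s standard sqlite3 module against a constructed in-memory table. The table contents, the function names and the `compare` helper are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data: a toy "back-end database" of the kind the report
# says most Web applications sit in front of. The second username contains a
# quote character, which is a perfectly legitimate value for a name field.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")]


def make_db():
    # Fresh in-memory database seeded with the constructed rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_insecure(conn, username):
    # Builds the SQL statement by string concatenation: the user-supplied value
    # becomes part of the query text, so any quote inside it changes the
    # structure of the statement instead of being treated as data.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_secure(conn, username):
    # Parameterized query: the value travels separately from the statement
    # text, so the database always treats it as data, whatever it contains.
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def compare(username):
    """Run both lookups on the same input and return (insecure, secure).

    A database error raised by the concatenated version is returned as the
    exception's class name rather than re-raised, so the two behaviours can be
    seen side by side for the same input."""
    conn = make_db()
    try:
        insecure = lookup_email_insecure(conn, username)
    except sqlite3.Error as exc:
        insecure = type(exc).__name__
    secure = lookup_email_secure(conn, username)
    conn.close()
    return insecure, secure


if __name__ == "__main__":
    for name in ("alice", "O'Brien"):
        print(name, "->", compare(name))
```

On the plain username both versions return the same address; on the name containing a quote the concatenated query fails with an `OperationalError` because the input has altered the statement, while the parameterized query returns the address. That structural flaw, the query text depending on the input, is what source-code testing tools look for and what a secure development life cycle is meant to keep out of code that fronts a sensitive database.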
Combating people’s tendency to trust instructions and links included in e-mails — whether because they are too busy or too distracted to be skeptical — requires a twofold approach, Ayoub told TechNewsWorld.
Ayoub agrees with the SANS recommendation that businesses conduct security awareness training as well as its admonition not to give users excessive rights and allow unauthorized devices.
“There are definitely users that are going to click on e-mails they’re not supposed to. And excessive user rights is one area where a lot of enterprises are not doing 100 percent. A lot of organizations really haven’t gotten this part under control and aren’t enforcing their internal policies and aren’t doing the slap on the wrist to keep people from participating in activities that aren’t safe,” he explained.
“As an industry, we cannot rest on our laurels. There has to be continued education. There has to be continued improvements and updates,” Ayoub continued.
However, education can only do so much, said Greg Young, a Gartner analyst. “It’s less about education and more about taking action. There has been a lot of talk and not much action in organizations. Organizations just need to defend thyself.
“End users will always [open e-mails from strangers and click on links sent to them]. That’s human nature, and that is why education has limited value. You have to take action to protect against the things we know can and will happen,” he continued. “Humans are the weak link. And there are some pretty basic steps we can take to protect ourselves against ourselves and the bad guys.”
Enterprises too often have networks that do not have enough depth of defense, he asserted. The critical assets of too many networks are spread out or are openly accessible to all internal users, he pointed out.
“These are not product vulnerabilities, it is a misconfiguration,” Young told TechNewsWorld. “You have to make sure you are protected. There is an excess of things you can buy and install. The security market is flush. You have to take action yourself. This has to be a management-down driven [solution]. It is not an IT problem anymore; it is a business problem.”