By Cara Garretson
While IT departments focus heavily on patching their operating systems in order to keep up with security requirements, a recent study done by the SANS Institute found that fixing holes in applications is actually more important.
The SANS study, called the Top Cyber Security Risks, found that unpatched client software is the number-one vulnerability for IT organizations. Web application vulnerabilities and the rising number of zero-day attacks were also highlighted by the report.
Unpatched client software is "the primary initial infection vector used to compromise computers that have Internet access," the report says; the malware that exploits it is typically delivered in unwanted e-mails or unknowingly downloaded from Web sites that host malicious code.
Most organizations take at least as long to patch client applications as they do to fix vulnerabilities in the operating systems they run, according to the study. "The highest priority risk is getting less attention than the lower priority risk," says SANS.
Popular applications such as Adobe PDF Reader, Adobe Flash, Apple QuickTime and Microsoft Office go unpatched. Yet because users feel such programs come from trusted sources, they are comfortable downloading related files, such as music, video and documents, from the Web. What they often download instead is malicious code that takes advantage of security holes in that client software, and they are compromised, the report says.
Hackers use these compromised PCs to become part of a botnet, a network of PCs that hackers can control at any time to send out spam or spread malware without the PC owners knowing it.
Preventing attacks on Web applications is cybersecurity priority number two, according to the SANS Institute. The target of more than 60 percent of all attack attempts observed on the Internet, these applications are often the back door that hackers use to turn trusted Web sites into ones that download malware. These vulnerabilities include SQL injections and cross-site scripting flaws.
The study says most Web site owners aren't scanning effectively for vulnerabilities in their Web applications, and could be infecting site visitors.
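The two flaw classes the report names, SQL injection and cross-site scripting, both come down to untrusted input being interpreted as code. The following Python example is added here for illustration and is not from the SANS report or the article; the user table, the `lookup_*` and `render_greeting_*` functions and the sample inputs are all constructed for the demonstration. It shows a lookup that splices input into a SQL string beside the parameterized version, and an HTML fragment built with and without output escaping.

```python
import sqlite3
import html

# Constructed sample data for the demonstration (not from the report).
USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def build_db():
    """Create an in-memory SQLite database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the input is concatenated into the query text, so a
    quote character in `name` changes the structure of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter and the database
    driver never parses it as SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_unsafe(name):
    """Cross-site scripting: input is placed into HTML verbatim, so markup
    or script in `name` is rendered by the visitor's browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    """Hardened form: HTML-significant characters are escaped before the
    value is inserted into the page, so it is displayed as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # Constructed input containing a quote: the vulnerable query matches every row,
    # the parameterized query matches none because no user has that literal name.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print(render_greeting_unsafe("<b>guest</b>"))
    print(render_greeted := render_greeting_escaped("<b>guest</b>"))
```

The same pattern applies to any database driver and template engine: a scanner looking for these flaws effectively tests whether the application behaves like `lookup_vulnerable` and `render_greeting_unsafe` rather than the parameterized and escaped forms.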
Another top concern for IT departments is the rising number of zero-day attacks -- those that are seen for the first time and are yet to be patched -- that take advantage of vulnerabilities in software. Some of these vulnerabilities have remained unpatched for two years. The report says the shortage of vulnerability researchers in the government and among software vendors is part of the problem.
"So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks," says SANS.
The SANS report is based on data gathered between March and August from security appliances and software running in thousands of organizations, with the goal of identifying existing and emerging threats. Among those are 6,000 TippingPoint appliance installations in both private sector and government organizations, as well as Qualys systems that monitor vulnerabilities and configuration errors in 9 million PCs and servers.
The SANS Institute is a computer security training and certification organization that also researches and reports on information security.