Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/15/2009
10:23 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SANS Report: 60% Of All Attacks Hit Web Applications, Most In The U.S.

New attack data shows organizations are missing the mark in their security priorities as client-side application flaws, Web flaws dominate as attack vectors

Enterprises worldwide are focusing their efforts on the wrong threats, leaving their organizations wide open to Web and client-side attacks, according to a new report released today by the SANS Institute.

Most organizations are focusing their patching efforts and vulnerability scanning on the operating system (OS) -- but 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications, such as Microsoft Office and Adobe Flash, according to actual attack data gathered for the report. Meanwhile, enterprises are taking twice as long to patch their applications than to patch their OSes, the report says.

The SANS report is a compilation of data and analysis from multiple sources, including SANS Internet Storm Center. It includes attack data from 6,000 organizations running TippingPoint IPS systems, and vulnerability data from 9 million systems compiled by Qualys between March and August 2009. Forensic experts Ed Skoudis and Rob Lee provided input on incident response trends.

"Enterprises focus on attacks they can detect...[and] are expecting," says Johannes Ullrich, CTO of the SANS Internet Storm Center, who also contributed to the report. "But they are missing a lot."

More than 80 percent of vulnerabilities are in Web applications -- mostly SQL injection and cross-site scripting (XSS). And enterprises are patching OS vulnerabilities twice as quickly as they are patching vulnerabilities in Office and other applications, according to the report. "Similarly, with Web attacks more than half are aimed at SQL injection and XSS [according to the report's findings], but organizations focus their attention on scanning the OS and don't do application penetration-testing [on their Web apps]," says Alan Paller, director of research for the SANS Institute.

Paller says the hope is the report will help organizations reprioritize their patching and scanning efforts. "They can then move money from OS patching to application patching, and from Website system scanning to Web application scanning and penetration testing, and spend more on secure coding to make sure the Website isn't infecting trusting visitors," he says.

Zero-day attacks are on the rise in third-party applications, according to the report. "The last six months have seen multiple zero-day vulnerabilities in programs such as Adobe PDF, Adobe Flash, and Microsoft Office. These programs continue to be the playground for hackers to find new zero-days," says Rohit Dhamankar, the top scientist at TippingPoint. "The file formats are complex and support a large number of features -- providing much more opportunities to find vulnerabilities in the code. Combine this with the fact that these are very popular, widely used programs, and they essentially offer a green-field of opportunity for hackers."

SANS' Ullrich says patching third-party applications isn't easy. "Third-party applications can be tough. There's no good system," he says, adding that the key is inventorying third-party Web applications, which the report shows are a major attack vector.

Even so, says Wolfgang Kandek, CTO at Qualys, today's patch management tools can be configured to handle these third-party applications, as well. "There is no technical reason not to patch," he says. "Organizations that focus mainly on OS vulnerabilities are exposing themselves to increased risk through vulnerable applications. Attackers have noticed this opportunity and are exploiting it."

Qualys' Kandek says he was surprised that enterprises are patching their Office applications so slowly. "The patching cycle for Microsoft Office is surprisingly slow given that these patches are included in Patch Tuesday and receive a lot of attention already, compared to Adobe and other vendors that started only recently to formalize their security advisory programs," Kandek says.

Meanwhile, Web servers are being attacked mainly via brute-force password guessing and Web application vulnerabilities, the report says. Attackers are targeting Microsoft SQL, FTP, and SSH servers for the password-cracking attacks mainly because these provide easy access once a username and password is found.

SANS' Ullrich says the "pass-the-hash" attacks for exploiting guessed passwords and using their hashes to gain administrative access to the victims' systems featured in the report was an interesting find. "We don't see these because they aren't publicly reported much," he says.

More than 90 percent of attacks on Microsoft OSes in the past six months used a buffer overflow vulnerability, MS098-067, and Conficker worm variants were the main attacks, according to the report. And more than 70 percent of attacks on Apple systems came via the QuickTime image download flaw (CVE-2009-0007).

U.S. Web servers were used in nearly 35 million server-side HTTP attacks during the six-month period, followed by Thailand, which was at around 1 million such attacks. U.S. Web servers suffered about 25 million such attacks, dwarfing other victim countries.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15505
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15506
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.
CVE-2020-15507
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.
CVE-2020-15096
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
CVE-2020-4075
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...