9/15/2009 10:23 AM
SANS Report: 60% Of All Attacks Hit Web Applications, Most In The U.S.

New attack data shows organizations are missing the mark in their security priorities as client-side application flaws, Web flaws dominate as attack vectors

Enterprises worldwide are focusing their efforts on the wrong threats, leaving their organizations wide open to Web and client-side attacks, according to a new report released today by the SANS Institute.

Most organizations focus their patching efforts and vulnerability scanning on the operating system (OS) -- but 60 percent of all observed attacks target Web applications, and many of the rest are aimed at client-side third-party applications, such as Microsoft Office and Adobe Flash, according to actual attack data gathered for the report. Meanwhile, enterprises take twice as long to patch those applications as they take to patch their OSes, the report says.

The SANS report is a compilation of data and analysis from multiple sources, including SANS Internet Storm Center. It includes attack data from 6,000 organizations running TippingPoint IPS systems, and vulnerability data from 9 million systems compiled by Qualys between March and August 2009. Forensic experts Ed Skoudis and Rob Lee provided input on incident response trends.

"Enterprises focus on attacks they can detect...[and] are expecting," says Johannes Ullrich, CTO of the SANS Internet Storm Center, who also contributed to the report. "But they are missing a lot."

More than 80 percent of vulnerabilities are in Web applications -- mostly SQL injection and cross-site scripting (XSS). And enterprises are patching OS vulnerabilities twice as quickly as they are patching vulnerabilities in Office and other applications, according to the report. "Similarly, with Web attacks more than half are aimed at SQL injection and XSS [according to the report's findings], but organizations focus their attention on scanning the OS and don't do application penetration-testing [on their Web apps]," says Alan Paller, director of research for the SANS Institute.

Paller says the hope is the report will help organizations reprioritize their patching and scanning efforts. "They can then move money from OS patching to application patching, and from Website system scanning to Web application scanning and penetration testing, and spend more on secure coding to make sure the Website isn't infecting trusting visitors," he says.
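The two flaw classes the report singles out, SQL injection and cross-site scripting, come down to the same mistake: user-controlled input is concatenated into a string that another interpreter (the database, the browser) then parses. The following added example is not from the SANS report or from Dark Reading; it is illustrative code written for this page. It uses an in-memory SQLite table with constructed sample rows and shows the injectable lookup beside its parameterized replacement, and the unescaped HTML rendering beside the escaped one. Function names and the sample data are assumptions for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for a Web app's database.
    Sample data only; not taken from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol <carol@example.test>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """SQL built by string concatenation: the injectable pattern.
    A value such as  x' OR '1'='1  rewrites the WHERE clause."""
    query = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, username):
    """Bound parameter: the driver sends the value as data, never as SQL text,
    so the same payload simply matches no user."""
    query = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_vulnerable(display_name):
    """Reflects stored, user-controlled data into HTML unescaped (stored XSS)."""
    return "<p>Hello, " + display_name + "</p>"


def render_hardened(display_name):
    """Escapes for the HTML text context (&, <, >, quotes) before rendering.
    Other contexts (attributes, JavaScript, URLs) need their own encoders."""
    return "<p>Hello, " + html.escape(display_name) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(conn, payload))  # every user comes back
    print(lookup_hardened(conn, payload))    # []
    stored = "<script>alert(1)</script>"
    print(render_vulnerable(stored))
    print(render_hardened(stored))
```

The hardened lookup is what an application penetration test of the kind Paller describes would check for: feeding the quote-and-OR payload into every parameter and watching whether the result set changes. Note that escaping is context-specific; `html.escape` is correct for element text, not for data placed inside a script block or an unquoted attribute.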

Zero-day attacks are on the rise in third-party applications, according to the report. "The last six months have seen multiple zero-day vulnerabilities in programs such as Adobe PDF, Adobe Flash, and Microsoft Office. These programs continue to be the playground for hackers to find new zero-days," says Rohit Dhamankar, the top scientist at TippingPoint. "The file formats are complex and support a large number of features -- providing much more opportunities to find vulnerabilities in the code. Combine this with the fact that these are very popular, widely used programs, and they essentially offer a green-field of opportunity for hackers."

SANS' Ullrich says patching third-party applications isn't easy. "Third-party applications can be tough. There's no good system," he says, adding that the key is inventorying third-party Web applications, which the report shows are a major attack vector.

Even so, says Wolfgang Kandek, CTO at Qualys, today's patch management tools can be configured to handle these third-party applications, as well. "There is no technical reason not to patch," he says. "Organizations that focus mainly on OS vulnerabilities are exposing themselves to increased risk through vulnerable applications. Attackers have noticed this opportunity and are exploiting it."

Qualys' Kandek says he was surprised that enterprises are patching their Office applications so slowly. "The patching cycle for Microsoft Office is surprisingly slow given that these patches are included in Patch Tuesday and receive a lot of attention already, compared to Adobe and other vendors that started only recently to formalize their security advisory programs," Kandek says.

Meanwhile, Web servers are being attacked mainly via brute-force password guessing and Web application vulnerabilities, the report says. Attackers target Microsoft SQL Server, FTP, and SSH services for the password-guessing attacks mainly because these services provide direct access once a valid username and password are found.
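Password guessing against SSH is loud in the authentication log, which makes it one of the easier attacks in the report to detect. The following added example is not from the SANS report or from Dark Reading; it is illustrative detection logic written for this page. It parses constructed sshd syslog lines (the hostnames, IPs, usernames and timestamps are made up for the example), counts failures per source address in a sliding time window, and records whether a successful login followed the burst, which is the case an incident responder cares about most. The threshold and window values are assumptions, not figures from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines for this example (not real data).
# 203.0.113.7 sprays several accounts and then gets in as root;
# 198.51.100.20 is a user who mistyped once; 192.0.2.9 fails twice, far apart.
SAMPLE_LOG = """\
Sep 15 10:01:02 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 15 10:01:03 web01 sshd[4120]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Sep 15 10:01:04 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep 15 10:01:05 web01 sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Sep 15 10:01:06 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep 15 10:01:07 web01 sshd[4122]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Sep 15 10:03:11 web01 sshd[4130]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Sep 15 10:03:40 web01 sshd[4131]: Accepted publickey for alice from 198.51.100.20 port 40011 ssh2
Sep 15 10:20:00 web01 sshd[4140]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Sep 15 10:45:00 web01 sshd[4141]: Failed password for bob from 192.0.2.9 port 33001 ssh2
"""

# sshd auth messages: "<result> <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(lines, year=2009):
    """Return (timestamp, result, user, ip) tuples. Syslog omits the year,
    so the caller supplies it (assumed 2009 to match the article's period)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on any source IP with >= threshold failed logins inside a sliding
    window. The alert lists the usernames tried (account spraying shows up as
    many distinct names) and whether an Accepted login from the same IP
    followed the burst, i.e. whether the guessing probably succeeded."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, user) for ts, result, user in evs if result == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end][0]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "users": sorted({u for _, u in failures[start:end + 1]}),
                    "success_after": any(
                        result == "Accepted" and ts >= burst_end
                        for ts, result, _ in evs
                    ),
                }
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The window matters as much as the count: two failures 25 minutes apart from 192.0.2.9 stay below a 10-minute window at any threshold, but would trip a threshold of 2 with a one-hour window, so tune both against your own baseline. An alert with `success_after` set is the one to escalate, since a guessed credential on an SSH or database server is exactly the foothold the report says attackers are after.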

SANS' Ullrich says the "pass-the-hash" attacks featured in the report were an interesting find: once attackers get onto a system with a guessed password, they harvest the stored password hashes and authenticate to other systems with the hash itself, without having to crack it, to gain administrative access. "We don't see these because they aren't publicly reported much," he says.

More than 90 percent of attacks on Microsoft OSes in the past six months exploited the buffer overflow vulnerability in the Windows Server service patched by MS08-067 (CVE-2008-4250), with Conficker worm variants the main attacks, according to the report. And more than 70 percent of attacks on Apple systems came via the QuickTime image download flaw (CVE-2009-0007).

Nearly 35 million server-side HTTP attacks during the six-month period originated from Web servers in the U.S., followed by Thailand at around 1 million. As targets, U.S. Web servers suffered about 25 million such attacks, dwarfing every other victim country.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
