
9/15/2009 10:23 AM
SANS Report: 60% Of All Attacks Hit Web Applications, Most In The U.S.

New attack data shows organizations are missing the mark in their security priorities, as client-side application flaws and Web application flaws dominate as attack vectors

Enterprises worldwide are focusing their efforts on the wrong threats, leaving their organizations wide open to Web and client-side attacks, according to a new report released today by the SANS Institute.

Most organizations are focusing their patching efforts and vulnerability scanning on the operating system (OS) -- but 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications, such as Microsoft Office and Adobe Flash, according to actual attack data gathered for the report. Meanwhile, enterprises are taking twice as long to patch their applications as they take to patch their OSes, the report says.

The SANS report is a compilation of data and analysis from multiple sources, including SANS Internet Storm Center. It includes attack data from 6,000 organizations running TippingPoint IPS systems, and vulnerability data from 9 million systems compiled by Qualys between March and August 2009. Forensic experts Ed Skoudis and Rob Lee provided input on incident response trends.

"Enterprises focus on attacks they can detect...[and] are expecting," says Johannes Ullrich, CTO of the SANS Internet Storm Center, who also contributed to the report. "But they are missing a lot."

More than 80 percent of vulnerabilities are in Web applications -- mostly SQL injection and cross-site scripting (XSS). And enterprises are patching OS vulnerabilities twice as quickly as they are patching vulnerabilities in Office and other applications, according to the report. "Similarly, with Web attacks more than half are aimed at SQL injection and XSS [according to the report's findings], but organizations focus their attention on scanning the OS and don't do application penetration-testing [on their Web apps]," says Alan Paller, director of research for the SANS Institute.

Paller says the hope is the report will help organizations reprioritize their patching and scanning efforts. "They can then move money from OS patching to application patching, and from Website system scanning to Web application scanning and penetration testing, and spend more on secure coding to make sure the Website isn't infecting trusting visitors," he says.
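The report's two dominant Web vulnerability classes, SQL injection and cross-site scripting, are both failures to keep untrusted input separate from code, which is what Paller's "secure coding" remark refers to. The following is an added illustration written for this article, not code from the SANS report or any of the vendors quoted: a lookup that concatenates user input into SQL beside one that binds it as a parameter, and a page fragment that echoes input raw beside one that HTML-escapes it. The user table, the function names and the `sqlite3` in-memory database are all constructed for the example.

```python
import html
import sqlite3

# Constructed sample data for the example: a tiny user table, not real accounts.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """VULNERABLE: the input is spliced into the SQL text, so quote characters
    in the input are parsed as part of the query grammar rather than as data.
    A scanner that only checks the OS never sees this; an application-level
    test (or code review) does."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """HARDENED: placeholder binding keeps the input a value; the driver never
    parses it as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting_unsafe(name: str) -> str:
    """VULNERABLE: reflects the input into HTML unchanged (reflected XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """HARDENED: output-encode for the HTML text context before reflecting."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # a quote-bearing input, the kind a Web app test sends
    print("unsafe:", find_email_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_email_safe(db, probe))     # no user has that literal name
    print(render_greeting_safe("<b>guest</b>"))
```

The two "safe" functions are the whole fix: parameterized queries for the database and context-appropriate output encoding for the page. Neither requires an OS patch, which is why the report's point about scanning and testing the application layer matters.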

Zero-day attacks are on the rise in third-party applications, according to the report. "The last six months have seen multiple zero-day vulnerabilities in programs such as Adobe PDF, Adobe Flash, and Microsoft Office. These programs continue to be the playground for hackers to find new zero-days," says Rohit Dhamankar, the top scientist at TippingPoint. "The file formats are complex and support a large number of features -- providing many more opportunities to find vulnerabilities in the code. Combine this with the fact that these are very popular, widely used programs, and they essentially offer a green-field of opportunity for hackers."

SANS' Ullrich says patching third-party applications isn't easy. "Third-party applications can be tough. There's no good system," he says, adding that the key is inventorying third-party Web applications, which the report shows are a major attack vector.

Even so, says Wolfgang Kandek, CTO at Qualys, today's patch management tools can be configured to handle these third-party applications, as well. "There is no technical reason not to patch," he says. "Organizations that focus mainly on OS vulnerabilities are exposing themselves to increased risk through vulnerable applications. Attackers have noticed this opportunity and are exploiting it."

Qualys' Kandek says he was surprised that enterprises are patching their Office applications so slowly. "The patching cycle for Microsoft Office is surprisingly slow given that these patches are included in Patch Tuesday and receive a lot of attention already, compared to Adobe and other vendors that started only recently to formalize their security advisory programs," Kandek says.

Meanwhile, Web servers are being attacked mainly via brute-force password guessing and Web application vulnerabilities, the report says. Attackers are targeting Microsoft SQL, FTP, and SSH servers for the password-guessing attacks mainly because these provide easy access once a valid username and password are found.
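Password guessing against SSH, FTP and SQL Server is loud: each attempt leaves a failed-login record, so the detection side is a matter of counting failures per source within a time window and noticing when one source cycles through many account names. The code below is an added example for this article, not tooling from SANS, TippingPoint or Qualys. It parses constructed sshd-style auth log lines (the addresses are RFC 5737 documentation ranges, the host and PIDs are made up) and flags any source with at least `threshold` failures inside a sliding `window`; the same counting logic applies to FTP or SQL Server failed-login events once a parser for their format is substituted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example, not a real capture.
SAMPLE_LOG = """\
Sep 15 10:23:01 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Sep 15 10:23:02 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40213 ssh2
Sep 15 10:23:02 web1 sshd[4122]: Failed password for root from 203.0.113.5 port 40214 ssh2
Sep 15 10:23:03 web1 sshd[4123]: Failed password for root from 203.0.113.5 port 40215 ssh2
Sep 15 10:23:04 web1 sshd[4124]: Failed password for oracle from 203.0.113.5 port 40216 ssh2
Sep 15 10:23:05 web1 sshd[4125]: Failed password for postgres from 203.0.113.5 port 40217 ssh2
Sep 15 10:23:30 web1 sshd[4130]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Sep 15 10:23:45 web1 sshd[4131]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Sep 15 10:40:00 web1 sshd[4140]: Failed password for bob from 198.51.100.7 port 51002 ssh2
"""

# Matches the OpenSSH "Failed password" message in classic syslog framing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text: str, year: int = 2009) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, source_ip, username) for every failed-login line.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold: int = 5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source IP.

    Returns {ip: (peak_failures_in_window, sorted_usernames_tried)} for every
    source that reached `threshold` failures within `window`. A single user
    mistyping a password stays below the threshold; a guessing tool does not.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, items in by_ip.items():
        best = None
        start = 0
        for end in range(len(items)):
            # Advance the window start until it is within `window` of this event.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, sorted({u for _, u in items[start:end + 1]}))
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {count} failures, accounts tried: {', '.join(users)}")
```

Two details carry most of the signal: the failure count is measured over a window rather than a whole day, so a slow legitimate user is not swept up, and the set of distinct usernames is reported alongside the count, since guessing across `admin`, `root`, `oracle` and `postgres` from one address is not what a forgetful employee looks like.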

SANS' Ullrich says the "pass-the-hash" attacks featured in the report, in which attackers exploit guessed passwords and use their hashes to gain administrative access to victims' systems, were an interesting find. "We don't see these because they aren't publicly reported much," he says.

More than 90 percent of attacks on Microsoft OSes in the past six months used a buffer overflow vulnerability, MS08-067, and Conficker worm variants were the main attacks, according to the report. And more than 70 percent of attacks on Apple systems came via the QuickTime image download flaw (CVE-2009-0007).

U.S. Web servers were the source of nearly 35 million server-side HTTP attacks during the six-month period, followed by Thailand at around 1 million such attacks. U.S. Web servers were also the leading target, suffering about 25 million such attacks and dwarfing other victim countries.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
