
Risk

9/15/2009
10:23 AM

SANS Report: 60% Of All Attacks Hit Web Applications, Most In The U.S.

New attack data shows organizations are missing the mark in their security priorities as client-side application flaws, Web flaws dominate as attack vectors

Enterprises worldwide are focusing their efforts on the wrong threats, leaving their organizations wide open to Web and client-side attacks, according to a new report released today by the SANS Institute.

Most organizations are focusing their patching efforts and vulnerability scanning on the operating system (OS) -- but 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications, such as Microsoft Office and Adobe Flash, according to actual attack data gathered for the report. Meanwhile, enterprises are taking twice as long to patch their applications as they take to patch their OSes, the report says.

The SANS report is a compilation of data and analysis from multiple sources, including SANS Internet Storm Center. It includes attack data from 6,000 organizations running TippingPoint IPS systems, and vulnerability data from 9 million systems compiled by Qualys between March and August 2009. Forensic experts Ed Skoudis and Rob Lee provided input on incident response trends.

"Enterprises focus on attacks they can detect...[and] are expecting," says Johannes Ullrich, CTO of the SANS Internet Storm Center, who also contributed to the report. "But they are missing a lot."

More than 80 percent of vulnerabilities are in Web applications -- mostly SQL injection and cross-site scripting (XSS). And enterprises are patching OS vulnerabilities twice as quickly as they are patching vulnerabilities in Office and other applications, according to the report. "Similarly, with Web attacks, more than half are aimed at SQL injection and XSS [according to the report's findings], but organizations focus their attention on scanning the OS and don't do application penetration-testing [on their Web apps]," says Alan Paller, director of research for the SANS Institute.

Paller says the hope is the report will help organizations reprioritize their patching and scanning efforts. "They can then move money from OS patching to application patching, and from Website system scanning to Web application scanning and penetration testing, and spend more on secure coding to make sure the Website isn't infecting trusting visitors," he says.
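The two Web flaw classes the report singles out, SQL injection and XSS, are both fixed by the same secure-coding discipline Paller refers to: keep untrusted input out of the code that interprets it. The following is an added illustration, not code from the SANS report or from Dark Reading; the table, the users and the inputs are constructed for the demonstration. It puts a string-concatenated query beside a parameterized one, and raw comment rendering beside escaped rendering, so the difference can be observed directly.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user store with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable form: the caller's text is spliced into the SQL statement,
    # so quotes and operators inside it are parsed as SQL, not as data.
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Hardened form: the value is bound by the driver and can only ever be
    # compared as a string; it is never parsed as part of the statement.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment_vulnerable(text):
    # Vulnerable form: user text is dropped into HTML unchanged, so any
    # markup in it becomes part of the page (the classic stored-XSS sink).
    return "<p class=\"comment\">%s</p>" % text


def render_comment_safe(text):
    # Hardened form: output encoding turns <, >, &, and quotes into entities,
    # so the browser shows the text instead of interpreting it.
    return "<p class=\"comment\">%s</p>" % html.escape(text)


def demo():
    """Run the same inputs through both forms and report what each returns."""
    conn = make_db()
    # Textbook tautology input used in every SQL-injection tutorial; it is
    # here only to show that the parameterized query treats it as a name.
    tautology = "x' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, tautology)),
        "safe_rows": len(find_user_safe(conn, tautology)),
        "normal_rows": len(find_user_safe(conn, "alice")),
        "raw_contains_tag": "<script>" in render_comment_vulnerable(markup),
        "escaped_contains_tag": "<script>" in render_comment_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every user for the tautology input, while the parameterized lookup returns none, because the bound value is compared literally against the username column. Scanning the operating system would never surface either defect; only testing the application's own handling of input does.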

Zero-day attacks are on the rise in third-party applications, according to the report. "The last six months have seen multiple zero-day vulnerabilities in programs such as Adobe PDF, Adobe Flash, and Microsoft Office. These programs continue to be the playground for hackers to find new zero-days," says Rohit Dhamankar, the top scientist at TippingPoint. "The file formats are complex and support a large number of features -- providing much more opportunities to find vulnerabilities in the code. Combine this with the fact that these are very popular, widely used programs, and they essentially offer a green-field of opportunity for hackers."

SANS' Ullrich says patching third-party applications isn't easy. "Third-party applications can be tough. There's no good system," he says, adding that the key is inventorying third-party Web applications, which the report shows are a major attack vector.

Even so, says Wolfgang Kandek, CTO at Qualys, today's patch management tools can be configured to handle these third-party applications, as well. "There is no technical reason not to patch," he says. "Organizations that focus mainly on OS vulnerabilities are exposing themselves to increased risk through vulnerable applications. Attackers have noticed this opportunity and are exploiting it."

Qualys' Kandek says he was surprised that enterprises are patching their Office applications so slowly. "The patching cycle for Microsoft Office is surprisingly slow given that these patches are included in Patch Tuesday and receive a lot of attention already, compared to Adobe and other vendors that started only recently to formalize their security advisory programs," Kandek says.

Meanwhile, Web servers are being attacked mainly via brute-force password guessing and Web application vulnerabilities, the report says. Attackers are targeting Microsoft SQL, FTP, and SSH servers for the password-cracking attacks mainly because these provide easy access once a username and password are found.
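Password guessing against SSH, FTP and database listeners is noisy in the authentication logs of the target, which makes it one of the easier findings in the report to detect. The following detector is an added example and not part of the SANS report or of any tool it cites; the log lines are constructed to resemble OpenSSH `sshd` messages, the year is assumed because syslog timestamps carry none, and the threshold and window are arbitrary tuning values. It counts failed logins per source address within a sliding window and, separately, flags a successful login that follows such a burst, which is the case the report describes: access gained once a username and password are found.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the common OpenSSH password-auth outcome lines (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log: one source makes five rapid failures and then
# succeeds as root; a second source makes two failures far apart.
SAMPLE_LOG = [
    "Sep 15 10:01:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Sep 15 10:01:03 web1 sshd[2232]: Failed password for invalid user test from 203.0.113.7 port 51235 ssh2",
    "Sep 15 10:01:04 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Sep 15 10:01:05 web1 sshd[2234]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "Sep 15 10:01:06 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Sep 15 10:01:07 web1 sshd[2235]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.7",
    "Sep 15 10:01:20 web1 sshd[2240]: Accepted password for root from 203.0.113.7 port 51240 ssh2",
    "Sep 15 10:05:00 web1 sshd[2250]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Sep 15 10:20:00 web1 sshd[2260]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
]


def parse(line, year=2009):
    """Return (timestamp, result, user, ip) for an auth outcome line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failure counter per source IP.

    Emits ("bruteforce", ip, count) once per IP when failures within the
    window reach the threshold, and ("success_after_bruteforce", ip, user)
    when an accepted login arrives while the failure burst is still in window.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                # unrelated sshd chatter is skipped
        ts, result, user, ip = parsed
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent)))
        elif result == "Accepted" and len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures is routine background noise on any Internet-facing host, but an accepted login from the same source inside the same window is the point at which guessing has become access. The same structure applies to FTP or Microsoft SQL Server logon-failure records once the regular expression is adapted to their formats.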

SANS' Ullrich says the report's findings on "pass-the-hash" attacks, in which attackers exploit guessed passwords and use their hashes to gain administrative access to victims' systems, were an interesting find. "We don't see these because they aren't publicly reported much," he says.

More than 90 percent of attacks on Microsoft OSes in the past six months used a buffer overflow vulnerability, MS08-067, and Conficker worm variants were the main attacks, according to the report. And more than 70 percent of attacks on Apple systems came via the QuickTime image download flaw (CVE-2009-0007).

U.S. Web servers were the source of nearly 35 million server-side HTTP attacks during the six-month period, followed by Thailand, at around 1 million such attacks. U.S. Web servers were also the most frequent victims, suffering about 25 million such attacks, dwarfing other victim countries.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
