Enterprises worldwide are focusing their efforts on the wrong threats, leaving their organizations wide open to Web and client-side attacks, according to a new report released today by the SANS Institute.

Most organizations are focusing their patching efforts and vulnerability scanning on the operating system (OS) -- but 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications, such as Microsoft Office and Adobe Flash, according to actual attack data gathered for the report. Meanwhile, enterprises are taking twice as long to patch their applications than to patch their OSes, the report says.

The SANS report is a compilation of data and analysis from multiple sources, including SANS Internet Storm Center. It includes attack data from 6,000 organizations running TippingPoint IPS systems, and vulnerability data from 9 million systems compiled by Qualys between March and August 2009. Forensic experts Ed Skoudis and Rob Lee provided input on incident response trends.

"Enterprises focus on attacks they can detect...[and] are expecting," says Johannes Ullrich, CTO of the SANS Internet Storm Center, who also contributed to the report. "But they are missing a lot."

More than 80 percent of vulnerabilities are in Web applications -- mostly SQL injection and cross-site scripting (XSS). And enterprises are patching OS vulnerabilities twice as quickly as they are patching vulnerabilities in Office and other applications, according to the report. "Similarly, with Web attacks more than half are aimed at SQL injection and XSS [according to the report's findings], but organizations focus their attention on scanning the OS and don't do application penetration-testing [on their Web apps]," says Alan Paller, director of research for the SANS Institute.

Paller says the hope is the report will help organizations reprioritize their patching and scanning efforts. "They can then move money from OS patching to application patching, and from Website system scanning to Web application scanning and penetration testing, and spend more on secure coding to make sure the Website isn't infecting trusting visitors," he says.

Zero-day attacks are on the rise in third-party applications, according to the report. "The last six months have seen multiple zero-day vulnerabilities in programs such as Adobe PDF, Adobe Flash, and Microsoft Office. These programs continue to be the playground for hackers to find new zero-days," says Rohit Dhamankar, the top scientist at TippingPoint. "The file formats are complex and support a large number of features -- providing much more opportunities to find vulnerabilities in the code. Combine this with the fact that these are very popular, widely used programs, and they essentially offer a green-field of opportunity for hackers."

SANS' Ullrich says patching third-party applications isn't easy. "Third-party applications can be tough. There's no good system," he says, adding that the key is inventorying third-party Web applications, which the report shows are a major attack vector.

Even so, says Wolfgang Kandek, CTO at Qualys, today's patch management tools can be configured to handle these third-party applications, as well. "There is no technical reason not to patch," he says. "Organizations that focus mainly on OS vulnerabilities are exposing themselves to increased risk through vulnerable applications. Attackers have noticed this opportunity and are exploiting it."

Qualys' Kandek says he was surprised that enterprises are patching their Office applications so slowly. "The patching cycle for Microsoft Office is surprisingly slow given that these patches are included in Patch Tuesday and receive a lot of attention already, compared to Adobe and other vendors that started only recently to formalize their security advisory programs," Kandek says.

Meanwhile, Web servers are being attacked mainly via brute-force password guessing and Web application vulnerabilities, the report says. Attackers are targeting Microsoft SQL, FTP, and SSH servers for the password-cracking attacks mainly because these provide easy access once a username and password is found.

SANS' Ullrich says the "pass-the-hash" attacks for exploiting guessed passwords and using their hashes to gain administrative access to the victims' systems featured in the report was an interesting find. "We don't see these because they aren't publicly reported much," he says.

More than 90 percent of attacks on Microsoft OSes in the past six months used a buffer overflow vulnerability, MS098-067, and Conficker worm variants were the main attacks, according to the report. And more than 70 percent of attacks on Apple systems came via the QuickTime image download flaw (CVE-2009-0007).

U.S. Web servers were used in nearly 35 million server-side HTTP attacks during the six-month period, followed by Thailand, which was at around 1 million such attacks. U.S. Web servers suffered about 25 million such attacks, dwarfing other victim countries.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.