Report: most security efforts misdirected

Jake Widman
Wednesday, 16 September 2009 03:01

Business IT - Security

A new report from security researchers at the SANS Institute indicates that many organizations are focusing their security efforts in the wrong place. Operating system attacks are on the decline but get addressed quicker than the more frequent application and Web-based vulnerabilities.

The Top Cyber Security Risks report is based on data from March through August 2009, collected by security software and appliances deployed by TippingPoint and Qualys that represent more than 6,000 organizations and 9,000,000 systems.

The data was analyzed by the staff of the Internet Storm Center and by faculty at the SANS Institute.

The researchers found that the leading vulnerability is from unpatched client-side software such as Adobe Acrobat Reader and Flash, QuickTime, and Microsoft Office. Nevertheless, they found, "on average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities.

"In other words," the report continues, "the highest priority risk is getting less attention than the lower priority risk."

The report includes a seven-step tutorial, with illustrations, of how a client-side exploit works.

The second most important vulnerability identified was attacks against Web applications via SQL injection and Cross-Site Scripting.

Such attacks accounted for more than 60% of the observed attempts and more than 80% of the recorded vulnerabilities.

"Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities," the report says, "most website owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience."

The research discovered no new major OS attacks, other than the Conficker/Downadup worm.