SANS Report Says Organizations Focusing On the Wrong Security Threats
yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, Adobe Flash, and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications as to patch their operating systems."
Chart (jpg) shows 92% 'other'.
Help stamp out iliturcy.
Wait, let me get this straight... Attackers are going after the things that aren't getting fixed as quickly? Who would have guessed!
Blessed are the pessimists, for they have made backups.
My place of employment is lucky to have our "patch management" guy. He is absolutely fanatical about keeping up-to-date on patches for OS and apps, anti-virus updates, and anti-malware updates. I make sure that I tell upper management about him every chance I get so he continues to be properly compensated. He would be difficult to replace. In fact, I doubt I would find another person with his level of dedication, which is kind of sad.
"I'm just here to regulate funkiness."
I had this discussion -- and yes, it was civil -- on deadly.org a while ago, pointing out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.
Neither really mattered because people who wanted to cause trouble would simply be slitting the fabric (the apps) or cutting the ropes. Thus, a lot of the nitpicky little stuff that OpenBSD fanboys focus on vs Linux doesn't really matter. The issue isn't Linux or OpenBSD or Windows; it is now mostly .ASP, .PHP and other homebrew web code where people didn't sanitize input, do bounds checking, etc.
Learning HOW to think is more important than learning WHAT to think.
http://www.sans.org/top-cyber-security-risks/
SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat
They make it sound as if it's the fault of the client companies. In fact they probably apply all the security patches they get from their suppliers. If most of them come from the O/S vendors and relatively few come from the application vendors - you can hardly blame their clients.
Maybe SANS should, instead, be asking why application vendors are so tardy about providing fixes for the vulnerabilities that SANS seems to think are the most exploited? Of course, the answer would be that the baddies focus their efforts on the weakest link, which is why more attacks target the (weak) applications than the better supported operating systems.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
As a long-time sysadmin and also as a programmer, I know that sysadmins generally try to draw their line of responsibilities, or at least what they will take care of, just below the "user installed software" level. I do have general knowledge of some of these applications and know which ones have vulnerabilities, but I usually ask that the programmer or user of the software maintain it. They seldom do, though, and then ask for help when something gets hacked.
Perhaps the responsibility for these apps should be in the hands of the sysadmin as well, but the number of apps you have to maintain as you go up to that level increases exponentially. Plus, since they are usually not part of the OS, your OS company is not going to provide you with an easy way to maintain them, so you either need an application administrator or you need to train the programmer/user. Companies probably don't see the point.
Usually the "lowly" task of patching is sloughed off onto the sysadmins, while the developers in their hubris think there's nothing wrong with anything they wrote. OS/app patches are easily obtained and applied because many people use them. In house apps take a lot more resources to analyze and patch, and add the previously-mentioned hubris and you have a situation where resources will never be spent patching the in-house apps, because it's not their problem anyway.
Most companies I have worked for will overly lock down one area of security (ex. overly tight settings on web browsing) and completely ignore all other forms of security (ex. employee ability to install unlicensed SW on local PC). I can't say I've ever seen any of them install a patch for MS Office unless I did it myself on an individual machine. I'm sure the cost of manpower hours far outweighs the risk in most CFOs' minds (CIOs probably look at it differently but don't get the final say). I've also noticed it has a lot to do with the CIO's particular bent. Some feel a good "offense" is best while others are always taking the "defensive" posture.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Always telling you what you're doing wrong, never telling you how to do it right.
How do you serve up the content and services end-users expect without the security risks?
Simple answer: You can't.
Unless you're writing your own operating system and rolling your own PDF viewers and office suite and publishing your own flash-like plug-in that no one will ever want to install, you'll end up running around like a chicken with its head cut off every once in a while because of fucking adobe, fucking bill, fucking Linus 20 years ago, fucking java, etc.
You can extend this to hardware too if you want.
You never really know what that network card is doing, do you?
But at the end of the day, we have to get shit done. "Safety first" in construction is a farce. Getting the job done is first. Getting the job done right and on time is second. Safety's third. Maybe.
The same goes for security in the computer world. We cover the biggest holes and keep our ears open. But our primary goal is making shit available to the end-user.
I'm going to get shit from nerds claiming that I HAVE to be 100% secure. Fuck them. I HAVE to get the job done. My being 98% secure isn't very far from their being 99.99% secure.
Patching all the usual suspects (Adobe, Java, Office, the OS) certainly falls in the "should be done regularly and diligently" category. But as stated above, I understand why it doesn't always happen, (and it's not just due to incompetence).
A report saying what people are doing wrong isn't helpful. A report saying "these fuckers are always problematic - here's a practical solution" would be much more useful.
Seriously, big corporate needs to get off their asses and upgrade their internal web apps to run on IE7 or IE8 at least.
I feel like OS patching is less due to company policy than the presence of Windows Update. I imagine that a third-party app like Firefox is dramatically less likely to be vulnerable (ignoring plug-ins) than something like Office, simply because Mozilla makes it so easy to stay up-to-date. The solution isn't user-education; it's releasing patches more frequently, and making the patch process more transparent.
If a medium is presented that interacts with something it must be patched! The more prevalent the medium, the higher the level of patching required.
Whether that medium is email, your browser, the OS, office or the like should not matter. It doesn't matter if a new killer app comes out, if it interacts with your computers, you need to patch it for security issues on a routine basis.
Really, the OS, vendor, and the rest don't matter; what matters is that routine patching is done. At first people were surprised that they could get malware from disks, then files, then email, infected Internet sites and so on. Is it really a surprise to anyone that applications like Acrobat and Flash are routinely targeted? Every time the media presents this as the 'next big thing'; really, how did this non-story get approved?
Don't build computer system shanty towns. Require that systems be built by licensed and bonded professionals; that the work is inspected and certified; and that new systems and major changes get permits before starting. Worked for residential construction in the U.S. and we still have a relatively high home ownership rate.
This would have been so much easier to understand with a proper /. car analogy.
Proudly supporting the Libertarian Party.
Uhhh, I don't really get it. Can you put that in the form of a car analogy?
Sewage Treatment Facilities - "Our duty is clear."
Patching Windows is the main focus because it is the best bang for the buck. There are many tools to automate this process (Active Directory, Group Policy, SUS). There are no tools to automatically discover XSRF, XSS, and Injection attacks in your custom web apps, then write patches for them, then deploy and manage those patches. That's orders of magnitude more expensive.
When you have limited resources, you will just go for the lowest-hanging fruit. Obviously.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
People are the ultimate vulnerability. And that goes from applying the same solution for all problems (that desktop environment looks nice for personal trusted use, let's use it to let it run for hundreds of untrusted ones), to opening attachments, to confusing authority with knowledge (I am the boss and want full access to the internet and all the corporate servers), to admins and thousands of etcs.
The security suite to solve it is education and common sense. One takes too long to get, while the other could take forever for some. How to raise a culture on security to "normal" people?
It's not funny. Corporate apps running ONLY on IE6 because they were developed by a bunch of barely-literate Indians who only tested on IE6 are the reason "web side attacks" are a threat. Eliminating the use of IE6 would massively reduce the attack surface of an organization EVEN IF the org continued to use IE for some insane reason.
You're still missing the point totally.
Good luck telling your customers that "Who cares about your identity theft problem? Who cares that someone stole stuff from your account? It's not a big problem since we don't have to rebuild the O/S, so we don't have to wait hours to get it back up."
Uh huh.
The loss of the O/S hardly matters. The DATA does.
1) There are ZILLIONS of copies of the O/S out there, and many of them are the latest and greatest versions. There aren't zillions of copies of your data, and the few copies there may not be the latest and greatest.
2) Your data backups could be full of already corrupted data and you don't know when the corruption started because the webapp is full of holes.
3) Restoring from backups does NOTHING when the problem is secret/confidential/sensitive information has been leaked.
The rebuild time for an O/S is not a problem; there are so many ways of dealing with it if necessary.
While installing office 2007 this morning, I too exacerbated... but I don't feel guilty or self-conscious about it. :D
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
The article presented interesting data but failed to understand how we got where we are. Formerly, the overwhelming majority of attacks were OS attacks. If both OS and application vulnerabilities are present, attackers are more likely to be able to find a vulnerable OS than a vulnerable application; there are a lot fewer OS choices than application choices. Over the years, sysadmins and major vendors realized this and made a huge effort to improve OS patch processes, with a fairly high degree of success. Attackers have responded by moving on to applications; particular apps are harder to find, but if the OSs are hardened, then app it is. But attackers are still probing OSs and trying attacks on them, too. If we improve application patching at the expense of OS patching, as recommended in this article, then we actually make attackers' jobs easier. So we can only improve application patching if it does not interfere with OS patching. If funds to do that are available, great. If not, the status quo may be best.
And for completeness:
There is :
So, in short, a great deal of software in addition to what came on your CD can already get updated today.
Not only that, but to make the whole experience more user friendly, some like openSUSE have developed a method where a single link on a web page can be processed by the package manager and, once given the necessary privilege, with 1 webpage click, you get the correct repository added and the necessary packages selected automatically.
Meanwhile, with microsoft you get 1 central system (windows updates) which is used for the OS and maybe for a couple of other microsoft products (MS-Office, Visual Studio) as long as the user selects the appropriate service (microsoft updates). Then you have a couple of other programs which implement their own incompatible update tracking (Firefox), of which some are really cumbersome (Acrobat). Virtually everything else is left to rot.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Can this company be trusted? This tool finds the most commonly used programs and versions to prioritize for hackers.
I hope that you are trying to be funny.
Laugh all you like, but a lot of applications for corporate intranets do specifically, and in some cases only, cater to IE: After all, it's what is on every machine in the office, right? And, it integrates with the Windows OS which most desktops have, right?
The downside here is that you now have to cater for the problems using IE as a core browser has. For comparison: Yes, still on IE6 for many places. The hassle of an IE browser upgrade on 20,000+ desktops will be on the nasty side.
Let's compare this to 5K Firefox upgrades, v2 to v3, recently undertaken. 1% of users had either a standard question to the helpdesk or a problem to be resolved. Less than 1% of that 1% had a serious issue that could not be solved remotely. (quoting the PIR here)
Now. The last IE 'upgrade' (this word is in QUOTES as using this word to describe the changes from V5 to V6 for IE may not be considered an 'upward' movement by some) caused 20% of the user base to reference the FAQ and 5% to lodge a helpdesk call for assistance.
We're not even going to discuss the $##$%#@ developers. In case you're interested though, it goes like this: 'Firefox upgrade? Sure. When?' as opposed to 'IE upgrade? Aw crap. WHEN? Will we have time to test? How long will we have to develop in parallel? What are the issues with the next version? Whose bucket will this come out of?'
YMMV
Yes, the data is highest in importance, etc. However, the data alone does not make an entire server, and getting that data back up and spinning ASAP is even more important.
Yes, the site getting popped for any reason still sucks. However, there's still the question as to how big of a crater gets left behind, to use an abstraction.
Pull the zoom back a bit and look at the larger picture. If the data gets corrupted, most-to-almost-all of it (depending on how you built things) can be restored and recovered. If you built the server right initially, you probably won't even lose anything really valuable (e.g. customer data) to those who penetrate the thing.
However, from this pulled-back view, the question still remains - how bad did it get?
I don't know about you, but I would much prefer to clean up after a pipe bomb blast than to clean up after a thermonuclear detonation.
How long, Nimbus, will you abuse our patience?