SANS Report Says Organizations Focusing On the Wrong Security Threats

yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, and Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications than to patch their operating systems."

OpenBSD vs Linux

[chill]

I had this discussion -- and yes, it was civil -- on deadly.org a while ago. Pointing out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.

Neither really mattered because people who wanted to cause trouble would simply be slitting the fabric (the apps) or cutting the ropes. Thus, a lot of the nit picky little stuff that OpenBSD fanboys focus on vs Linux doesn't really matter. The issue isn't Linux or OpenBSD or Windows, it is now mostly .ASP, .PHP and other homebrew web code where people didn't sanitize input, do bounds checking, etc.

The problem is in job responsibility

[suso]

As a long time sysadmin and also as a programmer, I know that sysadmins generally try to draw their line of responsibilities or at least what they will take care of just below the "user installed software" level. I do have general knowledge of some of these applications and know which ones have vulnerabilities, but I usually ask that the programmer or user of the software maintain it. Although they seldom do and then ask for help when something gets hacked.

Perhaps the responsibility for these apps should be in the hands of the sysadmin as well, but the number of apps you have to maintain as you go up to that level increases exponentially. Plus, since they are usually not part of the OS, your OS company is not going to provide you with an easy way to maintain them, so you either need an application administrator or you need to train the programmer/user. Companies probably don't see the point.

Re:Insecurity Experts

[Bert64]

The problem is that while there are solutions, they often won't be considered for various reasons...

There are expensive patch management systems for windows, but they are often extremely expensive and typically complex to manage.

There is the option of moving to linux, where on any modern distro it's easy to keep all your applications up to date with patches, but people are either locked in to windows applications, afraid to try something new or simply have no knowledge of linux.

I would say that the benefits are a lot more than the 1.9% you mention, and if done correctly actually requires *less* work... I keep a small network of linux boxes fully up to date and spend very little time doing so, while other people managing a similar sized windows network tend to lag behind badly (especially on third party apps). I have the package manager update its package list daily, and alert me if theres any needed updates.