SANS Report Says Organizations Focusing On the Wrong Security Threats
yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, and Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications than to patch their operating systems."
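One way to check the summary's claim inside your own estate is to measure the window between a vendor fix and its installation separately for the OS and for third-party applications, rather than reporting OS compliance alone. The script below is an added example with constructed hosts, products and dates (it is not the SANS report's tooling); `ADVISORIES`, `HOSTS` and `AS_OF` are made-up sample data.

```python
"""Patch-latency check split by category (OS vs. third-party app).

Added example with constructed sample data; not the SANS report's tooling.
Product names and dates below are made up for illustration.
"""
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed vendor advisory table: product -> (category, date the fix shipped)
ADVISORIES: Dict[str, Tuple[str, date]] = {
    "windows": ("os", date(2009, 8, 11)),
    "office": ("app", date(2009, 8, 11)),
    "flash": ("app", date(2009, 7, 30)),
    "reader": ("app", date(2009, 7, 30)),
}

# Constructed host inventory: product -> date the fix was applied, None = still missing
HOSTS: Dict[str, Dict[str, Optional[date]]] = {
    "ws01": {"windows": date(2009, 8, 13), "office": date(2009, 9, 1),
             "flash": None, "reader": date(2009, 8, 20)},
    "ws02": {"windows": date(2009, 8, 12), "office": None,
             "flash": date(2009, 8, 28), "reader": None},
    "ws03": {"windows": date(2009, 8, 18), "office": date(2009, 8, 31),
             "flash": date(2009, 8, 25), "reader": date(2009, 9, 3)},
}

# Constructed "today" for the report run
AS_OF = date(2009, 9, 15)


def exposure_days(product: str, applied: Optional[date], as_of: date) -> int:
    """Days between the vendor fix and its installation; an open window counts up to as_of."""
    _, released = ADVISORIES[product]
    end = applied if applied is not None else as_of
    return max((end - released).days, 0)


def latency_by_category(hosts: Dict[str, Dict[str, Optional[date]]],
                        as_of: date) -> Dict[str, float]:
    """Mean exposure window per category; an OS-only metric hides the app figure."""
    buckets: Dict[str, List[int]] = {}
    for inventory in hosts.values():
        for product, applied in inventory.items():
            category = ADVISORIES[product][0]
            buckets.setdefault(category, []).append(exposure_days(product, applied, as_of))
    return {category: mean(days) for category, days in buckets.items()}


def overdue(hosts: Dict[str, Dict[str, Optional[date]]],
            as_of: date, sla_days: int) -> List[Tuple[str, str, int]]:
    """Hosts still missing a fix that has been available longer than the SLA, worst first."""
    found: List[Tuple[str, str, int]] = []
    for host, inventory in hosts.items():
        for product, applied in inventory.items():
            if applied is None:
                days = exposure_days(product, None, as_of)
                if days > sla_days:
                    found.append((host, product, days))
    return sorted(found, key=lambda item: (-item[2], item[0], item[1]))


if __name__ == "__main__":
    for category, days in sorted(latency_by_category(HOSTS, AS_OF).items()):
        print(f"{category:>3}: mean {days:5.1f} days from vendor fix to install")
    for host, product, days in overdue(HOSTS, AS_OF, sla_days=14):
        print(f"OVERDUE {host} {product}: fix out for {days} days, not installed")
```

Feeding the same report real inventory and advisory dates gives the per-category lag the article says most organisations never look at.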
first
Chart (jpg) shows 92% 'other'.
Help stamp out iliturcy.
Wait, let me get this straight... Attackers are going after the things that aren't getting fixed as quickly? Who would have guessed!
Blessed are the pessimists, for they have made backups.
My place of employment is lucky to have our "patch management" guy. He is absolutely fanatical about keeping up-to-date on patches for OS and apps, anti-virus updates, and anti-malware updates. I make sure that I tell upper management about him every chance I get so he continues to be properly compensated. He would be difficult to replace. In fact, I doubt I would find another person with his level of dedication, which is kind of sad.
"I'm just here to regulate funkiness."
I had this discussion -- and yes, it was civil -- on deadly.org a while ago. Pointing out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.
Neither really mattered because people who wanted to cause trouble would simply be slitting the fabric (the apps) or cutting the ropes. Thus, a lot of the nit-picky little stuff that OpenBSD fanboys focus on vs Linux doesn't really matter. The issue isn't Linux or OpenBSD or Windows, it is now mostly .ASP, .PHP and other homebrew web code where people didn't sanitize input, do bounds checking, etc.
Learning HOW to think is more important than learning WHAT to think.
http://www.sans.org/top-cyber-security-risks/
SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat
They make it sound as if it's the fault of the client companies. In fact they probably apply all the security patches they get from their suppliers. If most of them come from the O/S vendors and relatively few come from the application vendors - you can hardly blame their clients.
Maybe SANS should, instead, be asking why application vendors are so tardy about providing fixes for the vulnerabilities that SANS seem to think are the most exploited? Of course, the answer would be that the baddies focus their efforts on the weakest link, which is why more attacks target the (weak) applications than the better supported operating systems.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
As a long time sysadmin and also as a programmer, I know that sysadmins generally try to draw their line of responsibilities or at least what they will take care of just below the "user installed software" level. I do have general knowledge of some of these applications and know which ones have vulnerabilities, but I usually ask that the programmer or user of the software maintain it. Although they seldom do and then ask for help when something gets hacked.
Perhaps the responsibility for these apps should be in the hands of the sysadmin as well, but the number of apps you have to maintain as you go up to that level increases exponentially. Plus, since they are usually not part of the OS, your OS company is not going to provide you with an easy way to maintain them, so you either need an application administrator or you need to train the programmer/user. Companies probably don't see the point.
Usually the "lowly" task of patching is sloughed off onto the sysadmins, while the developers in their hubris think there's nothing wrong with anything they wrote. OS/app patches are easily obtained and applied because many people use them. In house apps take a lot more resources to analyze and patch, and add the previously-mentioned hubris and you have a situation where resources will never be spent patching the in-house apps, because it's not their problem anyway.
Most companies I have worked for will overly lock down one area of security (ex. overly tight settings on web browsing) and completely ignore all other forms of security (ex. employee ability to install unlicensed SW on local PC). I can't say I've ever seen any of them install a patch for MS Office unless I did it myself on an individual machine. I'm sure the cost of manpower hours far outweighs the risk in most CFOs' minds (CIOs probably look at it differently but don't get the final say). I've also noticed it has a lot to do with the CIO's particular bent. Some feel a good "offense" is best while others are always taking the "defensive" posture.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Always telling you what you're doing wrong, never telling you how to do it right.
How do you serve up the content and services end-users expect without the security risks?
Simple answer: You can't.
Unless you're writing your own operating system and rolling your own PDF viewers and office suite and publishing your own flash-like plug-in that no one will ever want to install, you'll end up running around like a chicken with its head cut off every once in a while because of fucking adobe, fucking bill, fucking Linus 20 years ago, fucking java, etc.
You can extend this to hardware too if you want.
You never really know what that network card is doing, do you?
But at the end of the day, we have to get shit done. "Safety first" in construction is a farce. Getting the job done is first. Getting the job done right and on time is second. Safety's third. Maybe.
The same goes for security in the computer world. We cover the biggest holes and keep our ears open. But our primary goal is making shit available to the end-user.
I'm going to get shit from nerds claiming that I HAVE to be 100% secure. Fuck them. I HAVE to get the job done. My being 98% secure isn't very far from their being 99.99% secure.
Patching all the usual suspects (Adobe, Java, Office, the OS) certainly falls in the "should be done regularly and diligently" category. But as stated above, I understand why it doesn't always happen, (and it's not just due to incompetence).
A report saying what people are doing wrong isn't helpful. A report saying "these fuckers are always problematic - here's a practical solution" would be much more useful.
Seriously, big corporate needs to get off their asses and upgrade their internal web apps to run on IE7 or IE8 at least.
I feel like OS patching is less due to company policy than the presence of Windows Update. I imagine that a third-party app like Firefox is dramatically less likely to be vulnerable (ignoring plug-ins) than something like Office, simply because Mozilla makes it so easy to stay up-to-date. The solution isn't user-education; it's releasing patches more frequently, and making the patch process more transparent.
If a medium is presented that interacts with something it must be patched! The more prevalent the medium, the higher the level of patching required.
Whether that medium is email, your browser, the OS, office or the like should not matter. It doesn't matter if a new killer app comes out, if it interacts with your computers, you need to patch it for security issues on a routine basis.
Really, the OS, vendor, and the rest don't matter; what matters is that routine patching is done. At first people were surprised that they could get malware from disks, then files, then email, infected Internet sites and so on. Is it really a surprise to anyone that your applications like Acrobat and Flash are routinely targeted? Every time the media presents this as the 'next big thing', really, how did this non-story get approved?
Don't build computer system shanty towns. Require that systems be built by licensed and bonded professionals; that the work is inspected and certified; and that new systems and major changes get permits before starting. Worked for residential construction in the U.S. and we still have a relatively high home ownership rate.
This would have been so much easier to understand with a proper /. car analogy.
Proudly supporting the Libertarian Party.
Uhhh, I don't really get it. Can you put that in the form of a car analogy?
Sewage Treatment Facilities - "Our duty is clear."
Patching Windows is the main focus because it is the best bang for the buck. There are many tools to automate this process (Active Directory, Group Policy, SUS). There are no tools to automatically discover XSRF, XSS, and Injection attacks in your custom web apps, then write patches for them, then deploy and manage those patches. That's orders of magnitude more expensive.
When you have limited resources, you will just go for the lowest-hanging fruit. Obviously.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
People are the ultimate vulnerability. And that goes from applying the same solution for all problems (that desktop environment looks nice for personal trusted use, let's use it to let it run for hundreds of untrusted ones), to opening attachments, to confusing authority with knowledge (I am the boss and want full access to internet and all the corporate servers) to admins and thousands of etcs.
The security suite to solve it is education and common sense. One takes too long to get, while the other could take forever for some. How to raise a culture on security to "normal" people?
It's not funny. Corporate apps running ONLY on IE6 because they were developed by a bunch of barely-literate indians who only tested on IE6 are the reason "web side attacks" are a threat. Eliminating the use of IE6 would massively reduce the attack surface of an organization EVEN IF the org continued to use IE for some insane reason.
You're still missing the point totally.
Good luck telling your customers that "Who cares about your identity theft problem? Who cares that someone stole stuff from your account? It's not a big problem since we don't have to rebuild the O/S, so we don't have to wait hours to get it back up."
Uh huh.
The loss of the O/S hardly matters. The DATA does.
1) There are ZILLIONS of copies of the O/S out there, and many of them are the latest and greatest versions. There aren't zillions of copies of your data, and the few copies there are may not be the latest and greatest.
2) Your data backups could be full of already corrupted data and you don't know when the corruption started because the webapp is full of holes.
3) Restoring from backups does NOTHING when the problem is secret/confidential/sensitive information has been leaked.
The rebuild time for an O/S is not a problem, so many ways of dealing with it if necessary.
While installing office 2007 this morning, I too exacerbated... but I don't feel guilty or self-conscious about it. :D
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
The article presented interesting data but failed to understand how we got where we are. Formerly, the overwhelming majority of attacks were OS attacks. If both OS and application vulnerabilities are present, attackers are more likely to be able to find a vulnerable OS than a vulnerable application; there are a lot fewer OS choices than application choices. Over the years, sysadmins and major vendors realized this and made a huge effort to improve OS patch processes, with a fairly high degree of success. Attackers have responded by moving on to applications; particular apps are harder to find, but if the OSs are hardened, then app it is. But attackers are still probing OSs and trying attacks on them, too. If we improve application patching at the expense of OS patching, as recommended in this article, then we actually make attackers' jobs easier. So we can only improve application patching if it does not interfere with OS patching. If funds to do that are available, great. If not, the status quo may be best.
And for completeness:
There is :
So, in short, a great deal of software in addition to what came on your CD can already get updated today.
Not only that, but to make the whole experience more user friendly, some like openSUSE have developed a method where a single link on a web page can be processed by the package manager and, once given the necessary privilege, with 1 webpage click, you get automatically the correct repository added and the necessary packages selected.
Meanwhile, with microsoft you get 1 central system (windows updates) which is used for the OS and maybe for a couple of other microsoft products (MS-Office, Visual Studio) as long as the user selects the appropriate service (microsoft updates). Then you have a couple of other software packages which implement their own incompatible updates tracking (Firefox), of which some are really cumbersome (Acrobat). Virtually everything else is left to rot.
"Sufficiently advanced satire is indistinguishable from reality."
Can this company be trusted? This tool finds the most commonly used programs and versions to prioritize for hackers..
I hope that you are trying to be funny.
Laugh all you like, but a lot of applications for corporate intranets do specifically, and in some cases only, cater to IE: After all, it's what is on every machine in the office, right? And, it integrates with the Windows OS which most desktops have, right?
The downside here is that you now have to cater for the problems using IE as a core browser has. For comparison: Yes, still on IE6 for many places. The hassle of an IE browser upgrade on 20,000+ desktops will be on the nasty side.
Let's compare this to 5K of firefox upgrades, v2 to v3, recently undertaken. 1% of users had either a standard question to the helpdesk or a problem to be resolved. Less than 1% of that 1% had a Serious issue that could not be solved remotely. (quoting the PIR here)
Now. The last IE 'upgrade' (this word is in QUOTES as using this word to describe the changes from V5 to V6 for IE may not be considered an 'upward' movement by some) caused 20% of the user base to reference the FAQ and 5% to lodge a helpdesk call for assistance.
We're not even going to discuss the $##$%#@ developers. In case you're interested though.. it goes like this: 'Firefox upgrade? Sure. When?' .. as opposed to 'IE upgrade? Aw crap. WHEN? Will we have time to test? How long will we have to develop in parallel? What are the issues with the next version? Whose bucket will this come out of?'
YMMV
Yes, the data is highest in importance, etc. However, the data does not an entire server make, and getting that data back up and spinning ASAP is even more important.
Yes, the site getting popped for any reason still sucks. However, there's still the question as to how big of a crater gets left behind, to use an abstraction.
Pull the zoom back a bit and look at the larger picture. If the data gets corrupted, most-to-almost-all of it (depending on how you built things) can be restored and recovered. If you built the server right initially, you probably won't even lose anything really valuable (e.g. customer data) to those who penetrate the thing.
However, from this pulled-back view, the question still remains - how bad did it get?
I don't know about you, but I would much prefer to clean up after a pipe bomb blast than to clean up after a thermonuclear detonation.
Quo usque tandem abutere, Nimbus, patientia nostra?