Slashdot Mirror


SANS Report Says Organizations Focusing On the Wrong Security Threats

yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications as to patch their operating systems."

29 of 98 comments

  1. Most type of exploit is 'other' by symbolset · · Score: 3, Funny

    Chart(jpg) shows 92% 'other'.

    --
    Help stamp out iliturcy.
    1. Re:Most type of exploit is 'other' by Knuckles · · Score: 2, Interesting

      Yeah, and if they were honest and serious that's where they would have said, "third-party applications can be tough. There are very good systems for patching them, like Debian's APT, but sadly most vendors of proprietary software have made practically no progress in this area in two decades".

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    2. Re:Most type of exploit is 'other' by HangingChad · · Score: 2, Interesting

      Business Computers == WindowsXP

      I guess we're one of the approximations. ;) Our office is more Ubuntu than Windows and people, astonishing to the Windows faithful, don't have any trouble getting their work done.

      Almost any office could replace many, if not most, of their desktops with Ubuntu with very little difficulty. The level of effort increases to another level if you want to try replacing all of them.

      Imagine having APT for a large percentage of your desktops. A couple keystrokes to run a script and they're all up to date. Sweet.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    3. Re:Most type of exploit is 'other' by Artifakt · · Score: 2, Interesting

      The claim that there is no good system is just the sort of claim that gets quoted out of context, and when it happens, supposedly expert technical people will be the ones making the mistakes.

      Think of it like politics. Someone writes a story specifically about the Democratic party in Ohio. Five paragraphs in, they say "There are no particularly distinguished front runners for the upcoming election." What happens when that gets quoted by itself - is there much chance at all that someone will put (for the 2012 Ohio governor's race) after the quote? It seems far more likely that someone will claim the original author said there were no distinguished candidates for the whole Democratic party this time around, or misapply it to the presidential election, or maybe someone with different biases will apply it to both major parties nationwide.

      Authors, when they are trying to be fact-focused, fair, and rational, frequently go over their manuscripts looking for likely quotes that won't look right if quoted out of context, and insert internal context (in this case it would be something such as 'there's no good system in Windows for patching them'). It's often a mistake to rely on context from outside the immediate quote to keep things clear.

      Editors often take these modifications back out for brevity, but I've known several professional editors who had to deal with the results (i.e. a libel suit over something that wasn't libelous in full context) and have started encouraging such additional context instead.

      So you're right - the problem hasn't been solved for Microsoft products. And the parent poster is right - the article is easy to misquote, and that hurts its overall credibility.

      --
      Who is John Cabal?
    4. Re:Most type of exploit is 'other' by ShieldW0lf · · Score: 2, Informative

      Did you forget to read the top of the figure where it says "Microsoft OS" and not "Linux"?

      No, I didn't forget to read it. It wasn't there. "Microsoft OS", "Windows", these were not mentioned in the article nor in the report. Things that were mentioned were things like Flash, Acrobat Reader and Microsoft Office. I get my updates to Flash and Acrobat through apt, so I think it's pretty relevant. My office suite is also updated via apt, although it wasn't made by Microsoft.

      --
      -1 Uncomfortable Truth
  2. From the "No Duh" department... by spinkham · · Score: 4, Funny

    Wait, let me get this straight... Attackers are going after the things that aren't getting fixed as quickly? Who would have guessed!

    --
    Blessed are the pessimists, for they have made backups.
  3. We are just lucky I guess by 2names · · Score: 2, Informative

    My place of employment is lucky to have our "patch management" guy. He is absolutely fanatical about keeping up-to-date on patches for OS and apps, anti-virus updates, and anti-malware updates. I make sure that I tell upper management about him every chance I get so he continues to be properly compensated. He would be difficult to replace. In fact, I doubt I would find another person with his level of dedication, which is kind of sad.

    --
    "I'm just here to regulate funkiness."
    1. Re:We are just lucky I guess by localman57 · · Score: 2, Funny

      Well, kudos to you (er, him!) for keeping everyone's computers up to date!

    2. Re:We are just lucky I guess by Inda · · Score: 2, Funny

      The cheque's in the post mate. Cheers.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    3. Re:We are just lucky I guess by 2names · · Score: 4, Funny

      No, no, nooooo. I just appreciate him for his - uh - skills in the patch managem...dammit. If any of you douchers says "bromance" I'm kicking your ass. Now I'm off to the Monster Truck rally.

      --
      "I'm just here to regulate funkiness."
  4. OpenBSD vs Linux by chill · · Score: 5, Insightful

    I had this discussion -- and yes, it was civil -- on deadly.org a while ago. Pointing out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.

    Neither really mattered because people who wanted to cause trouble would simply be slitting the fabric (the apps) or cutting the ropes. Thus, a lot of the nit picky little stuff that OpenBSD fanboys focus on vs Linux doesn't really matter. The issue isn't Linux or OpenBSD or Windows, it is now mostly .ASP, .PHP and other homebrew web code where people didn't sanitize input, do bounds checking, etc.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:OpenBSD vs Linux by ToasterMonkey · · Score: 2, Insightful

      when PHP gets popped (is there really any other culprit these days?), the OS is still untouched

      So what?

      Today, the PHP service that got popped was running on the... PHP server. Is the OS important when someone snarfs up your web app and all data it had access to?
      Are you keeping unnecessary sensitive data on your PHP server? I hope not, but sure.. MAYBE it would be protected if your OS was secure.

      In your analogy, it's like the tent poles of the "windows" tent are made of cardboard tubes... they might hold up due to the imbalance of newly torn cloth, or they might not.

      You're completely missing the point. If someone tears through your tent, its game over, circus down. Nobody gives a damn about tearing your poles down, they have better ones at home.

    2. Re:OpenBSD vs Linux by javaman235 · · Score: 2, Interesting

      That's a really great post. It reminds me that any OS which grants their users freedom for their apps to do what they like also grants the freedom for some app running on them to do bad things, whether it affects the OS or not. It will always be like that.

      The only solutions I can think of are to 1) create programming languages that result in really secure code through lots of input restraints etc. 2) create a lot of transparency to see what's going on. And even those don't do enough: A language with too much checking will be slow (Java has a much better security name in this department than C for instance) and while seeing if my machine is sending mystery emails out to my friends would be good, what kind of transparency lets me "see" a buffer overflow caused by a Flash movie writing arbitrary code???

      --
      -The art of programming is the pursuit of absolute simplicity.
    3. Re:OpenBSD vs Linux by Penguinisto · · Score: 2, Informative

      Is the OS important when someone snarfs up your web app and all data it had access to?

      Depends on how long you want to spend in doing recovery. If I have incremental copies (in addition to normal backup/DR actions) and a live copy of the DB transaction logs sitting on the local box outside of the chroot jail (and thus remain untouchable)? It is a lot easier and faster to disable the offending script (or apply the needed patch), copy over the last known good data, and be up and running - with a very short downtime.

      If the OS is untrusted, you get to rebuild the entire - which means you get to reach for disk backup or VM clone (if you're lucky) or tapes (if you're not), or you're basically screwed (if you're stupid).

      Corner cases naturally will change all of this, but that's the basic premise.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:OpenBSD vs Linux by jafiwam · · Score: 2, Interesting

      The security model of PHP in Windows is still pretty bad.

      The default install of PHP can let a user put files in a web site that can compromise or infect the operating system.

      Plus, a lot of third party add-ons for PHP want you to add "read/execute" to CMD.exe and put it in the PATH to the PHP services to piggy back their apps into working. Which is, well, stupid.

      Maybe on Linux PHP is no harm to the OS, but on MS boxes that is not a safe assumption to make.

    5. Re:OpenBSD vs Linux by greenbird · · Score: 2, Informative

      Today, the PHP service that got popped was running on the... PHP server. Is the OS important when someone snarfs up your web app and all data it had access to?

      Yes, it's very important. To extend your analogy a little, with Microsoft all the goodies are sitting on open tables inside the big tent so a tear in the big tent generally allows complete access to all the goodies. With Linux there are locked covered cubicles inside the tent that you can keep the goodies in. If the goodies are kept in the cubicles, as they should be, it's much harder to get at them even after you tear through the outside tent. With OpenBSD there are steel cubicles for the goodies.

      --
      Who is John Galt?
    6. Re:OpenBSD vs Linux by bloodhawk · · Score: 2, Interesting

      As a hacker I am going to walk into your PHP cubicle, snarf up all your customer data to sell for identity fraud. But don't worry, you can tell all your customers your OS was safe and the hacker was not able to break out of the sandbox to get access to your other apps. I am sure they will feel so much better about having their details sold on the black market hearing that wonderful news.

  5. Can only apply the patches you get by petes_PoV · · Score: 2, Interesting

    SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat

    They make it sound as if it's the fault of the client companies. In fact they probably apply all the security patches they get from their suppliers. If most of them come from the O/S vendors and relatively few come from the application vendors - you can hardly blame their clients.

    Maybe SANS should, instead, be asking why application vendors are so tardy about providing fixes for the vulnerabilities that SANS seem to think are the most exploited? Of course, the answer would be that the baddies focus their efforts on the weakest link, which is why more attacks target the (weak) applications than the better supported operating systems.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:Can only apply the patches you get by compro01 · · Score: 3, Interesting

      I don't think the problem is lack of application patches being provided, but the lack of them being delivered well.

      The problem as I see it is there is no good method of application patch delivery on Windows (and Mac for that matter). On Linux and BSD, you have package managers built into the distro that handle everything from the repositories (either the distro repositories or the application's repositories). On Windows, there is no such thing (yes, there are package managers available, but they are not included stock and aren't widely used) and every application has to handle things itself, either by checking on startup or adding yet another background process taking up resources, both of which are decidedly non-optimal solutions.

      In the former, with infrequently used apps (Stuff like Adobe Reader comes to mind), you're going to have infrequent (and thus large) updates, which would result in something like "What? A 15MB update? I don't have time for that, I need to read this PDF." with the obvious consequences or the file being opened before the update option is presented, with the same result.

      --
      upon the advice of my lawyer, i have no sig at this time
  6. The problem is in job responsibility by suso · · Score: 4, Insightful

    As a long time sysadmin and also as a programmer, I know that sysadmins generally try to draw their line of responsibilities or at least what they will take care of just below the "user installed software" level. I do have general knowledge of some of these applications and know which ones have vulnerabilities, but I usually ask that the programmer or user of the software maintain it. Although they seldom do and then ask for help when something gets hacked.

    Perhaps the responsibility for these apps should be in the hands of the sysadmin as well, but the number of apps you have to maintain as you go up to that level increases exponentially. Plus, since they are usually not part of the OS, your OS company is not going to provide you with an easy way to maintain them, so you either need an application administrator or you need to train the programmer/user. Companies probably don't see the point.

    1. Re:The problem is in job responsibility by PlusFiveTroll · · Score: 5, Informative

      For commonly used applications that make the CSV lists I find the Personal Software Inspector an excellent tool.

      http://secunia.com/vulnerability_scanning/personal/

      Amazing how many userland applications out there have some kind of exploit against them : /

    2. Re:The problem is in job responsibility by spinkham · · Score: 2, Informative

      Cassandra is probably the best resource for that, you can build a profile of the software you use, and it will alert you when a vulnerability is fixed in that software.

      Secunia of course offers commercial tools, but I've never used them, so not sure how useful they are.
      http://secunia.com/advisories/business_solutions/

      Also, vulnerability management/discovery software like NeXpose or Nessus also can find many similar problems, especially if you give them access credentials.

      --
      Blessed are the pessimists, for they have made backups.
    3. Re:The problem is in job responsibility by dkf · · Score: 2, Interesting

      Plus, you eventually end up with a system where all applications have to be approved by the BOFH. Then, when a developer/techie who knows what he's doing needs to use a new tool to solve a problem it ends up in a 6-month queue for "approval".

      What actually happens is that the user complains to Heap Big Boss (board-level or equivalent) and they instruct the poor BOFH to approve their pet project immediately or find another job. It's a really bad idea to be the person who says "no" to another person doing their job, especially if they have the ear of higher up (and most users will only deliberately use a new app if it is something dictated from on high; the rest of the time they'll cling to old stuff far more than a BOFH would).

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  7. Insecurity Experts by sexconker · · Score: 2, Insightful

    Always telling you what you're doing wrong, never telling you how to do it right.

    How do you serve up the content and services end-users expect without the security risks?
    Simple answer: You can't.

    Unless you're writing your own operating system and rolling your own PDF viewers and office suite and publishing your own flash-like plug-in that no one will ever want to install, you'll end up running around like a chicken with its head cut off every once in a while because of fucking adobe, fucking bill, fucking Linus 20 years ago, fucking java, etc.

    You can extend this to hardware too if you want.
    You never really know what that network card is doing, do you?

    But at the end of the day, we have to get shit done. "Safety first" in construction is a farce. Getting the job done is first. Getting the job done right and on time is second. Safety's third. Maybe.
    The same goes for security in the computer world. We cover the biggest holes and keep our ears open. But our primary goal is making shit available to the end-user.

    I'm going to get shit from nerds claiming that I HAVE to be 100% secure. Fuck them. I HAVE to get the job done. My being 98% secure isn't very far from their being 99.99% secure.

    Patching all the usual suspects (Adobe, Java, Office, the OS) certainly falls in the "should be done regularly and diligently" category. But as stated above, I understand why it doesn't always happen, (and it's not just due to incompetence).
    A report saying what people are doing wrong isn't helpful. A report saying "these fuckers are always problematic - here's a practical solution" would be much more useful.

    1. Re:Insecurity Experts by Bert64 · · Score: 3, Insightful

      The problem is that while there are solutions, they often won't be considered for various reasons...

      There are expensive patch management systems for windows, but they are often extremely expensive and typically complex to manage.

      There is the option of moving to linux, where on any modern distro it's easy to keep all your applications up to date with patches, but people are either locked in to windows applications, afraid to try something new or simply have no knowledge of linux.

      I would say that the benefits are a lot more than the 1.9% you mention, and if done correctly actually requires *less* work... I keep a small network of linux boxes fully up to date and spend very little time doing so, while other people managing a similar sized windows network tend to lag behind badly (especially on third party apps). I have the package manager update its package list daily, and alert me if there are any needed updates.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
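What Bert64 describes above (a daily package-list refresh with an alert on anything still unpatched) and spinkham's profile-based advisory matching earlier in the thread come down to one check: compare what is installed against what has a published fix, and measure how long each gap has been open. The Python below is an added example written for this page, not code from any poster or from the SANS report; the advisory feed, inventory, package names, versions and dates are constructed sample data, not real advisories, and the OS-versus-app split is the same one the story summary uses.

```python
"""Patch-lag check: compare an installed-software inventory with an advisory
feed and report every host still running a version below the fixed one,
plus how many days that fix has been available.

Added example for this thread.  All package names, versions and dates are
constructed sample data, not real advisories."""
import re
from datetime import date
from statistics import mean

# Constructed advisory feed: (package, first fixed version, publication date).
ADVISORIES = [
    ("kernel",      "2.6.31-20", date(2009, 8, 20)),
    ("flashplugin", "10.0.32",   date(2009, 7, 30)),
    ("adobereader", "9.1.3",     date(2009, 7, 31)),
    ("openoffice",  "3.1.1",     date(2009, 9, 1)),
]

# Constructed inventory: (host, package, installed version, "os" or "app").
INVENTORY = [
    ("ws01", "kernel",      "2.6.31-20", "os"),
    ("ws01", "flashplugin", "10.0.22",   "app"),
    ("ws01", "adobereader", "9.1.3",     "app"),
    ("ws02", "kernel",      "2.6.31-19", "os"),
    ("ws02", "flashplugin", "10.0.32",   "app"),
    ("ws02", "openoffice",  "3.0.1",     "app"),
]

# Constructed "today" for the report, so the day counts are reproducible.
REPORT_DATE = date(2009, 9, 15)


def version_key(version):
    """Turn '2.6.31-20' into a tuple that sorts the way humans expect:
    digit runs compare as integers, letter runs as strings.  Each chunk is
    tagged (0, int) or (1, str) so ints are never compared with strs.
    Good enough for dotted vendor versions; it is not a full dpkg/rpm
    version-comparison algorithm."""
    return tuple((0, int(c)) if c.isdigit() else (1, c)
                 for c in re.findall(r"\d+|[A-Za-z]+", version))


def is_vulnerable(installed, fixed):
    """True when the installed version is strictly below the fixed one."""
    return version_key(installed) < version_key(fixed)


def find_exposed(inventory, advisories, today):
    """Return one record per (host, package) that is still below a published
    fix, with the number of days that fix has been waiting to be applied."""
    latest_fix = {}
    for pkg, fixed, published in advisories:
        # Keep the newest fixed version per package; older advisories are superseded.
        if pkg not in latest_fix or version_key(fixed) > version_key(latest_fix[pkg][0]):
            latest_fix[pkg] = (fixed, published)
    exposed = []
    for host, pkg, installed, category in inventory:
        if pkg not in latest_fix:
            continue  # nothing published for this package
        fixed, published = latest_fix[pkg]
        if is_vulnerable(installed, fixed):
            exposed.append({
                "host": host, "package": pkg, "category": category,
                "installed": installed, "fixed": fixed,
                "days_exposed": (today - published).days,
            })
    return exposed


def mean_lag_by_category(exposed):
    """Average days-exposed for OS packages versus third-party apps: the kind
    of number behind the summary's 'twice as long to patch applications'."""
    by_cat = {}
    for rec in exposed:
        by_cat.setdefault(rec["category"], []).append(rec["days_exposed"])
    return {cat: mean(days) for cat, days in by_cat.items()}


if __name__ == "__main__":
    exposed = find_exposed(INVENTORY, ADVISORIES, REPORT_DATE)
    for rec in sorted(exposed, key=lambda r: -r["days_exposed"]):
        print("{host}: {package} {installed} < {fixed}, fix out {days_exposed} days".format(**rec))
    print("mean lag by category:", mean_lag_by_category(exposed))
```

Run daily from cron with a real inventory (dpkg -l, rpm -qa, or a Windows software list) and a real feed in place of the constructed lists, and page on any record whose days_exposed crosses your SLA; the per-category mean is what tells you whether third-party apps are lagging the OS the way the report says.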
  8. IE6 by godztempus · · Score: 4, Funny

    Seriously big corporate needs to get off their asses and upgrade their internal web apps to run on IE7 or IE8 at least.

  9. duh? by Lord+Ender · · Score: 2, Insightful

    Patching Windows is the main focus because it is the best bang for the buck. There are many tools to automate this process (Active Directory, Group Policy, SUS). There are no tools to automatically discover XSRF, XSS, and Injection attacks in your custom web apps, then write patches for them, then deploy and manage those patches. That's orders of magnitude more expensive.

    When you have limited resources, you will just go for the lowest-hanging fruit. Obviously.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
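chill's point earlier in the thread about homebrew web code that never sanitized input, and Lord+Ender's point that nothing automatically finds injection and XSS bugs in custom apps, both come down to the same construction: request data spliced into a query or a page as text. The Python below is an added example written for this page, not code from any poster; it uses sqlite3 so it runs offline, and the users table, the usernames and the injected strings are constructed test data.

```python
"""Injection in 'homebrew' web code: the vulnerable lookup beside the
parameterized one, plus the output-escaping step that closes the matching
XSS hole.  Added example for this thread; the table and inputs are
constructed test data and the attack strings are standard textbook payloads."""
import html
import re
import sqlite3

# Constructed schema and rows standing in for a real application's user table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL);
INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('carol', 'user');
"""

# Allow-list for usernames; defense in depth, not the primary control.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def make_db():
    """Fresh in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, name):
    """The bug: the request parameter is pasted into the SQL text, so a
    quote in the input ends the literal and the remainder is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter is always a value, never SQL grammar.
    The allow-list check in front of it rejects junk early but is not what
    makes this safe; the placeholder is."""
    if not USERNAME_RE.match(name):
        return []
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_row(name, role):
    """Output side: escape before interpolating into HTML, otherwise a stored
    name such as '<script>...' is reflected straight into every visitor's page."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(name), html.escape(role))


if __name__ == "__main__":
    db = make_db()
    # Tautology: turns "WHERE name = 'nobody'" into a condition that is always true.
    tautology = "nobody' OR '1'='1"
    # UNION: bolts a second SELECT onto the query and reads the schema out of sqlite_master.
    schema_dump = "nobody' UNION SELECT name, sql FROM sqlite_master --"
    print("vulnerable, tautology:", lookup_vulnerable(db, tautology))
    print("vulnerable, schema   :", lookup_vulnerable(db, schema_dump))
    print("safe, tautology      :", lookup_safe(db, tautology))
    print("safe, real user      :", lookup_safe(db, "alice"))
    print(render_row("<script>alert(1)</script>", "user"))
```

The two attack strings are the first things a scanner or a bored attacker tries; the vulnerable function returns every row for the first and the table definition for the second, while the parameterized function returns nothing for either and exactly one row for a genuine username. The same pattern (bound parameters on the way in, escaping on the way out) is what the "sanitize input" advice in the thread actually means in practice.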
  10. Re:Too confusing by slinches · · Score: 2, Interesting

    This would have been so much easier to understand with a proper /. car analogy.

    Here you go:

    It's like locking your car doors and keeping up with the manufacturer recall notices, but ignoring that the remote start system you had installed uses an unencrypted signal.

    --
    Knowledge Brings Fear
  11. Re:Permits and Inspectors by Bert64 · · Score: 2, Insightful

    A lot of the "professionals" are fairly incompetent, and you can bet that big vendors (especially ms) would corrupt the process to ensure that you can only be licensed if you only install their products.

    I've found through the years, that enthusiasts who taught themselves, learned through experience and had a genuine interest in computing tend to be very good at what they do, whereas people who attended training courses and got certifications generally were only interested in the money they could earn from a career in computing, and are often stumped by something that wasn't covered on their course.

    The latter kind of people are also extremely averse to learning anything new, and will want to remain in the bubble they were originally taught while the former will actively seek out new technologies to experiment with and learn about.

    I have found that the course-taught people will typically believe what vendors tell them and never question it, if a vendor tells them a product is good/secure they will assume it is, and won't do proper research on how to harden it or what else might be a better option.
    And they won't seek out anything that isn't advertised to them, this is why there is such a huge problem with unpatched third party apps as the article states, these people don't even realise there is a problem because there aren't any vendors heavily marketing a "solution" for it.

    Having requirements like you specify is likely to do more harm than good.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!