Slashdot Mirror


SANS Report Says Organizations Focusing On the Wrong Security Threats

yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications as they take to patch their operating systems."

6 of 98 comments

  1. From the "No Duh" department... by spinkham, Score: 4, Funny

    Wait, let me get this straight... Attackers are going after the things that aren't getting fixed as quickly? Who would have guessed!

    --
    Blessed are the pessimists, for they have made backups.
  2. OpenBSD vs Linux by chill, Score: 5, Insightful

    I had this discussion -- and yes, it was civil -- on deadly.org a while ago. I pointed out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.

    Neither really mattered because people who wanted to cause trouble would simply be slitting the fabric (the apps) or cutting the ropes. Thus, a lot of the nitpicky little stuff that OpenBSD fanboys focus on vs Linux doesn't really matter. The issue isn't Linux or OpenBSD or Windows; it is now mostly .ASP, .PHP and other homebrew web code where people didn't sanitize input, do bounds checking, etc.

    --
    Learning HOW to think is more important than learning WHAT to think.
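    The "didn't sanitize input" failure the comment above describes, as an added example that is not part of the thread: a lookup handler that pastes a request parameter into its query text, next to the parameterized version and an allowlist check on the parameter. It uses an in-memory SQLite database with a constructed users table; the web framework is stood in for by plain functions that receive the parameter as a string, and the payload is the classic `' OR '1'='1` tautology.

```python
"""Added example, not code from the Slashdot thread: string-built SQL versus a
parameterized query, plus a length/character check on the input.  The users
table and its rows are constructed for the demo."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.org"),
            ("bob", "bob@example.org"),
            ("carol", "carol@example.org"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The homebrew pattern: the request parameter becomes part of the SQL text,
    so quote characters in it change the query's structure."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the value travels separately from the statement, so it can only
    ever be compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Bounds and character check done before the query even runs (defense in depth):
# at most 32 chars, lowercase letters, digits and underscore only.  The limits
# are an assumption for this demo, not a standard.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> bool:
    return bool(USERNAME_RE.match(username))


PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the same lookups with a benign name and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_user_vulnerable(conn, "alice"),
        # Query text becomes: ... WHERE username = '' OR '1'='1'  -> every row
        "vulnerable_injected": lookup_user_vulnerable(conn, PAYLOAD),
        # The literal string "' OR '1'='1" matches no username -> no rows
        "safe_injected": lookup_user_parameterized(conn, PAYLOAD),
        "payload_passes_validation": validate_username(PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The parameterized query is the control that actually removes the injection; the allowlist regex is the cheap bounds check the comment mentions, and it rejects the payload before any database work happens. Validation alone is not a substitute for parameterization, since a field that legitimately allows quotes (a display name, a free-text comment) cannot be allowlisted this tightly.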
  3. The problem is in job responsibility by suso, Score: 4, Insightful

    As a long-time sysadmin and also as a programmer, I know that sysadmins generally try to draw their line of responsibilities, or at least what they will take care of, just below the "user installed software" level. I do have general knowledge of some of these applications and know which ones have vulnerabilities, but I usually ask that the programmer or user of the software maintain it, although they seldom do, and then they ask for help when something gets hacked.

    Perhaps the responsibility for these apps should be in the hands of the sysadmin as well, but the number of apps you have to maintain as you go up to that level increases exponentially. Plus, since they are usually not part of the OS, your OS company is not going to provide you with an easy way to maintain them, so you either need an application administrator or you need to train the programmer/user. Companies probably don't see the point.

    1. Re:The problem is in job responsibility by PlusFiveTroll, Score: 5, Informative

      For commonly used applications that make the CSV lists I find the Personal Software Inspector an excellent tool.

      http://secunia.com/vulnerability_scanning/personal/

      Amazing how many userland applications out there have some kind of exploit against them : /

  4. IE6 by godztempus, Score: 4, Funny

    Seriously, big corporate needs to get off their asses and upgrade their internal web apps to run on IE7 or IE8 at least.

  5. Re:We are just lucky I guess by 2names, Score: 4, Funny

    No, no, nooooo. I just appreciate him for his - uh - skills in the patch managem...dammit. If any of you douchers says "bromance" I'm kicking your ass. Now I'm off to the Monster Truck rally.

    --
    "I'm just here to regulate funkiness."