The SANS Institute has released a new Cyber Security Risk Report outlining its analysis of the current threat landscape on the Internet. The report, The Top Cyber Security Risks, is available online, and is compiled from actual threat data drawn from a variety of sources:
Featuring attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis and tutorial by the Internet Storm Center and key SANS faculty members.
As usual, the report contains a mixture of good and not-so-good news. The good news is that the basic computing platform (PC plus operating system) is being attacked less often, and the attacks that do occur are generally less successful. (There is one specific type of OS attack that is still very common: exploitation of buffer overflow vulnerabilities in versions of Microsoft Windows.) In part, this is probably due to the increased use and effectiveness of automatic notification and update systems.
A relatively minor piece of bad news is that, reflecting a trend toward more professional criminality, the bad guys are getting better at discovering zero-day vulnerabilities:
World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times.
This is troublesome because there is a shortage, world-wide, of trained security analysts, a particular problem in an area where the defenders are always playing “catch up” anyway.
The real take-away message, though, concerns the major bad news. There are two broad types of attacks that are becoming both more numerous and more successful:
- APPLICATION LEVEL ATTACKS These exploit unpatched vulnerabilities in application software on Internet-connected computers. The attacks target software that, while not strictly speaking part of the platform, is widely installed on users’ machines, including software like Microsoft Office, Adobe’s PDF Reader or Flash player, Apple’s QuickTime, and so on. The attacks are often specifically targeted at a particular organization or even a particular user (so-called “spear phishing”), in order to steal identification credentials, perpetrate frauds, or commit identity theft. Many of these can be transmitted via “drive-by downloads”, where the user need only visit a compromised or malicious Web site to be infected.
- WEB SITE ATTACKS In conjunction with the application level attacks, there is an enormous number of attacks against Web sites, particularly Web application sites. By compromising an otherwise trusted server, the attacker gains a potent distribution mechanism for malware, such as the drive-by downloads described above. Despite the fact that many of these attacks use well-known attack vectors, such as Cross-Site Scripting and SQL Injection, too many site owners are careless about security.
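To make the two “well-known attack vectors” concrete, here is an added example (mine, not code from the SANS report or from any product it covers) showing a SQL Injection login check and a Cross-Site Scripting comment renderer in their careless form beside their fixed form. The table, the user rows and the attack inputs are constructed for illustration; the point is that the fix for both is the same discipline the report asks for: never let untrusted input be interpreted as code, whether that code is SQL or HTML.

```python
import html
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed data
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """SQL Injection: user input is pasted into the query text, so quote
    characters in the input change the meaning of the statement."""
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Fixed form: a parameterized query. The driver sends the values
    separately from the statement, so they are only ever data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(query, (name, password)).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(comment):
    """Cross-Site Scripting: untrusted text is placed into HTML verbatim,
    so a comment containing markup is executed by every visitor's browser."""
    return "<p>%s</p>" % comment


def render_comment_safe(comment):
    """Fixed form: escape the five HTML metacharacters so the comment is
    displayed as text rather than interpreted as markup."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload: the WHERE clause becomes
    # name = 'alice' AND password = '' OR '1'='1', which is always true.
    payload = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, "alice", payload))
    print("safe login:      ", login_safe(db, "alice", payload))

    script = "<script>alert(document.cookie)</script>"
    print("vulnerable render:", render_comment_vulnerable(script))
    print("safe render:      ", render_comment_safe(script))
```

Running the block shows the vulnerable login returning a user name without a valid password while the parameterized version returns nothing, and the vulnerable renderer emitting a live script tag while the escaped version emits inert text. Checking a site for both patterns is a matter of grepping for string-built queries and unescaped template output, which is exactly the kind of diligence the report asks of site owners.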
The top country both for attack sources and targets continues to be the United States. (Thank goodness! At least we’re still good at something.) All kidding aside, the report’s recommendations are:
- More focus is needed by vendors and users on addressing application vulnerabilities in a timely way. At present, application patching takes about twice as long, on average, as OS patching. In other words, the most important risk takes the longest to patch.
- Web site owners and administrators need to exercise greater diligence in checking their software for known vulnerabilities, and in patching them promptly.
All in all, the report is practically focused, based on real incident data, and very much worth reading. It also has some tutorial sections that explain in more detail how some of the attacks work.
This SANS/TippingPoint/Qualys study is a noble effort, possibly very good data, but a very disappointing report.
My critique: “Making Sense of the SANS Top Cyber Security Risks Report”
Let’s learn from this and do better next time.