Massive Study of Net Vulnerabilities: They're Not Where You Think They Are

Posted by: Stephen Wildstrom on September 14, 2009

There are lots of opinions about where the greatest vulnerabilities in computers and networks lie—just read the comments to any security-related post on this blog for an earful. Hard data, however, has generally been lacking. A new study assembled by the SANS Institute, and based on reports from 15,000 organizations surveyed by risk assessment companies TippingPoint and Qualys, ought to cure that.

The results, while not terribly surprising to anyone who has been following the vulnerability scene for the past couple of years, do suggest that many IT professionals should re-examine and probably change their priorities. The analysts found that the biggest risk facing most systems is unpatched vulnerabilities in applications and that applications, not operating systems, have become the primary target of attack.

The problem is that even organizations that are vigilant about patching OS vulnerabilities are often lax about applications, and that flaws in applications go unpatched for much longer than OS holes. “On average,” the report concludes, “major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk.”

The second priority, according to the report, is a familiar one: Dealing with vulnerabilities in applications running on Web servers. The survey found that Web server-side applications are the target of more than 60% of all Internet attacks and that “Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most Web site owners fail to scan effectively for the common flaw.”
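The two Web application flaws the report singles out, SQL injection and cross-site scripting, both come down to untrusted input being concatenated into a language the server or browser interprets. The following is an added example, not code from the article or from the SANS report; it uses Python's built-in sqlite3 module and a constructed two-row user table to put the vulnerable form of each flaw next to its hardened form, so the difference can be checked rather than argued about.

```python
import html
import sqlite3


def build_demo_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: user input is pasted into the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (name = 'alice' AND password = '') OR '1'='1', which is true for every row.
    """
    query = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, name, password):
    """Hardened form: placeholders keep input as data, never as SQL syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name, password))]


def render_comment_vulnerable(comment):
    """Cross-site scripting: user text is written straight into the HTML."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_escaped(comment):
    """Hardened form: escape markup characters before they reach the page."""
    return f"<p class='comment'>{html.escape(comment)}</p>"


def demo():
    """Run both flaws against the constructed data and return the outcomes."""
    conn = build_demo_db()
    injection = "' OR '1'='1"   # constructed sample input
    markup = "<script>alert(1)</script>"  # constructed sample input
    return {
        "sqli_vulnerable": login_vulnerable(conn, "alice", injection),
        "sqli_parameterized": login_parameterized(conn, "alice", injection),
        "xss_vulnerable": render_comment_vulnerable(markup),
        "xss_escaped": render_comment_escaped(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable login returns both users for a password that should match none; the parameterized version returns an empty list for the same input and still authenticates a correct password. The escaped renderer emits `&lt;script&gt;` rather than a live tag. The same two patterns, query parameters and context-appropriate output encoding, are what the scanners the report says site owners fail to run are looking for.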

The combination of these two modes of attack is particularly deadly. Server vulnerabilities let attackers compromise Web sites, and these hostile Web pages are then used to exploit application flaws that compromise desktops and laptops. In most cases, the ultimate goal of the attacks is to steal valuable information, not just credit card numbers and other personal data but corporate and government information.

The applications most targeted by attackers are a mixed bag, though they certainly should move us beyond the endless arguments over the relative security of Windows, Macs, and Linux. Two companies that supply software for all three platforms were high on the target list. Adobe has had a variety of problems with holes in its Flash Player and Acrobat Reader software, while Sun Microsystems’ Java has also been open to attack. Of course, Microsoft has a long list of application vulnerabilities, while Apple has had issues with QuickTime.


Reader Comments

tom h.

September 15, 2009 04:32 AM

A couple of errors to fix, Steve, before the grammar Nazis attack (not to disparage Nazis). First the "new study" URL needs fixing: you've got the SANS URL appended to the URL of this blog entry. Second, the word "seal" should be "steal" in the second sentence of the fifth paragraph.

T

September 15, 2009 08:27 AM

An article with a big name, but little substance. "Patching" doesn't apply to homegrown web apps; they have to be redeployed with proper changes.

PB

September 15, 2009 12:46 PM

@T: the article doesn't say the web apps should be patched - it says the vulnerabilities should be dealt with.

Stich

September 15, 2009 11:57 PM

Where is the PDF of the original source report? Not the summary.

Eric

September 17, 2009 04:06 PM

What Stephen doesn't mention here is how important these statistics become in the 'age of cloud computing'.

Combine with the cost of redeveloping webapps to close the problems and then factor in scalability. I did post some thoughts a while ago that address this: http://tinyurl.com/mv3y3v

These are big issues for the industry here.

Russell

September 21, 2009 09:12 PM

A noble effort, possibly very good data, but a very disappointing report.

My critique: "Making Sense of the SANS Top Cyber Security Risks Report"

http://newschoolsecurity.com/2009/09/making-sense-of-the-sans-top-cyber-security-risks-report/

Let’s learn from this and do better.

-- Russell Thomas
