Organizations are finding it difficult to prioritize defense strategies
against cyberattacks because most of them do not have an Internet-wide
view of the attacks, according to a report from SANS Institute, the
security training organization.
As a result, two security risks--Web applications and
phishing--carry the greatest potential for damage, even though users
instead tend to concentrate on less-critical risks.
The report, published by security training organization SANS Institute, amalgamates global data from security attacks on computers from March to August.
It identifies two main defense priorities for enterprise users. The
first is targeted e-mail attacks, or spear phishing, that exploit
client-side vulnerabilities in programs such as Adobe Systems' PDF
Reader and Flash, Apple's QuickTime, and Microsoft's Office. These
applications are described as the "primary initial infection vector
used to compromise computers that have Internet access" and are the
result of attackers taking advantage of "programming errors that are
not being picked up by common vulnerability scanners."
The second priority is vulnerable sites. More than 60 percent
of attacks are against Web applications and "convert trusted Web sites
into malicious Web sites serving content that contains client-side
exploits" by exploiting the most common vulnerabilities such as SQL
injection and cross-site scripting flaws, in both open-source and
custom-built applications. Such vulnerabilities make up more than 80
percent of attack opportunities.
A further finding is that applications are now more vulnerable
and see more exploitation attacks than operating systems. There were no
new major operating system worms seen in the wild during the reporting
Additionally, the report found there has been a "significant
increase" over the past three years in the number of people discovering
zero-day vulnerabilities: flaws that become known to attackers before
they are discovered by security researchers, opening the chance of an
attack against which no preparation has been made.
"This report is different from anything we have done before," a
SANS spokesman said, "because it reflects massive amounts of data on
the actual attacks (millions of them) and on the speed with which the
underlying vulnerabilities are being patched (actual data from
thousands of companies)."
The report sources includes attack data from 6,000
organizations, compiled by security hardware vendor TippingPoint,
vulnerability data from 9 million computers compiled by security
software vendor Qualys, and additional analysis and tutorial by the Internet Storm Center and SANS faculty members.