Tuesday, September 15, 2009

SANS Releases Top Cyber Security Risks

SANS has released their annual overview of top cyber security risks, and there are few surprises to be had by those who follow the topic on a regular basis.

Two significant areas of opportunity are called out - client-side applications (think Adobe, QuickTime, Flash, etc.), and Internet-facing web sites. Both suffer from the same root problem - poor coding practices and beleaguered IT admins who struggle to keep up on the continuous vulnerability patching treadmill.

SANS opines that there are fewer OS-targeted exploits floating around, which probably has more to do with the low-hanging fruit of client apps than it does any significant hardening of operating systems. Vista was marginally better than its predecessors, but since Vista never really took off in the enterprise, there's still a lot of XP deployed in the corporate world, and after a half-decade of vulnerabilities and flaws, XP has been patched so often that it looks like a pair of my Sears Toughskin jeans from 1973. And yet, each month, Microsoft releases a couple of new advisories with fixes that include XP as an impacted OS.

Attackers have decided that it's much easier to crawl in through an open window caused by a faulty, unpatched application than it is to brute force their way in through the front door of the OS. Once inside, the bad guys are still able to compromise a system, harvest credentials, steal personal information, and otherwise take full control of the machine without needing to assault the OS directly.

People are very trusting of video and Flash content, PDF files, Word docs, and other files associated with some of the weaker, flawed apps, and they will click on these file types all day long if they show up in email, instant messenger, or on a compromised web site. In many cases, the content will autorun, because users have allowed their system configurations to be set for convenience, not security.

Web apps continue to be plundered via a combination of SQL injection and cross-site scripting attacks typically associated with poor coding practices and insufficient vulnerability assessment and remediation processes. Combined with happy-go-lucky users who will click on any URL that comes within their reach, you have a perfect storm of ignorance and negligence that results in malware propagation and infected systems.

What's the answer? Aside from unplugging from the Internet and leading a Puritanic technology existence, the solution is better application development practices, enhanced and timely vulnerability assessment and remediation processes, and using system lockdowns and controls to protect users from themselves.

Not using Microsoft products can also be helpful, but that's my bias - even though my background is as a Microsoft engineer and certified trainer. Redmond is undoubtedly relieved that Apple, Adobe, and others are finally in the crosshairs as often as Microsoft has been. Misery loves company.

1 comment:

  1. A noble effort, possibly very good data, but a very disappointing report.

    My critique: Making Sense of the SANS Top Cyber Security Risks Report

    http://newschoolsecurity.com/2009/09/making-sense-of-the-sans-top-cyber-security-risks-report/

    Let’s learn from this and do better.

    -- Russell Thomas
