This is the key takeaway - and to some extent the surprise - of the new Top Cybersecurity Risks report released on Sept. 15 by TippingPoint, Qualys, the Internet Storm Center and SANS Institute.
In an exclusive interview about the report, Alan Paller, Director of Research at SANS, discusses:
Paller founded SANS in 1989 to provide graduate-level education to cybersecurity professionals. In the intervening years, more than 80,000 people have learned their technical security skills - from forensics to penetration testing to intrusion detection - in SANS courses.
Today he focuses on identifying the tipping points that can turn the tide against the growing wave of cyber crime and cyber espionage. He has testified several times before the US House and Senate, and the President named him to the National Infrastructure Assurance Council. His degrees are from Cornell and MIT.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about the top cyber risks, and we are talking with Alan Paller, Director of Research with the SANS Institute. Alan, thanks so much for joining me.
ALAN PALLER: Happy to be here.
FIELD: Given today's report, what is the key message to organizations about the top cyber risks?
PALLER: The key message is that the attackers have concentrated their weapons and their activities on a couple of vulnerability sets that the user organizations are not fixing, meaning the users are focusing their attention in a different direction, the attackers have found that and they are exploiting it at enormous rates and having unreasonable success because the user organizations haven't fixed these problems.
FIELD: So, Alan, in evaluating this research, which I know you have done, what are the major takeaways for SANS?
PALLER: Well, the major takeaways for everybody are that there are vulnerabilities in the applications we use just as there are vulnerabilities in the operating systems we use. But the vulnerabilities in the applications are not getting patched quickly, and the bad guys have figured that out. So they do attacks that don't attack the operating systems, like Windows and Unix, and instead they attack Microsoft Office and Adobe products and QuickTime and the kinds of applications we have on our computers, and they are having enormous success.
And the second takeaway is that a lot of organizations have their websites scanned for vulnerabilities, but they are not scanning them for the vulnerabilities that the attackers are exploiting. They are exploiting vulnerabilities in the programs, again, the applications, the programs on the websites rather than the websites themselves. So they are using what are called SQL injection and cross-site scripting attacks, which work because the owners of the websites think when they run a scan of their website that they are actually fixing all of the key vulnerabilities, or finding all of the key vulnerabilities, and they are not.
FIELD: So the reality is the fraudsters have found literally where we live, and they are exploiting it?
PALLER: Exactly. And for some reason, even though the news has really done a pretty good job of talking about these risks -- these aren't new ideas -- they haven't ever had any data that proved that these risks are actually greater than the old risks. And what this report does, for the very first time, is it brings together actual vulnerability data, meaning measures, from 9,000 organizations, of what they are patching and what they are not patching, and data from 6,000 organizations of what the attacks are against them. When you combine those you say, "Oh, shoot."
FIELD: So, Alan, based on what you have learned from this report, what trends will you be tracking at SANS Institute in the coming months?
PALLER: We will be watching more of the patching rates to see how quickly this stuff gets fixed. And then over the next year we hope we will actually see a decline in the number of attacks because they are no longer so fruitful, but we don't expect to see any decline; we actually expect to watch significant increases in these attacks because as long as people are not patching them, what is the point in going after hard-to-break-into things?
FIELD: It makes so much sense, too, because these are all applications that people are comfortable with.
PALLER: And they actually think -- actually, the big surprise for me was one that might also surprise other people who are sort of users outside of the corporate mainstream. We are a small company of a couple hundred people actually, and so we don't have a big corporate group that automatically patches all our things, so we patch our own things.
So we noticed that Microsoft patches not only the operating system, but it also patches Excel and Word, and so we just assumed that was the way it is. But it turns out, large organizations turned off automatic patching. They say, "Well, we want to take care of this ourselves, and we don't want Microsoft making our users' systems break." And that is a great idea, except they took care of the operating system side of it, but they forgot to take care of the application side of it. So it is actually companies thinking that they are smarter than the vendors causing themselves these problems.
FIELD: So we are reaching a number of financial institutions and government organizations today, and I have got to think that this is a wake-up call for a lot of them. So I have got to ask on their behalf, in the wake of this report, what are the actions that organizations really have to now take?
PALLER: You have to find a way to automate the patching of the applications, and not just Microsoft applications. So all of the third party applications -- not to be an advertiser for anybody, but a company called Secunia actually does a pretty good job of looking for all of those applications on personal computers and so do places like Qualys and others.
But, you can't allow the application vulnerabilities to last the way they are lasting. On average, the average operating system gets 80 percent of its patches installed within a few weeks. In the average applications, they aren't patched; only about 20 percent of them are patched within six or eight weeks. So you have to change the rules on what gets patched so that applications get patched at least as well as operating systems.
And the other one, which is actually bigger in terms of liability and embarrassment, is that you have to change the way you build websites. You have to change this because the websites are being built by people who don't know how to write secure code, and because they don't know how to write secure code, they are leaving their applications open, so that the actual site that the users come to and trust is infecting them. And if they keep doing this -- and thousands and thousands of trusted sites are infected. You might have noticed that there are not many new worms, and the report talks about this. There are not many new worms, and that is because they don't need worms anymore. They just take over websites that are trusted, and then all the visitors who come to those trusted websites get infected. It is a stealth attack and no one else knows about it.
So those are the two things, you fix your website now because when your customers find out you are the one who is infecting them, it will be a whole lot worse than losing their credit cards. And the second thing is that you patch your applications at least as quickly as you patch your operating systems.
FIELD: So, Alan, it strikes me -- I say this will be a wake-up call to organizations, but what sort of a reaction do you expect to see?
PALLER: I think people start with "oh, yeah, we knew that" and then they go "oh, shoot, we had no idea that the attackers were so concentrated on it" because that is what the attack data shows. Over 60 percent of the attacks against websites are aimed at SQL injection and cross-site scripting, and over 60 percent of all the attacks on Windows boxes are going after applications now. So what happens is they already knew about it, but they didn't know how important it was, so it is not a wake-up call in terms of just knowing about it, but it is a wake-up call in terms of prioritization of money.
FIELD: Very good. Alan, I appreciate your time and your insight today.
PALLER: You're welcome.
FIELD: We have been talking with Alan Paller of the SANS Institute. For Information Security Media Group, I'm Tom Field. Thank you very much.