According to a new report, published today by SANS, the overwhelming majority of all cyber-security risks can be laid at the door of just two areas: unpatched client-side software and vulnerable Internet-facing web sites.
The report was compiled by Rohit Dhamankar, Mike Dausin, Marc Eisenbarth and James King of TippingPoint with assistance from Wolfgang Kandek of Qualys, Johannes Ullrich of the Internet Storm Center, and Ed Skoudis and Rob Lee of the SANS Institute faculty. But, to be fair, I'm not sure that attack data from systems protecting 6000 organisations and vulnerability data from 9,000,000 systems was really needed to arrive at its conclusion.
You only need to keep an eye on the news to realise that unpatched software is being targeted by the spear phishers and bad guys, with client-side vulnerabilities in the likes of Adobe software hitting the headlines this year and last.
The SANS 'Top Cyber Security Risks' report says that unpatched client-side software represents "the primary initial infection vector used to compromise computers that have Internet access." What is interesting is the report's finding that, on average, major organisations take at least twice as long to patch these client-side software vulnerabilities as they do to patch operating system vulnerabilities. As SANS puts it, "the highest priority risk is getting less attention than the lower priority risk."
And talking of priority risks, number two according to the report is vulnerable web sites. SANS says that attacks against web applications constitute "more than 60% of the total attack attempts observed on the Internet." No real shocker there either, especially coming hot on the heels of another report which suggests that some 90% of all web applications have at least one medium-risk vulnerability present and 27% have at least one high-risk one. The SANS numbers pretty much match up with other reports, suggesting that SQL injection and Cross-Site Scripting in web applications account for around 80% of the vulnerabilities reported. Again, almost unbelievably, web site owners are simply failing to scan effectively for the most common of flaws and are leaving their sites and applications open to abuse.
On the good news front, OS worms are down, with only Conficker making any real impact between March and August this year. That impact looks like continuing though, with emerging news that Conficker is back with a scareware twist in the tail. On the not-so-good news front, zero-day vulnerabilities have continued to rise significantly over the last three years, with some remaining unpatched for as long as 2 years.