Nearly one-third of websites were infected with
downloadable malware as infection rates almost doubled in the past
year, according to the Sans Institute.
User confidence in online security is waning as a result and
small and medium sized companies are losing business.
The US-based security training organisation today published its
annual list of the
Top 20 cybersecurity threats that companies and users face.
Gerhard Eschelbeck, chief technology officer of
Webroot, said, "Since January
2007, Webroot has seen a 183% increase in websites that harbour
spyware. Infection rates for spyware and Trojans that steal
keystrokes are currently at 31% and growing rapidly.
"Based on a survey of small and medium enterprises we conducted
in September 2007, 77% said their success depends on the internet,
and 47.2% reported lost sales due to spyware."
Rohit Dhamankar, senior manager of security research for
TippingPoint, said half
the total vulnerabilities reported in 2007 are in web applications.
"But it is only the tip of the iceberg," he said. "These data
exclude vulnerabilities in custom-developed web applications.
Compromised websites provide avenues for massive client-side
compromises via web browser, office documents and media player
exploits."
The number of vulnerabilities in Microsoft Office products
nearly trebled in 2007, said Amol Sarwate, manager of
Qualys's Vulnerability Laboratory.
This was primarily because of new Excel vulnerabilities that can be
exploited by getting unsuspecting users to open Excel files sent
via e-mail and instant message.
Sans research director Alan Paller said web application
insecurity was particularly troublesome because so many developers
write insecure code. "Most of their web applications provide access
to back-end databases that hold sensitive information," he
said.
"Until colleges that teach programmers, and companies that
employ programmers ensure that developers learn secure coding, and
until those employers ensure that they work in an effective secure
development life cycle, we will continue to see major
vulnerabilities in nearly half of all web applications."
Paller said new attacks use social engineering to expose
internal company networks to exploitation. These attacks are much
harder to defend against, he said. "They take a commitment to
continuous monitoring and uncompromising adherence to policy with
real penalties. Only the largest banks and most sensitive military
organisations have, so far, been willing to implement such
practices."
Paller said technical defences had improved, but automated
attack programs were constantly scanning the web for vulnerable
systems. "So many automated programs are searching for victims that
Sans' Internet Storm Center (an early warning system for the
internet) reports that computers can expect to survive only five
minutes before being attacked and will withstand the attacks only
if they are configured securely before being connected to the
internet," he said.
Qualys offers a free
service that tests computers for the elements on the Top 20
amenable to such testing. This year, Applicure Technologies, a web
application firewall firm, is offering a
free monitoring
tool that assesses how many web attacks are hitting IIS and
Apache servers.
Best practices for reducing risks
1. Configure systems, from the first day, with the most secure configuration that your business requirements will allow, and use automation to keep users from installing and uninstalling software.
2. Use automation to ensure systems maintain their secure configuration and remain fully patched with the latest software versions, including up-to-date anti-virus software.
3. Use proxies on your border network, configuring all client services (HTTP, HTTPS, FTP, DNS, etc.) so that they have to pass through the proxies to get to the internet.
4. Protect sensitive data through encryption, data classification mapped against access control, and automated data leakage protection.
5. Use automated inoculation for awareness and penalise those who do not follow the acceptable use policy.
6. Perform proper DMZ segmentation with firewalls.
7. Remove the security flaws in web applications by testing programmers' security knowledge and testing the software for flaws.
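The proxy rule in point 3 is only as good as its enforcement. One check a defender can run over border firewall egress logs to find internal hosts that bypass the proxies is shown below; this is an added example, not code from the article or from Sans, and the internal address range, proxy and resolver addresses and the log line format are all assumptions.

```python
"""Flag internal clients that reach client-service ports on the internet
directly instead of through the designated border proxies."""
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the article): internal range, proxy/resolver hosts,
# and which destination ports count as "client services".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PROXY_HOSTS = {"10.0.0.5", "10.0.0.53"}  # web/FTP proxy and DNS forwarder
CLIENT_PORTS = {80: "HTTP", 443: "HTTPS", 21: "FTP", 53: "DNS"}

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Return a flow dict for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow

def is_bypass(flow):
    """True when an internal, non-proxy host talks to a client-service
    port outside the internal range, i.e. it skipped the proxy."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src not in INTERNAL or dst in INTERNAL:
        return False  # inbound, internal-to-internal, or traffic to the proxy
    if flow["src"] in PROXY_HOSTS:
        return False  # the proxies themselves are allowed out
    return flow["dport"] in CLIENT_PORTS

def find_bypasses(lines):
    """Map each offending source IP to its (service, dst, ts) bypass flows."""
    offenders = defaultdict(list)
    for line in lines:
        flow = parse_line(line)
        if flow and is_bypass(flow):
            offenders[flow["src"]].append(
                (CLIENT_PORTS[flow["dport"]], flow["dst"], flow["ts"]))
    return dict(offenders)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2007-11-28T09:00:01 src=10.1.2.3 dst=10.0.0.5 dport=3128 proto=tcp",  # via proxy
    "2007-11-28T09:00:02 src=10.1.2.3 dst=10.0.0.53 dport=53 proto=udp",   # via resolver
    "2007-11-28T09:00:03 src=10.1.2.7 dst=203.0.113.10 dport=80 proto=tcp",  # direct HTTP
    "2007-11-28T09:00:04 src=10.1.2.7 dst=198.51.100.9 dport=53 proto=udp",  # direct DNS
    "2007-11-28T09:00:05 src=10.0.0.5 dst=203.0.113.10 dport=80 proto=tcp",  # proxy egress
    "2007-11-28T09:00:06 src=10.1.2.9 dst=203.0.113.20 dport=22 proto=tcp",  # not a client service
    "garbage line",
]

if __name__ == "__main__":
    for host, hits in find_bypasses(SAMPLE_LOG).items():
        print(host, hits)
```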