Nearly 33% of websites are infected with downloadable malware, after infection rates almost doubled in the past year, according to research from the Sans Institute.
Users' confidence in online security is waning, leading small and medium-sized companies to lose business, it said.
The security training organisation last week published its annual list of the top 20 cyber security threats.
Gerhard Eschelbeck, chief technology officer at Webroot, one of the firms that contributed to the study, said, "Since January 2007, Webroot has seen a 183% increase in websites that harbour spyware. Infection rates for spyware and Trojans that steal keystrokes are currently at 31% and growing rapidly.
"In a survey of small and medium enterprises we conducted in September, 77% said their success depends on the internet, and 47.2% reported lost sales due to spyware."
Rohit Dhamankar, senior manager of security research at security specialist TippingPoint, said 50% of the total vulnerabilities reported in 2007 were in web applications.
"But it is only the tip of the iceberg," he said. "This data excludes vulnerabilities in custom-developed web applications. Compromised websites provide avenues for massive client-side compromises via web browsers, office documents and media player exploits."
The number of vulnerabilities in Microsoft Office products nearly trebled in 2007, said Amol Sarwate, manager of security firm Qualys's Vulnerability Laboratory. This was due primarily to new Excel vulnerabilities that can be exploited by getting users to open Excel files sent via e-mail and instant messenger.
Sans Institute research director Alan Paller said web application insecurity was particularly troublesome because so many developers write insecure code. "Most of their web applications provide access to back-end databases that hold sensitive information," he said.
"Until colleges that teach programmers, and companies that employ programmers, ensure that developers learn secure coding, and until those employers ensure that they work in a secure development lifecycle, we will continue to see major vulnerabilities."
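The "insecure code in front of a back-end database" problem Paller describes is easiest to see side by side. The following is an added example, not code from Sans, Webroot, Qualys or the article; it assumes a throwaway SQLite in-memory database with a constructed users table, and contrasts a lookup that splices user input into the SQL text with the hardened form that binds the input as a parameter. It also covers the case parameter binding cannot handle (identifiers such as a sort column), which needs an allow-list instead.

```python
import sqlite3

# Constructed sample data standing in for a "back-end database that holds
# sensitive information". Not taken from the article.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "finance"),
    ("bob", "bob@example.test", "sales"),
    ("carol", "carol@example.test", "admin"),
]

# Identifiers cannot be bound as parameters, so the only safe way to let a
# caller choose a sort column is to check it against a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"username", "email", "role"}


def make_db() -> sqlite3.Connection:
    """Build the in-memory database used by the lookups below (assumed setup)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The insecure pattern: untrusted input is pasted into the SQL text, so the
    input can change the structure of the query rather than just its value."""
    query = (
        "SELECT username, email, role FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The hardened form: the SQL text is fixed and the input is passed as a
    bound parameter, so the database only ever compares it as a value."""
    query = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Sort by a caller-chosen column. The column name is an identifier, not a
    value, so it is validated against ALLOWED_SORT_COLUMNS before it is used."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"refusing unexpected sort column: {sort_column!r}")
    return conn.execute(
        f"SELECT username FROM users ORDER BY {sort_column}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value containing a quote behaves differently under the two lookups:
    # the unsafe version lets it rewrite the WHERE clause, the safe version
    # treats it as a username that simply does not exist.
    probe = "' OR '1'='1"
    print("unsafe rows returned:", len(lookup_unsafe(db, probe)))  # 3
    print("safe rows returned:  ", len(lookup_safe(db, probe)))    # 0
    print("sorted by role:", [r[0] for r in list_users_sorted(db, "role")])
```

The point for a code review is that the query text in `lookup_safe` is a constant; whatever the caller passes can only ever be a value. Where a constant query is impossible, as with the sort column, the defence moves to validating the input against a closed set before it touches the SQL.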
Paller said new attacks use social engineering to expose internal company networks to exploitation. These attacks are much harder to defend against, he said. "They take a commitment to continuous monitoring and uncompromising adherence to policy with real penalties."
Technical defences have improved, but hackers are using automated attack programs to constantly scan the web for vulnerable systems.
"So many automated programs are searching for victims that Sans' Internet Storm Center (an early warning system for the internet) reports that computers can expect to survive only five minutes before being attacked, and will withstand the attacks only if they are configured securely before being connected to the internet," he said.