
IT departments are fighting the security battles of five or
10 years ago, unaware that their IT systems are dangerously exposed
to computer hackers.
That was the message from a study published this week by the US
security education and research body the Sans Institute and
security suppliers Tippingpoint and Qualys.
The study is the first to analyse systemically how
cybercriminals are breaking into corporate IT systems. It draws on
attack patterns recorded by intrusion detection systems in 6,000
organisations and software vulnerabilities detected in a further
9,000 firms.
Its findings will lead to a widespread reassessment of how
companies spend their IT security budget, says Alan Paller,
director of research at the Sans Institute.
Fundamental error
The study shows that chief security officers are spending most
of their budgets ensuring that the operating systems of their PCs
and servers are patched. But many hackers are directing their
attacks against vulnerabilities in web applications and common
desktop software, bypassing the operating system entirely.
Vulnerabilities in commonly used desktop software programs,
including Adobe PDF, QuickTime, Adobe Flash and Microsoft Office,
and in web applications accounted for 60% of hacking attacks
recorded over the past five months.
"IT departments are still celebrating their success at patching
operating systems. They think they are doing great, but they are
using the wrong metrics," says Rob Lee, faculty leader in forensics
at the Sans Institute.
The greatest risk to corporate IT systems comes from hackers
exploiting vulnerabilities in popular websites to plant and spread
malicious code on a huge scale.
Employees feel safe visiting trusted sites from their work
places, but they are easily fooled into opening documents, music
and video files that contain malicious code.
Once downloaded, the code exploits vulnerabilities in unpatched
applications on their desktops, allowing hackers to plant backdoors
that can provide them access to corporate networks.
Spear phishing
Hackers are using another technique known as spear phishing -
targeted e-mails containing malware - to exploit the same
application vulnerabilities.
Over the past year, the Sans team has responded to 40 major
security incidents in businesses and government departments.
Two-thirds have been spear phishing attacks.
"We have recently seen financial attackers using spear phishing
campaigns against chief financial officers to get them to click on
a link. They install a key logger. Once an individual logs into the
bank account, the hackers get in and start moving funds," says
Lee.
SQL injection attacks
SQL injection is the most common technique used by hackers to
compromise web applications. The technique can be blocked by
careful coding, but the Sans Institute warns that some programmers
are creating applications that use SQL injection, leaving their
networks open to attack from hackers.
"People writing these applications do not realise that they have
put SQL injection in code as a feature. We find a lot of these
applications in company networks. Things that people have put
together quickly," says Rohit Dhamankar, director of security
research at Tippingpoint.
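The "careful coding" the sidebar refers to is, in practice, keeping user input out of the SQL text and passing it as a bound parameter. The example below is added here for illustration and is not code from the article, the Sans Institute or Tippingpoint; the customer table, the names and the probe strings are constructed. It places the quickly-put-together pattern (input pasted into the query) next to the parameterised form and shows that the former both breaks on a legitimate name containing an apostrophe and returns every row for input shaped like SQL, while the latter treats the same input as plain data.

```python
import sqlite3

# Constructed sample data (not from the study): a tiny customer table.
SAMPLE_ROWS = [
    ("acme", "Acme Ltd"),
    ("obrien", "O'Brien & Sons"),
    ("globex", "Globex Corp"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (login TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """The 'put together quickly' pattern: the caller's string is pasted
    into the SQL text, so whatever it contains becomes part of the query
    grammar. This is the SQL injection 'feature' the sidebar describes."""
    sql = ("SELECT login FROM customers WHERE name = '" + name
           + "' ORDER BY login")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    """Careful coding: the SQL text is fixed and the value is bound as a
    parameter, so the database engine never parses the input as SQL."""
    sql = "SELECT login FROM customers WHERE name = ? ORDER BY login"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str):
    """Run both lookups on the same input and return (vulnerable, safe).
    A vulnerable-side SQL error is reported as a string starting 'error'."""
    conn = make_db()
    try:
        try:
            vulnerable = lookup_vulnerable(conn, name)
        except sqlite3.Error as exc:
            vulnerable = "error: " + exc.__class__.__name__
        safe = lookup_parameterized(conn, name)
    finally:
        conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # Constructed probes: an ordinary name, a legitimate name with an
    # apostrophe, and input shaped like SQL rather than like a name.
    for probe in ("Acme Ltd", "O'Brien & Sons", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The apostrophe case is the one worth showing to developers who think of injection as purely a security matter: the concatenating version cannot even serve a real customer called O'Brien, whereas the bound-parameter version returns the right row and, for the SQL-shaped input, correctly returns nothing.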
There are some straightforward measures that businesses can take
to protect themselves, says the Sans Institute.
Small businesses can deploy a separate hardened PC for staff to
use for financial transactions online. And for all companies,
deploying a web application firewall will help to protect web
applications from malicious attacks.
"For the client side, get code patched and get it patched more
quickly. The idea that you can patch operating systems in a week is
great news. But that is focusing on the attacks of a couple of
years ago," says Ed Skoudis, security consultant at the Internet
Storm Centre, which monitors hacking activity.
The other point, he says, is that companies should redouble
their efforts to make sure users do not log into their machines
with administrator privileges. "That way, if there is some sort of
exploit, and the bad guys get a toehold, it is only with limited
privileges," he says.