Businesses must rethink security spending to keep hackers out

Businesses are prioritising unimportant security fixes while leaving their IT systems open to sophisticated hacking attacks, a major study released today reveals.

Businesses are prioritising unimportant security fixes while leaving their IT systems open to sophisticated hacking attacks, a major study released today reveals.

Analysis by US education and research body the Sans Institute and leading security firms shows that enterprises are concentrating their resources on patching their operating systems.

But cyber-criminals are sidestepping the security measures by using vulnerabilities in common applications such as Microsoft Office and Adobe PDF reader to hack into company networks.

The study's findings will lead to a widespread reassessment of how companies spend their IT security budget, said Allen Paller, director of research at the Sans Institute.

"Enterprises are prioritising what is unimportant and delaying fixing the main attack targets. I think the report will shift a lot of money around in organisations because the findings are very hard to ignore. Given the strength of the data, not acting would be obvious negligence," he said.

The study is based on an analysis of attacks recorded by intrusion prevention technology at 6,000 companies and security vulnerabilities found in 9,000 organisations by security suppliers Tippingpoint and Qualys. It reveals that hackers have shifted to spear-phishing attacks - malicious e-mails which exploit vulnerabilities in commonly used client programs - as the primary form of attack against corporate systems.

Open to attack

Despite this, organisations are taking at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities, giving the highest priority risk less attention than the lowest priority risk.

The study also warns that organisations are failing to adequately secure their public-facing websites, which it claims is the second most significant source of attack with more than 60% of internet attacks being directed against web applications.

Hackers are infecting popular websites with links to documents that contain malicious embedded code, and are increasingly targeting thousands of specialised websites with smaller audiences.

By identifying and exploiting vulnerabilities in the content management systems used by these sites, attackers can infect thousands of sites in a matter of hours. Hackers are using vulnerabilities such as SQL injection and Cross-Site Scripting to covert trusted websites into malicious websites that spread code to visitors.

The study shows there has been a significant increase in the number of people discovering zero-day vulnerabilities, which have no fixes available at the time of discovery, over the past three years. Some vulnerabilities have remained unpatched for two years.

But there is a shortage of skilled researchers working in government and software suppliers, placing IT users at a disadvantage over the hackers.

Key findings 
  • The vast bulk of the nation-state attacks against military, defence industrial base and key commercial organisations throughout the developed world are being executed using highly targeted spear-phishing attacks.
  • The vast bulk of new zombies (networks of infected computers) are created when unsuspecting users visit trusted websites that are also infected.
  • Both the spear-phishing and web attacks take advantage of client-side vulnerabilities that are being given insufficient attention by cyber defenders.
  • The web attacks take advantage of web programming errors that are not being picked up by common vulnerability scanners.


Read more on IT risk management