Influential survey says security 'set back by 6 years'

Updated Tuesday, Nov. 22, to include comments made during a press conference at 11 a.m. ET.

Attackers don't go after operating systems like they used to. They've found bigger fish to fry in flawed applications like the average AV, database, IM or media player program. They're also paying more attention to flaws in the routers and switches that keep the Internet afloat and are successfully stealing data from government networks.

That's the consensus among security experts who contributed to the SANS Institute's Top 20 vulnerability list for 2005. The Bethesda, Md.-based organization released the list Tuesday morning, and its research director said the findings show a major backslide in efforts to achieve ironclad information security.

"The bottom line is that security has been set back nearly six years in the past 18 months," SANS Institute Research Director Allan Paller said in an e-mail exchange. "Six years ago attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching. Here we go again."

During a press conference Tuesday morning, Paller added, "These applications, other than AV, don't have automated patching. We're back to the stone age. Getting patches and figuring out how to install them -- those days are back in spades." @15873

In recent years, the institute said a majority of attacks targeted operating systems like UNIX and Windows and Internet services like Web servers and mail systems. But this year a new wave of attacks were against vulnerable application programs. "The most noticeable set of applications targeted by attackers are the backup and recovery tools as well as antivirus and other security tools that most organizations think are keeping them safe from attacks and from loss of data," the institute said.

Rohit Dhamankar, lead security architect for the TippingPoint division of Marlborough, Mass.-based 3Com, noted in a statement, "We are seeing a trend to exploit not only Windows, but other vendor programs installed on large numbers of systems. These include backup software, antivirus software, database software and even media players. Flaws in these programs put critical national and corporate resources at risk and have the potential to compromise the entire network."

During the Tuesday morning press conference, Dhamankar said the threats that worry him the most are those targeting the Web browsers and media players -- including Microsoft Media Player and Macromedia Flash.

Application-based attacks are happening with dizzying speed, Jerry Dixon, director of the The United States Computer Emergency Readiness Team (US-CERT), added in the same statement. "The US-CERT received reports of important system compromises using vulnerabilities in backup products within a few days of the public disclosure of vulnerabilities in those products," he said.

SANS said another worrying trend this year has been the fresh attention given to critical security holes in network devices like the routers and switches that keep traffic moving across the Internet. "Network devices often have on-board operating systems and can be programmed just like computers," the institute said. "Compromises of network devices can provide attackers one of the most fruitful platforms for eavesdropping and launching targeted attacks."

The attention given to networking flaws was perhaps best illustrated during the Black Hat Briefings in Las Vegas last July. There, researcher Michael Lynn, a former employee with Internet Security Systems, infuriated Cisco by demonstrating how to exploit a critical flaw in the networking giant's Internetwork Operating System (IOS) that could, if exploited to its potential by a malicious attacker, bring down the entire Internet.

When the digital underground launches targeted assaults, information in sensitive government systems are often the prize attackers have their eyes on, the institute said. As an example, the institute mentioned an advisory Britain's National Infrastructure Security Co-Ordination Centre issued June 16 describing "a series of targeted attacks against the UK central government and commercial organizations for the purpose of gathering and transmitting otherwise privileged information."

Networks maintained by the U.S. government and military have been the target of what security experts called "equally devastating" attacks. Specifically, the institute said attacks are being carried out against government and military-contractor sites "using vulnerabilities like those reported in SANS Top 20."

Indeed, the media was ablaze with reports this summer of an attack against government systems dubbed Titan Rain. In this attack, Chinese Web sites targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks. Though classified information wasn't taken, officials worried that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary's strengths and weaknesses when pulled together.

TippingPoint's Dhamankar, also a project manager for the SANS Top 20, said vulnerabilities on this year's list are defined by four criteria:

• (1) They affect a large number of users;
• (2) They have not been patched on a substantial number of systems;
• (3) They allow computers to be controlled by a remote, unauthorized user; and
• (4) Sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them.

Paller did note during the press conference that there's a silver lining to be had among the couds:

After deciding that it couldn't rely on flawed Microsoft software, the U.S. Air Force "decided to put $5 million on the table and asked Microsoft to make a safer version of Windows," he said. "Microsoft said yes, and now the Air Force is using a special version. We think this action is... what will one day turn the tide -- the government leading by example and putting out money. This someday will allow people to have access to safer software."

This article originally appeared on SearchSecurity.com.