One third of websites infected with malware, says Sans Institute

Nearly one-third of websites were infected with downloadable malware as infection rates almost doubled in the past year, according to the Sans Institute.

User confidence in online security is waning as a result, and small and medium-sized companies are losing business.

The US-based security training organisation today published its annual list of the Top 20 cybersecurity threats that companies and users face.

Gerhard Eschelbeck, chief technology officer of Webroot, said, "Since January 2007, Webroot has seen a 183% increase in websites that harbour spyware. Infection rates for spyware and Trojans that steal keystrokes are currently at 31% and growing rapidly.

"Based on a survey of small and medium enterprises we conducted in September 2007, 77% said their success depends on the internet, and 47.2% reported lost sales due to spyware."

Rohit Dhamankar, senior manager of security research for TippingPoint, said half the total vulnerabilities reported in 2007 are in web applications. "But it is only the tip of the iceberg," he said. "These data exclude vulnerabilities in custom-developed web applications. Compromised websites provide avenues for massive client-side compromises via web browser, office documents and media player exploits."

The number of vulnerabilities in Microsoft Office products nearly trebled in 2007, said Amol Sawarte, manager of Qualys's Vulnerability Laboratory. This was primarily because of new Excel vulnerabilities that can be exploited by getting unsuspecting users to open Excel files sent via e-mail and instant message.

Sans research director Alan Paller said web application insecurity was particularly troublesome because so many developers write insecure code. "Most of their web applications provide access to back-end databases that hold sensitive information," he said.

"Until colleges that teach programmers, and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications."

Paller said new attacks use social engineering to expose internal company networks to exploitation. These attacks are much harder to defend against, he said. "They take a commitment to continuous monitoring and uncompromising adherence to policy with real penalties. Only the largest banks and most sensitive military organisations have, so far, been willing to implement such practices."

Paller said technical defences had improved, but automated attack programs were constantly scanning the web for vulnerable systems. "So many automated programs are searching for victims that Sans' Internet Storm Center (an early warning system for the internet) reports that computers can expect to survive only five minutes before being attacked and will withstand the attacks only if they are configured securely before being connected to the internet," he said.

Qualys offers a free service that tests computers for the elements on the Top 20 amenable to such testing. This year, Applicure Technologies, a web application firewall firm, is offering a free monitoring tool that assesses how many web attacks are hitting IIS and Apache servers.

Best practices for reducing risks

1. Configure systems, from the first day, with the most secure configuration that your business requirements will allow, and use automation to keep users from installing and uninstalling software.

2. Use automation to ensure systems maintain their secure configuration and remain fully patched with the latest software versions, including keeping anti-virus software up to date.

3. Use proxies on your border network, configuring all client services (HTTP, HTTPS, FTP, DNS, etc) so that they have to pass through the proxies to get to the internet.

4. Protect sensitive data through encryption, data classification mapped against access control, and through automated data leakage protection.

5. Use automated inoculation for awareness and penalise those who do not follow acceptable use policy.

6. Perform proper DMZ segmentation with firewalls.

7. Remove the security flaws in web applications by testing programmers' security knowledge and testing the software for flaws.