This year’s SANS Top 20 illuminates two new attack targets that criminals have chosen to exploit, and the older targets where attackers have significantly raised the stakes. Old vulnerabilities are still targeted by automated attack programs constantly scanning the Web for vulnerable systems. However, facing real improvements in system and network security, cyber criminals and cyber spies have shifted their focus to two new prime targets that allow them to evade firewalls, antivirus, and even intrusion prevention tools: users who are easily misled and custom-built applications. This is a major shift from prior years when attackers limited most of their targets to flaws in commonly used software.
Web application insecurity is particularly troublesome. Many developers write and deploy Web applications without demonstrating that they can write secure applications; meanwhile, the Web applications provide access to back-end databases that hold sensitive information. Says Paller, “Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective, secure development life cycle, we will continue to see major vulnerabilities in nearly half of all Web applications.”
Rohit Dhamankar, senior manager of security research for TippingPoint and 2007 Top 20 project manager, states:
“Although half the total vulnerabilities reported in 2007 are in Web applications, it’s only the tip of the iceberg. These data exclude vulnerabilities in custom-developed Web applications. Compromised Web sites provide avenues for massive client-side compromises via Web browser, office document, and media player exploits. This vicious circle of compromise is proving to be harder to break each day.”
Data that describes the size of this problem comes from Qualys, the firm that scans for vulnerabilities on millions of systems around the world. Its data shows a jump of nearly 300% in vulnerabilities in Microsoft Office products from 2006 to 2007, primarily new Excel vulnerabilities that can easily be exploited by getting unsuspecting users to open Excel files sent via e-mail and instant message.
Meanwhile, Gerhard Eschelbeck, chief technology officer of Webroot, the largest spyware detection and monitoring firm, reports that since January 2007, Webroot has seen a 183 percent increase in Web sites harboring spyware. Infection rates for spyware and Trojans that steal keystrokes are currently at 31 percent and rapidly growing. In a survey of small and medium-sized enterprises that Webroot conducted in September 2007, 77 percent said their success depends on the Internet, and 47.2 percent reported lost sales due to spyware.