Tuesday, September 22, 2009
Cybersecurity - or lack thereof - alarms experts
The study confirmed what the cybersecurity community has warned about for some time: the fastest-growing area of exploitation is client-side applications, the programs that open content fetched from the Web. Attackers embed malicious content in ordinary-looking files (Microsoft Office documents, Adobe PDFs, Flash animations or QuickTime videos); when a victim downloads and opens such a file, the embedded content exploits an unpatched flaw in the application that renders it and compromises the computer.
The researchers concluded that criminals deliver these files primarily through "spear-phishing schemes" (in which they profile specific victims and craft socially engineered e-mails to trick them into downloading a booby-trapped file) or by turning trusted but insecure Web sites into vehicles for malicious content.
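The attack described above depends on a document carrying active content that the viewer executes on open. The following Python triage script is an added example and is not code from the article or the SANS report: it scans a PDF for the name objects that give a file that capability (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia), resolves the "#xx" hex escaping attackers use to hide those names from naive keyword searches, and refuses to call a file clean when its objects sit inside compressed streams the scan cannot see into. The three sample PDFs are constructed for this example and are deliberately minimal.

```python
"""Static keyword triage of a PDF for active content (added example, not from the page).

A hit is not proof of malice (many legitimate forms use JavaScript), but it is the
signal a client-side document exploit usually needs, so hits go to a sandbox or a
parser such as pdf-parser/peepdf rather than to the user's desktop.
"""
import re

# Name objects that let a PDF run or open something when the file is merely opened.
ACTIVE_CONTENT = (
    "/OpenAction", "/AA", "/JavaScript", "/JS",
    "/Launch", "/EmbeddedFile", "/RichMedia",
)
# Markers meaning part of the file is compressed: a keyword scan cannot see into
# those streams, so their absence of hits must not be read as "clean".
OPAQUE_MARKERS = ("/ObjStm", "/FlateDecode")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Resolve PDF name escapes so b'/Java#53cript' compares equal to b'/JavaScript'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data, names):
    """Count occurrences of each name object, after escape normalization.

    The lookahead stops '/JS' from matching inside '/JSON' and '/AA' inside '/AAPL';
    PDF names end at whitespace or a delimiter, which the lookahead approximates.
    """
    text = normalize_names(data)
    counts = {}
    for name in names:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts


def triage(data):
    """Return (verdict, hits) for raw PDF bytes.

    verdict is 'suspicious' (active content present), 'inconclusive' (no hits but
    compressed streams were not inflated) or 'no active content'.
    """
    counts = count_names(data, ACTIVE_CONTENT + OPAQUE_MARKERS)
    hits = {k: v for k, v in counts.items() if k in ACTIVE_CONTENT}
    opaque = any(k in counts for k in OPAQUE_MARKERS)
    if hits:
        return "suspicious", hits
    if opaque:
        return "inconclusive", hits
    return "no active content", hits


# Constructed samples for this example. The first launches JavaScript on open and
# hides the action name with a hex escape; the second is a bare one-page document;
# the third has no visible actions but keeps its objects in a compressed stream.
MALICIOUS_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

COMPRESSED_SAMPLE = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj << /Type /ObjStm /N 2 /First 8 /Filter /FlateDecode /Length 10 >>
stream
xxxxxxxxxx
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE),
                          ("benign", BENIGN_SAMPLE),
                          ("compressed", COMPRESSED_SAMPLE)):
        verdict, hits = triage(sample)
        print(f"{label:10s} -> {verdict} {hits}")
```

The "inconclusive" verdict is the point a practitioner should take away: a scanner that greps for keywords and reports nothing on a PDF full of /FlateDecode streams has not checked the file, which is the same gap the report describes in scans that never look at client-side weaknesses at all.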
The study found that organizations take three to five times as long to patch client-side application vulnerabilities as they do operating-system vulnerabilities, said Alan Paller, research director at SANS Institute, a security research and education organization that collaborated on the report with others. What's more, vulnerability scans often fail to check for these client-side weaknesses at all.
"For the first time, we know where the bad guys are attacking and, oh darn, those are not the areas we're protecting," Paller said.
Paller said this discrepancy might be the result of companies not reporting breaches for fear of losing customers' confidence or, in the case of government entities, for national security reasons.
The researchers say that some recent security breaches were the result of the criminal strategies they detailed in the report.
Scammers, for instance, tricked the New York Times last weekend into posting an ad for a fake antivirus program on its Web site. In April, computer spies stole several terabytes of data related to an expensive Department of Defense fighter jet project.
The researchers hope more attention and resources will be allocated to address these vulnerabilities.
"If security guys are not fixing this, it's time to get new security guys," Paller said.
For this study, network security vendor TippingPoint, vulnerability-scanning firm Qualys, members of the SANS Institute and other researchers analyzed data from thousands of computers from March through August this year.
During that period, they compared the most common attacks observed at military organizations, government entities, manufacturers, hospitals, colleges and financial institutions with the vulnerabilities most commonly found patched and unpatched on those organizations' systems.