Last week the SANS Institute published a report of The Top Cyber Security Risks. The report highlights two top priorities. There first priority is for users to apply patches on a timely basis:
"Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites.(See Priority Two below for how they compromise the web sites). Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents and music and video that exploit client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software. The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation."
The second priority is vulnerable Internet-facing web sites:
"Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience."
These two vulnerability points seem obvious to me and it is no surprise that the report lists them as the top priorities for cyber security.
Given the opening statement above that "...targeted email ... is the primary initial infection source...", it is odd to me that the report completely overlooks the need for strong Internet-based security and authentication, beginning with DNSSEC. After all, such email attacks would not be feasible if email was authenticated. It is a no-brainer and would save the additional cost and brain damage of trying to manage the thousands of new attack variants appearing each day.
Further, DNSSEC would authenticate web sites and one would hope that such sites would be more diligent about site maintenance to ensure they were free of malware. DNSSEC itself imposes a maintenance discipline on web site administration due to the need to roll over signing keys.
In any case the report is interesting reading and a little scary when one considers the volume and sophistication of the attacks.
Comments