The line of network defense shifts again

 

Connecting state and local government leaders

Just when administrators are getting faster at patching IT vulnerabilities, new trends in Internet attacks show that speed is not enough to protect networks.

Just when administrators are getting faster at patching IT vulnerabilities, new trends in Internet attacks show that speed is not enough to protect networks.The most recent edition of the Top 20 Vulnerabilities released by the SANS Institute of Bethesda, Md., the US-CERT and Britain's National Infrastructure Security Coordination Center shows that applications, rather than servers, increasingly are the targets of attackers.'There has been a 90-degree turn in the way attackers come at you,' said Alan Paller, SANS' director of research. Most applications don't offer automatic patching programs, so 'we're back to the Stone Age,' in which administrators must seek out and patch vulnerabilities by hand.'A lot of the low-hanging fruit on servers has been taken care of,' said Gerhard Eschelbeck, chief technology officer of Qualys Inc. of Redwood City, Calif. IT administrators now will have to shift their attention to patching application backup tools, antivirus software, browsers and media players.Three years ago, Eschelbeck came up with the concept of a vulnerability half-life'the period of time it takes to patch half of the instances of a vulnerability. A study of 32 million network scans over the last year showed the half-life of vulnerabilities on external systems shrank from 21 days to 19 days in 2005. The half-life on internal systems dropped from 62 days to 48 days.But the study also showed that 85 percent of damage from automated attacks still occurs within the first half-life of a vulnerability.For software programs whose vendors have regularly scheduled the announcement of vulnerabilities and the release of patches, the patching process improved by 18 percent.'A coordinated, predefined schedule improves patching behavior,' Eschelbeck said.But few of the vendors of applications that now account for as many as 60 percent of new vulnerabilities have regular patch release programs.The increasing speed at which exploits appear and the shifting nature of their targets make it almost impossible to keep up with the patching cycle.'I don't think it's about how fast you patch anymore, but where you patch,' said Mike Murray, director of vulnerability and exposure research for nCircle Network Security Inc. of San Francisco.Murray advocates focusing not just on patching mission-critical systems, but on the network paths that offer the greatest exposure to these machines.'You have no hope of patching all of them,' he said. 'You need to understand what your network looks like and the paths the exploits can take.'For years, software from Microsoft Corp. has offered the best fishing for researchers looking for vulnerabilities and hackers waiting to exploit them.The Microsoft waters are certainly not fished out, but 'researchers are having more trouble finding the vulnerabilities in Microsoft, so they're branching out,' Murray said.This means more new vulnerabilities are showing up on client applications. Applications often do not get as high a priority for patching as servers and network devices.'The perceived risk is typically lower for client-side than for server-side' vulnerabilities, Eschelbeck said. The patching process is further slowed because of the sheer number of devices that have to be addressed to patch applications.The speed with which vulnerabilities can be safely patched could be reaching a plateau.When Eschelbeck first calculated vulnerability half-lives in 2003, it was 30 days for an outward-facing device. This dropped to 21 days in 2004, and Eschelbeck last year challenged administrators to bring that figure down to 10 or 15 days.It dropped only to 19 days this year. He called for shrinking the half-life for internal devices from 62 to 40 days, but it dropped to only 48 days.'I knew that 40 days was an ambitious goal,' he said. 'But the improvement we have made is encouraging.'In addition to shifting their targets, attackers are continuing their trend away from high-profile, high-speed attacks in favor of more subtle, targeted attacks. NISCC director Roger Cumming blamed this on what he called a public marketplace for malicious code.'Individuals are writing exploits largely for profit,' rather than for bragging rights, he said. 'The criminal elements are fueling the creating of this market.'All of this means that administrators must work smarter, not just faster. Systems that cannot be safely patched before an exploit is released require layers of defense to protect them until patching is feasible.Murray calls for a proactive mindset to address problems before they crop up.'With every decision you make, ask yourself, How can this create risk for me and how can I mitigate that risk?' he said.Ultimately, more secure, higher-quality software will be the answer to network security threats. A move toward this already has begun.'There is no question that they are doing a better job' of developing software, Murray said. 'It went from a seller's market to a buyer's market,' and customers began demanding better security.Paller cited several federal contracts in which agencies have paid a premium for secure software configurations that would not be undone by later patches. He said the federal government's $68 billion annual IT budget could go a long way toward making security the default setting in commercial software.

Applications dominate new top 20 vulnerabilities list

The most critical IT security vulnerabilities

For Windows systems

' Windows Services

' Internet Explorer

' Windows Libraries

' Microsoft Office and Outlook Express

' File sharing applications

' Windows configuration weaknesses

For cross-platform applications

' Backup software

' Antivirus software

' PHP-based applications

' Database software

' DNS software

' Media players

' Instant-messaging applications

' Web browsers

' Other cross-platform applications

For Unix systems

' Unix configuration weaknesses
' Mac OS X

For networking products

' Cisco IOS-based products

' Cisco non-IOS products

' Cisco devices configuration weaknesses

Criteria for vulnerabilities included in the Top 20 list

' They affect a large number of users.

' They remain unpatched on a substantial number of systems.

' They allow computers to be controlled by unauthorized users.

' Exploits are available.

See www.sans.org/top20 for details.

'There has been a 90-degree turn in the way attackers come at you. ... We're back to the Stone Age' in patching vulnerabilities.

'SANS' Alan Paller

Henrik G. de Gyor

Attackers move their targets from servers to applications




















































X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.