The SANS Institute for security training and research recently published a report based on analysis of data collected from 9 million computer systems over six months. The tag line at the top reads: "Two risks dwarf all others, but organizations fail to mitigate them."
Perhaps it should read: "Surprising new data suggests that companies that don't patch their applications are being exploited! Film at 11.”
The raw data for this report was provided by intrusion prevention system (IPS) vendor TippingPoint Technologies Inc. and a few others. Nothing in it is earth-shattering news -- quite the opposite, in fact, as most of the information has been covered over the past year. However, if you can stomach the marketing speak (everyone credited in the report is trying to sell you something, after all), there are some useful statistics and validations to be found within.
Not surprisingly, after analysis, the most prevalent attack trend observed was that applications are much more vulnerable than operating systems. That’s not really a surprise to readers of this site, and it stands to reason, as operating systems aren't generally exposed to the public Internet -- at least not on purpose! If the only thing exposed is the application, well then, that's what is going to be attacked and exploited when vulnerable.
But the trend also holds once you are inside the perimeter, behind the border with the Internet, which shouldn't really be much of a surprise either. The pain of several years of worms, although now just a faint memory to most system administrators and network managers, was instrumental in pressing the issue of operating system patching. Corporations and OS vendors alike -- well, OK, Microsoft Corp. (Nasdaq: MSFT) -- were highly motivated to manage the issue, as it was getting expensive and no longer manageable with press releases alone.
Most companies and even individuals now patch their operating systems religiously, or at least let the OS do it by itself. If you don't, then you probably experienced Conficker -- responsible for 92 percent of OS exploits, according to the report -- with only yourself to blame.
Applications apparently aren't so simple. The report shows that applications like Office, Flash, and Java remain unpatched and vulnerable for much longer than Windows. This stands to reason, as enterprise application patching is often more difficult, due to limitations in patching tools.
There is also a need, or at least a perceived need, to maintain strict application version control across the enterprise. I say “perceived,” because most of the applications mentioned have excellent backward compatibility, so mismatched versions shouldn't be too much of a big deal, even to desktop support. If I had to choose, I'd rather have most of my user population safe from a vulnerable application than all of them on the same version.
The end result of this lag in patching is evident in the data and in the report, which provides you with neat-o little charts you can show the boss as you try to get your application patching initiative in the budget!
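If you want those numbers for your own environment rather than the report's, the audit below is an added example of mine, not code from the SANS report or from this column, and it makes two assumptions: the per-host inventory is constructed sample data (in practice it would come from your inventory tool or the Windows Uninstall registry keys), and the baseline versions are hypothetical minimums chosen for the example, not the versions any particular advisory required. The point it demonstrates is that version strings like Java's "1.6.0_17" or Flash's "10.0.32.18" must be compared numerically, component by component; a plain string comparison would rank "1.6.0_9" above "1.6.0_17" and quietly hide the unpatched hosts.

```python
"""Application-patch compliance audit over a host inventory.

Added example, not from the SANS report or the original column. Given a
per-host list of installed application versions, flag every install below
a minimum patched version and summarise the exposed fraction per application.
"""
import re
from collections import defaultdict

# Hypothetical minimum acceptable versions chosen for this example; they are
# not the versions any real advisory required.
BASELINE = {
    "Java": "1.6.0_17",
    "Flash": "10.0.32.18",
    "Office": "12.0.6425.1000",
    "Reader": "9.2.0",
}

# Constructed sample inventory: one record per (host, application, version).
INVENTORY = [
    ("ws01", "Java", "1.6.0_17"),
    ("ws01", "Flash", "10.0.22.87"),
    ("ws01", "Office", "12.0.6425.1000"),
    ("ws02", "Java", "1.6.0_9"),
    ("ws02", "Flash", "10.0.32.18"),
    ("ws02", "Reader", "8.1.2"),
    ("ws03", "Java", "1.6.0_18"),
    ("ws03", "Flash", "10.0.32.18"),
    ("ws03", "Office", "12.0.6212.1000"),
    ("ws04", "Java", "1.5.0_22"),
    ("ws04", "Reader", "9.2.0"),
]


def version_key(version):
    """Turn a version string into a tuple of ints for numeric comparison.

    Every run of digits becomes one component; separators ('.', '_', '-')
    and letters are ignored, so '1.6.0_17' -> (1, 6, 0, 17). Trailing zero
    components are dropped so that '9.2' and '9.2.0' compare equal.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    while parts and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_outdated(app, version, baseline=BASELINE):
    """True when the installed version is below the baseline for that app."""
    if app not in baseline:
        raise KeyError(f"no baseline defined for {app}")
    return version_key(version) < version_key(baseline[app])


def audit(inventory, baseline=BASELINE):
    """Return (findings, summary).

    findings: list of (host, app, installed, required) for each outdated install.
    summary:  {app: (outdated_count, total_count)}, the per-application
              exposure figure worth charting.
    """
    findings = []
    counts = defaultdict(lambda: [0, 0])
    for host, app, version in inventory:
        counts[app][1] += 1
        if is_outdated(app, version, baseline):
            counts[app][0] += 1
            findings.append((host, app, version, baseline[app]))
    summary = {app: (bad, total) for app, (bad, total) in counts.items()}
    return findings, summary


if __name__ == "__main__":
    found, per_app = audit(INVENTORY)
    for host, app, installed, required in found:
        print(f"{host}: {app} {installed} is below required {required}")
    for app, (bad, total) in sorted(per_app.items()):
        print(f"{app}: {bad}/{total} hosts outdated ({100 * bad / total:.0f}%)")
```

Run against the sample data it reports five outdated installs across four hosts, with half the Java installs below baseline. Feed it your real inventory and the per-application summary is exactly the "percentage of desktops still exposed" figure that makes the budget argument.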
The report also asserts that zero-day exploits are on the rise, citing six examples in the past six months. All six were client-side applications, one of which, Adobe, I've commented on here in the past.
Unfortunately, the report doesn't give us the one truly useful bit of information about the exploits, which, in my opinion, would be the time that passed between the discovery of the exploit in the wild and the resulting application patch. It does cite a very old example of Microsoft being notified of an exploit by three separate parties between October 2007 and May 2008 before releasing the patch in June 2008. That's a lag of nine months!
I suspect the more contemporary examples would show a significantly shorter gap, which may explain why the six zero-day exploits didn't really have much more of a serious impact than the known exploits on unpatched systems.
Of the zero-day observation, the report did state: "There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors."
Gee, I wonder where I could get some education to do that?
— Gideon J. Lenkey, co-founder of Ra Security Systems
This blog is part of Internet Evolution's Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations.