With the release of an updated Top 20 Internet Security Vulnerabilities report, SANS said that a significant share of attacks has shifted from operating systems to the applications running on them, and that administrators need to account for this in how they patch and monitor their systems.
“We are seeing a trend to exploit not only Windows, but other vendor programs installed on large numbers of systems,” says Rohit Dhamankar, lead security architect at 3Com’s TippingPoint division and leader of SANS' Top 20 effort. “These include backup software, anti-virus software, database software and even media players. Flaws in these programs put critical national and corporate resources at risk and have the potential to compromise the entire network.”
SANS director of research Alan Paller pointed out that backup software is now being attacked in an automated fashion, and that observed attack patterns show a large volume of traffic aimed specifically at backup applications.
According to SANS' research, the patching cycle for external, Internet-facing systems is about 19 days, while the cycle for internal systems is about 48 days. This lag creates a problem for companies because a system remains exposed from the moment an exploit is available until the patch is applied, and the longer internal cycle means internal systems stay exposed for well over a month.
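The 19-day and 48-day figures above are averages across SANS' sample; what matters operationally is your own exposure window per host. The following is an added example, not code from SANS or from the report, that computes that window from a small constructed inventory: for each asset it measures the days between the vendor's patch release and the date the patch was applied (or the measurement date, if it is still missing), reports the median per zone, and flags hosts that exceed a per-zone threshold. The host names, dates and the `SANS_SLA` thresholds are assumptions used for illustration; the thresholds simply reuse the 19/48-day figures from the text as a yardstick.

```python
from datetime import date
from statistics import median

# Constructed sample inventory (not real data). Each asset records whether it is
# Internet-facing, when the vendor patch was released, and when it was applied
# (None = still unpatched as of the measurement date).
INVENTORY = [
    {"host": "web-01",     "facing": "external", "released": date(2005, 10, 11), "applied": date(2005, 10, 25)},
    {"host": "web-02",     "facing": "external", "released": date(2005, 10, 11), "applied": date(2005, 11, 3)},
    {"host": "mail-01",    "facing": "external", "released": date(2005, 10, 11), "applied": None},
    {"host": "db-01",      "facing": "internal", "released": date(2005, 10, 11), "applied": date(2005, 11, 22)},
    {"host": "backup-01",  "facing": "internal", "released": date(2005, 10, 11), "applied": date(2005, 12, 6)},
    {"host": "av-mgmt-01", "facing": "internal", "released": date(2005, 10, 11), "applied": None},
]

# Measurement date for the constructed data (assumption).
AS_OF = date(2005, 12, 15)

# Per-zone thresholds, taken from the cycle lengths quoted in the text (assumption:
# used here as an acceptable-window yardstick, not as a SANS recommendation).
SANS_SLA = {"external": 19, "internal": 48}


def exposure_days(asset, as_of):
    """Days the asset was (or still is) exposed: from patch release to the day the
    patch was applied, or to the measurement date if the patch is still missing."""
    end = asset["applied"] if asset["applied"] is not None else as_of
    return (end - asset["released"]).days


def patch_cycle_report(inventory, as_of, sla_days):
    """Per zone: median exposure window, hosts still unpatched, and hosts whose
    window exceeds the zone's threshold. Host lists are sorted for stable output."""
    report = {}
    for zone in sorted({a["facing"] for a in inventory}):
        assets = [a for a in inventory if a["facing"] == zone]
        windows = {a["host"]: exposure_days(a, as_of) for a in assets}
        report[zone] = {
            "median_days": median(windows.values()),
            "unpatched": sorted(a["host"] for a in assets if a["applied"] is None),
            "over_sla": sorted(h for h, d in windows.items() if d > sla_days[zone]),
        }
    return report


if __name__ == "__main__":
    for zone, summary in patch_cycle_report(INVENTORY, AS_OF, SANS_SLA).items():
        print(f"{zone}: median {summary['median_days']} days, "
              f"unpatched {summary['unpatched']}, over threshold {summary['over_sla']}")
```

Hosts that are still unpatched are counted with an open-ended window up to the measurement date, so they always show up as the worst cases rather than being silently dropped from the median; that is the deliberate choice, since an unpatched backup or anti-virus management server is exactly the kind of target the report describes.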
Compounding the problems companies already face is the growing market for exploits. Roger Cummings, director of the UK's National Infrastructure Security Coordination Centre, said that the marketplace for exploits is expanding, although he is not sure how fast or how large it has become. Profit is one obvious motive for selling exploits, and in some cases their use results in extortion attempts. Paller added that, according to his information, the FBI receives one new cyber extortion case every day, an increase compared with previous years.
The SANS Top 20 Internet Security Vulnerabilities report has been published annually since 2000. The new report lists dozens of critical vulnerabilities, and administrators should review it to confirm they have taken adequate steps to defend against the intrusions it describes.
"We’re publishing [Top 20 Internet Security Vulnerabilities] as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected," said Paller.
You can review the updated report online at the SANS Web site.