Most organizations are stuck in the past, applying a disproportionate amount of focus on patching operating systems than on systems posing the greatest risk, according to a report released Tuesday by the SANS Institute.
Findings of the study
, titled "Top Cyber Security Risks," were based on six months of data compiled this year by intrusion prevention provider TippingPoint and vulnerability management firm Qualys. The report found that most organizations are overlooking the parts of their networks most susceptible to attack: vulnerable client-side applications, such as Adobe Reader
, Microsoft Office
and Apple QuickTime
, and internet facing websites.
But that is a big mistake. Rob Lee, a digital investigations expert who works at Mandiant, said Tuesday on a conference call that all of intrusions his company now investigates -- about 40 large-scale breaches per year -- either are perpetrated by a client-side exploit launched through a spear phishing
email or through an SQL injection attack, in which hackers exploit a vulnerability on a company's public-facing website.
"Every single one is related to a vulnerability that is highlighted in this report," Lee said. "The attackers are extremely organized in their methodology. They know what they're doing. There is a big payoff as a result. And they're quite good."
The 16-page report concluded that, aside from the Conficker
worm outbreak, no other major OS-related malware resulted in in-the-wild outbreaks this year. Instead, the threat landscape has been dominated by web application attacks, which make up about 60 percent of intrusion attempts, and client-side attacks, which often prove successful because end-users trust commonly used file formats such as PDF.
"Applications that are widely installed on customer desktops are not being patched in the same speed as operating systems," said Wolfgang Kandek, CTO of Qualys.
Ed Skoudis, co-founder and senior security analyst at InGuardians, said organizations are failing to keep up with the times due to the overwhelming effort they had to put forth to build a robust process for patching operating systems. Plus, they are basing their patching priorities on outdated metrics.
"They're still fighting the battles of five and 10 years ago," Skoudis said. "When we talk to these organizations, they're still celebrating their successes at being able to patch the underlying operating systems."
Meanwhile, he said many organizations assume that infected endpoint machines can be contained. But that is faulty thinking.
"Once the client gets exploited, the attacker pivots through the organization," Skoudis said. "The attackers will bounce to internal network servers and that's when you have a full-scale breach. That's when you have a real problem."
He said administrators must switch their focus to patching client machines and limiting the privileges of end-users so they are unable to run certain malware. As for protecting themselves on the web application site, businesses should consider web application firewalls as a quick fix and secure coding practices for a longer-term solution.
Rohit Dhamankar, director of security research at TippingPoint, said applying remedies to these risks is more important than ever before because bugs are being discovered in greater number.
"The skill set of people discovering vulnerabilities now is sharper than ever," he said. "We often see duplicate submissions from people who find the exact same vulnerability in different fashions."
Alan Paller, director of research for the SANS Institute, said he hopes this study raises awareness within the industry by providing hard numbers.
"This is an actual triumph of a report," he said. "For the first time, they've taken the cover off the attack and vulnerability patching space."