Two risks dwarf all others, but organizations fail to mitigate them.
Featuring attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis and tutorial by the Internet Storm Center and key SANS faculty members.
Throughout the developed world, governments, defense industries, and companies in finance, power, and telecommunications are increasingly targeted by overlapping surges of cyber attacks from criminals and nation-states seeking economic or military advantage. The number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. Exacerbating the problem is that most organizations do not have an Internet-wide view of the attacks.
This report uses current data – covering March 2009 to August 2009 – from appliances and software in thousands of targeted organizations to provide a reliable portrait of the attacks being launched and the vulnerabilities they exploit. The report’s purpose is to document existing and emerging threats that pose significant risk to networks and the critical information that is generated, processed, transmitted, and stored on those networks. This report summarizes vulnerability and attack trends, focusing on those threats that have the greatest potential to negatively impact your network and your business. It identifies key elements that enable these threats and associates these key elements with security controls that can mitigate your risk.
The report’s target audience is major organizations that want to ensure their defenses are up-to-date and are tuned to respond to today’s newest attacks and to the most pressing vulnerabilities. Data on actual attacks comes from in trusion prevention appliances deployed by TippingPoint that protect more than 6,000 companies and government agencies. Data on vulnerabilities that remain unpatched comes from appliances and software deployed by Qualys that monitor vulnerabilities and configuration errors in more than 9,000,000 systems, scanned more than 100,000,000 times so far in 2009. The patterns in the data are vetted by the senior staff at the Internet Storm Center and by the faculty of the SANS Institute responsible for SANS programs in hacker exploits, penetration testing, and forensics. In other words, these findings reflect a fusion of data and experience never before brought together.
The report also includes a pictorial description/tutorial on how some of the most damaging current attacks actually work. One of the most important findings in cybersecurity over the past several years has been the understanding most often asserted by White House officials that “offense must inform defense.” Only people who understand how attacks are carried out can be expected to be effective defenders. The tutorial shows what actually happened in a very damaging attack and is excerpted from Ed Skoudis’ SANS Hacker Exploits and Incident Handling class. It is included to boost defenders’ understanding of current attack techniques.
The report was compiled by Rohit Dhamankar, Mike Dausin, Marc Eisenbarth and James King of TippingPoint with assistance from Wolfgang Kandek of Qualys, Johannes Ullrich of the Internet Storm Center, and Ed Skoudis and Rob Lee of the SANS Institute faculty.
Priority One: Client-side software that remains unpatched.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites. (See Priority Two below for how they compromise the web sites). Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents and music and video that exploit client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply accessing an infected website is all that is needed to compromise the client software. The victims’ infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation. On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the lower priority risk.
Priority Two: Internet-facing web sites that are vulnerable.
Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.
Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period. Even so, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90% of attacks seen against the Windows operating system.
Rising numbers of zero-day vulnerabilities
World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years. There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks. A large decline in the number of “PHP File Include” attacks appears to reflect improved processes used by application developers, system administrators, and other security professionals.
Application Vulnerabilities Exceed OS Vulnerabilities
During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most “popular” applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.
Figure 1: Number of Vulnerabilities in Network, OS and Applications
Web Application Attacks
There appear to be two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.
Attacks on Microsoft Windows operating systems were dominated by Conficker/ Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.
Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Apple: QuickTime and Six More
Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks that are being launched against Apple software. Note that QuickTime runs on both Mac and Windows Operating Systems. The following vulnerabilities should be patched for any QuickTime installations: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957
Figure 4: Attacks on Critical Apple Vulnerabilities (last 6 months)
- Language Translations
- Portuguese (PDF)
Check Them Out!
The Best Information Security conference I have attended yet.
-Chris Bimson, Compass Systems, Inc.