SANS Report Says Organizations Are Focusing On the Wrong Security Threats
yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications as to patch their operating systems."
We are just lucky I guess (Score:3, Informative)
Re:Most type of exploit is 'other' (Score:1, Informative)
Unless I am reading that wrong, the 92% is the other blue item: MS08-067 (buffer overflow).
Other is only 2%.
Though they really should have used colors that contrasted better than light and dark blue.
Re:The problem is in job responsibility (Score:5, Informative)
For commonly used applications that make the CVE lists I find the Personal Software Inspector an excellent tool.
http://secunia.com/vulnerability_scanning/personal/ [secunia.com]
Amazing how many userland applications out there have some kind of exploit against them : /
Re:OpenBSD vs Linux (Score:2, Informative)
Is the OS important when someone snarfs up your web app and all data it had access to?
Depends on how long you want to spend doing recovery. If I have incremental copies (in addition to normal backup/DR actions) and a live copy of the DB transaction logs sitting on the local box outside of the chroot jail (and thus remaining untouchable)? It is a lot easier and faster to disable the offending script (or apply the needed patch), copy over the last known good data, and be up and running - with a very short downtime.
If the OS is untrusted, you get to rebuild the entire system - which means you get to reach for disk backup or a VM clone (if you're lucky) or tapes (if you're not), or you're basically screwed (if you're stupid).
Corner cases naturally will change all of this, but that's the basic premise.
Re:The problem is in job responsibility (Score:3, Informative)
Cassandra [purdue.edu] is probably the best resource for that, you can build a profile of the software you use, and it will alert you when a vulnerability is fixed in that software.
Secunia of course offers commercial tools, but I've never used them, so not sure how useful they are.
http://secunia.com/advisories/business_solutions/ [secunia.com]
Also, vulnerability management/discovery software like NeXpose or Nessus can find many similar problems, especially if you give them access credentials.
Re:Most type of exploit is 'other' (Score:3, Informative)
No, I didn't forget to read it. It wasn't there. "Microsoft OS", "Windows", these were not mentioned in the article nor in the report. Things that were mentioned were things like Flash, Acrobat Reader and Microsoft Office. I get my updates to Flash and Acrobat through apt, so I think it's pretty relevant. My office suite is also updated via apt, although it wasn't made by Microsoft.
Re:OpenBSD vs Linux (Score:3, Informative)
Today, the PHP service that got popped was running on the... PHP server. Is the OS important when someone snarfs up your web app and all data it had access to?
Yes, it's very important. To extend your analogy a little, with Microsoft all the goodies are sitting on open tables inside the big tent so a tear in the big tent generally allows complete access to all the goodies. With linux there are locked covered cubicles inside the tent that you can keep the goodies in. If the goodies are kept in the cubicles, as they should be, it's much harder to get at them even after you tear through the outside tent. With OpenBSD there are steel cubicles for the goodies.