A new security research report shows that cyber-criminals are developing more sophisticated attacks on computer networks. The most vulnerable targets are Web-based software applications. "The Top Cyber Security Risks Report" recommends that networks adopt a "smartphone model," such as on Apple's iPhone, where only vetted and secure executable code is allowed, adopt stronger configuration management practices, be careful about adopting Web-based apps, as that's where most of the new attacks occur, and educate Web app developers about security needs. The report was compiled using data from TippingPoint, Qualys and the System Administration, Networking and Security (SANS) Institute.
None of the report's conclusions will surprise those involved with information security, but it serves to remind businesses that they will continue to face persistent and well-designed threats. The report outlines four key security risks: the increased consumerization of enterprise computing, the prolonged and persistent targeting of Web applications, the increased organization and sophistication of attackers and the continuing presence of legacy threats.
"People continue to move more content onto the Web and present a greater attack surface on the Web," says Mike Dausin, manager of advanced security intelligence for HP TippingPoint's DVLabs, one of the contributors to the report. "That's one of the ways that companies really put themselves out there." Consumer-oriented technologies that are adopted by employees for work are one example. Although social networking sites such as Facebook, Twitter and iTunes can be effectively used by companies for marketing purposes, Dausin says they also open the door to a multitude of security risks. It's not just social networking sites; all sorts of Web applications can pose a risk. Increasingly, companies are subscribing to SaaS offerings where applications are accessed through a Web browser instead of from an internal server. As the volume of Web applications increases, that's where the cyber-criminals go to find new targets, according to the report.
Qualys, which monitors enterprise networks for vulnerabilities, has found that the volume of attacks via third-party software applications has increased while the number of attacks on computer operating systems has declined, says Wolfgang Kandek, chief technology officer of Qualys. Unfortunately, many companies haven't responded to this change in attack patterns. Organizations are quick to patch vulnerabilities in the Microsoft Windows OS but slow to patch vulnerabilities in third-party software such as Adobe Reader. Qualys research shows that 50 percent of Windows machines are patched within 15 days on average, but it takes 60 days for an Adobe Reader patch to reach that same mark.
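The "days until half the fleet is patched" figure Qualys cites is a metric a defender can compute from their own vulnerability-scan data. The following Python is an added example, not code from the report or from Qualys; it assumes a constructed list of scan records (host, product, patch release date, date the host was first seen patched, or None if still unpatched) and computes, per product, the number of days after release by which a given fraction of hosts had applied the patch. Hosts that never patched count against the total but never contribute a delay, which is what makes a product with a long tail of unpatched hosts fail to reach the threshold at all.

```python
import math
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample scan records (assumption: not data from the report).
# (host, product, patch_release_date, first_seen_patched_or_None)
PATCH_RELEASE = date(2010, 1, 12)
SCAN_RECORDS: List[Tuple[str, str, date, Optional[date]]] = [
    ("h1", "Windows", PATCH_RELEASE, date(2010, 1, 15)),       # 3 days
    ("h2", "Windows", PATCH_RELEASE, date(2010, 1, 19)),       # 7 days
    ("h3", "Windows", PATCH_RELEASE, date(2010, 1, 27)),       # 15 days
    ("h4", "Windows", PATCH_RELEASE, date(2010, 2, 1)),        # 20 days
    ("h5", "Windows", PATCH_RELEASE, date(2010, 2, 21)),       # 40 days
    ("h6", "Windows", PATCH_RELEASE, None),                    # never patched
    ("h1", "Adobe Reader", PATCH_RELEASE, date(2010, 2, 11)),  # 30 days
    ("h2", "Adobe Reader", PATCH_RELEASE, date(2010, 2, 26)),  # 45 days
    ("h3", "Adobe Reader", PATCH_RELEASE, date(2010, 3, 13)),  # 60 days
    ("h4", "Adobe Reader", PATCH_RELEASE, date(2010, 4, 12)),  # 90 days
    ("h5", "Adobe Reader", PATCH_RELEASE, None),               # never patched
    ("h6", "Adobe Reader", PATCH_RELEASE, None),               # never patched
]


def days_to_patch_fraction(
    records: List[Tuple[str, str, date, Optional[date]]],
    product: str,
    fraction: float = 0.5,
) -> Optional[int]:
    """Days after patch release by which `fraction` of hosts running `product`
    were patched. Returns None if no hosts run the product or the fraction was
    never reached (unpatched hosts count toward the total, not the delays)."""
    total = 0
    delays: List[int] = []
    for _host, prod, released, patched in records:
        if prod != product:
            continue
        total += 1
        if patched is not None:
            delays.append((patched - released).days)
    if total == 0:
        return None
    needed = math.ceil(total * fraction)  # hosts that must be patched
    if len(delays) < needed:
        return None  # the fleet never reached that coverage level
    delays.sort()
    return delays[needed - 1]  # delay of the host that crossed the threshold


def patch_latency_report(
    records: List[Tuple[str, str, date, Optional[date]]],
    fraction: float = 0.5,
) -> Dict[str, Optional[int]]:
    """Per-product summary, so slow-to-patch third-party software stands out."""
    products = sorted({prod for _h, prod, _r, _p in records})
    return {prod: days_to_patch_fraction(records, prod, fraction) for prod in products}


if __name__ == "__main__":
    for prod, days in patch_latency_report(SCAN_RECORDS).items():
        status = f"{days} days" if days is not None else "threshold never reached"
        print(f"{prod:13s} 50% patched: {status}")
```

Run against real scanner exports, the same function with `fraction=0.9` or `0.95` is usually more telling than the median: it exposes the long tail of hosts that keep an old Adobe Reader or similar third-party component installed long after the Windows patch cycle has finished.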
The report also notes the increasing sophistication of cyber-criminals who create malicious code used to attack computer systems. "We have seen increases in techniques all the time, but it definitely surprised us how far they've come in just the last year," says TippingPoint's Dausin. The code is much cleaner than it has been in the past, and researchers have come across new versions of malicious code that are actually accompanied by release notes, something previously seen only in legitimate software releases.