The line of network defense shifts again

Applications dominate new top 20 vulnerabilities list

The most critical IT security vulnerabilities

For Windows systems

' Windows Services

' Internet Explorer

' Windows Libraries

' Microsoft Office and Outlook Express

' File sharing applications

' Windows configuration weaknesses

For cross-platform applications

' Backup software

' Antivirus software

' PHP-based applications

' Database software

' DNS software

' Media players

' Instant-messaging applications

' Web browsers

' Other cross-platform applications

For Unix systems

' Unix configuration weaknesses
' Mac OS X

For networking products

' Cisco IOS-based products

' Cisco non-IOS products

' Cisco devices configuration weaknesses

Criteria for vulnerabilities included in the Top 20 list

' They affect a large number of users.

' They remain unpatched on a substantial number of systems.

' They allow computers to be controlled by unauthorized users.

' Exploits are available.

See www.sans.org/top20 for details.

'There has been a 90-degree turn in the way attackers come at you. ... We're back to the Stone Age' in patching vulnerabilities.

'SANS' Alan Paller

Henrik G. de Gyor

Attackers move their targets from servers to applications

Just when administrators are getting faster at patching IT vulnerabilities, new trends in Internet attacks show that speed is not enough to protect networks.

The most recent edition of the Top 20 Vulnerabilities released by the SANS Institute of Bethesda, Md., the US-CERT and Britain's National Infrastructure Security Coordination Center shows that applications, rather than servers, increasingly are the targets of attackers.

'There has been a 90-degree turn in the way attackers come at you,' said Alan Paller, SANS' director of research. Most applications don't offer automatic patching programs, so 'we're back to the Stone Age,' in which administrators must seek out and patch vulnerabilities by hand.

'A lot of the low-hanging fruit on servers has been taken care of,' said Gerhard Eschelbeck, chief technology officer of Qualys Inc. of Redwood City, Calif. IT administrators now will have to shift their attention to patching application backup tools, antivirus software, browsers and media players.

Three years ago, Eschelbeck came up with the concept of a vulnerability half-life'the period of time it takes to patch half of the instances of a vulnerability. A study of 32 million network scans over the last year showed the half-life of vulnerabilities on external systems shrank from 21 days to 19 days in 2005. The half-life on internal systems dropped from 62 days to 48 days.

But the study also showed that 85 percent of damage from automated attacks still occurs within the first half-life of a vulnerability.

For software programs whose vendors have regularly scheduled the announcement of vulnerabilities and the release of patches, the patching process improved by 18 percent.

'A coordinated, predefined schedule improves patching behavior,' Eschelbeck said.

But few of the vendors of applications that now account for as many as 60 percent of new vulnerabilities have regular patch release programs.

The increasing speed at which exploits appear and the shifting nature of their targets make it almost impossible to keep up with the patching cycle.

'I don't think it's about how fast you patch anymore, but where you patch,' said Mike Murray, director of vulnerability and exposure research for nCircle Network Security Inc. of San Francisco.

Murray advocates focusing not just on patching mission-critical systems, but on the network paths that offer the greatest exposure to these machines.
'You have no hope of patching all of them,' he said. 'You need to understand what your network looks like and the paths the exploits can take.'

For years, software from Microsoft Corp. has offered the best fishing for researchers looking for vulnerabilities and hackers waiting to exploit them.
The Microsoft waters are certainly not fished out, but 'researchers are having more trouble finding the vulnerabilities in Microsoft, so they're branching out,' Murray said.

This means more new vulnerabilities are showing up on client applications. Applications often do not get as high a priority for patching as servers and network devices.

'The perceived risk is typically lower for client-side than for server-side' vulnerabilities, Eschelbeck said. The patching process is further slowed because of the sheer number of devices that have to be addressed to patch applications.

The speed with which vulnerabilities can be safely patched could be reaching a plateau.

When Eschelbeck first calculated vulnerability half-lives in 2003, it was 30 days for an outward-facing device. This dropped to 21 days in 2004, and Eschelbeck last year challenged administrators to bring that figure down to 10 or 15 days.

It dropped only to 19 days this year. He called for shrinking the half-life for internal devices from 62 to 40 days, but it dropped to only 48 days.
'I knew that 40 days was an ambitious goal,' he said. 'But the improvement we have made is encouraging.'

In addition to shifting their targets, attackers are continuing their trend away from high-profile, high-speed attacks in favor of more subtle, targeted attacks. NISCC director Roger Cumming blamed this on what he called a public marketplace for malicious code.

'Individuals are writing exploits largely for profit,' rather than for bragging rights, he said. 'The criminal elements are fueling the creating of this market.'
All of this means that administrators must work smarter, not just faster. Systems that cannot be safely patched before an exploit is released require layers of defense to protect them until patching is feasible.

Murray calls for a proactive mindset to address problems before they crop up.

'With every decision you make, ask yourself, How can this create risk for me and how can I mitigate that risk?' he said.

Ultimately, more secure, higher-quality software will be the answer to network security threats. A move toward this already has begun.
'There is no question that they are doing a better job' of developing software, Murray said. 'It went from a seller's market to a buyer's market,' and customers began demanding better security.

Paller cited several federal contracts in which agencies have paid a premium for secure software configurations that would not be undone by later patches. He said the federal government's $68 billion annual IT budget could go a long way toward making security the default setting in commercial software.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above