Hackers take '90-degree-turn' in their attacks
- By William Jackson
- Nov 22, 2005
Administrators are getting better at patching the vulnerabilities in IT systems, but new trends indicate speed is not enough to protect networks.
The most recent edition of the Top 20 Vulnerabilities released today by the SANS Institute of Bethesda, Md., the US-CERT and Britain's National Infrastructure Security Coordination Center shows that applications, rather than servers, increasingly are the targets of attackers.
'There has been a 90-degree turn in the way attackers come at you,' said Alan Paller, SANS director of research. Because most applications do not offer automatic patching programs, 'we're back to the Stone Age' in which administrators must seek out and patch vulnerabilities by hand.
'A lot of the low-hanging fruit on servers has been taken care of,' said Gerhard Eschelbeck, chief technology officer of Qualys Inc. of Redwood City, Calif. IT administrators now will have to shift their attention to patching applications, back-up tools, anti-virus software, browsers and media players.
Three years ago, Eschelbeck came up with the concept of a vulnerability half-life'the period of time it takes to patch half of the instances of a vulnerability. A study of 32 million network scans over the last year showed the half-life of vulnerabilities on external systems shrank from 21 to 19 days in 2005. The half-life on internal systems dropped from 62 days to 48.
But the study also showed that 85 percent of damage from automated attacks still occurs within the first half-life of a vulnerability.
For years, software from Microsoft Corp. has offered the best fishing for researchers looking for vulnerabilities and hackers waiting to exploit them. The Microsoft waters are certainly not fished out, but 'researchers are having more trouble finding the vulnerabilities in Microsoft, so they're branching out,' said Mike Murray, director of vulnerability and exposure research for nCircle Network Security Inc. of San Francisco.
This means that more new vulnerabilities are showing up in client-side applications. Applications often do not get as high a priority for patching as servers and network devices.
'The perceived risk is typically lower for client-side than for server-side' vulnerabilities, Eschelbeck said. The patching process is further slowed because of the sheer number of devices that have to be addressed to patch applications.
Eschelbeck was part of the team that compiled the SANS Top 20 list. In addition to the shift to applications, this year's list also includes critical vulnerabilities in the proprietary operating systems running on the routers and switches that make up network backbones.
All of this means that administrators must work smarter, not just faster. Systems that cannot be safely patched before an exploit is released require layers of defense to protect them until patching is feasible.
'With every decision you make, ask yourself, How can this create risk for me and how can I mitigate that risk?' Murray said.
William Jackson is a Maryland-based freelance writer.