Security Pros Are Focused on the Wrong Threats

The New York Times reported last week that corporate information technology departments are prioritizing the wrong threats to their computer systems, focusing on old problems and leaving their companies open to a raft of new cyberattacks aiming at private customer and corporate information.

That finding comes from a new biannual report from the SANS Institute, whose senior staff weighed two sets of data that have not been rigorously compared to date: data on the most common attacks hitting corporate networks and data on which vulnerabilities are most prevalent on company networks.

From the article:

Looking at the two sets of data together revealed immense shifts in what is getting the attention of today’s hackers. “The bottom line: Two cyber-risks dwarf all others, and users are not effectively mitigating them — preferring to invest in mitigating less critical risks,” said Alan Paller, director of research at SANS.

The less critical risks are flaws in the Windows operating system. While these bugs were the No. 1 problem for everyone on the Internet not long ago, times have changed. Thanks to significant security improvements by Microsoft, automated tools for applying its patches and generally good habits within organizations, the operating system is now much harder to hit. As such, hacker interest has waned. Only one major worm, Conficker, circulated in the first half of the year. Attacks on the operating system accounted for only about 30 percent of the total volume of attack activity on the Internet, and, thanks to patching, probably weren’t very successful, says Rohit Dhamankar, director of TippingPoint’s DVLabs.

But on the rise are quiet attacks on desktop programs, such as Microsoft’s Office, Adobe’s Flash Player and Acrobat programs, Java applications, and Apple’s QuickTime program. Attacks on these programs currently account for about 10 percent of attack volume, up from zero three or four years ago. And they are likely to be far more successful, since more than 90 percent of corporate computers are using old, unsecure versions of these programs, according to Qualys. Unaware of the importance of updating them or overwhelmed with the scope of the job, IT security staffers on average take twice as long to patch this software compared with the operating system.

“Attackers are very opportunistic. They will work with the easiest-to-use vulnerability that will give them the biggest return,” said Wolfgang Kandek, Qualys’s chief technology officer.

Which is also why attacks on company Web sites have skyrocketed. Mr. Dhamankar said a “staggering” 60 percent of attack activity was now directed at trying to hack Web sites, often by targeting “SQL injection” and “Cross-Site Scripting” flaws in open-source and custom-built Web applications, which currently account for more than 80 percent of the new vulnerabilities being discovered.

The last paragraph, is a good reminder why proxies are important not only in web access for end-users, but for protecting corporate websites in a reverse proxy scenario as well. With attacks coming from the web and attacks on outward facing websites on the increase, proxies are more important than ever in the security framework of any organization.