® Inc. blog

  • 4
    May 2008
    SANS Top 20 internet security risks report published
    Posted in terror by Kaak at 12:12 pm | No Comments »

    The annual SANS Top 20 security risks report for the period November 2006 – October 2007 has been released, and will be up for public discussion later today (Wednesday) in London. As usual, the report contains a substantial body of detail, listing among other things the CVE references of important vulnerabilities.

    According to SANS, although fewer operating system vulnerabilities have been reported than in previous years, security flaws in applications are increasingly being discovered and exploited. SANS considers that “attackers are finding more creative ways to obtain sensitive data from organizations” and that vulnerable default configurations are still common and widely used.

    Almost half the vulnerabilities reported in 2007 affected web applications, allowing web sites to be breached and contaminated for phishing and malware distribution. The volume of vulnerabilities in web browsers, client-side helper applications and office applications has also increased. For example, almost four times as many Microsoft Office vulnerabilities were reported in 2007 as in the previous year – interestingly, the majority of these (and the greatest increase) related to the Excel spreadsheet application, which suffered 13 in 2007 and only one in 2006.

    Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. Insecure application services implemented as Service Control Programs (SCP), which run by default from system restart, are identified as a major avenue for attacks.

    UNIX and Mac OS X seem to have come out relatively smelling of roses this year as far as SANS is concerned. Users are recommended to review their configuration and eliminate unnecessary services in order to reduce the target area for attackers, but the report only lists 20 CVE references for these platforms, of which 12 relate to kernel, libraries and services. This, however, is somewhat at odds with the experience of heise Security, which has noted many more patches for services under Unix and Mac OS X this year.

    On the web front, SANS singles out PHP remote file includes, SQL injection, cross-site scripting (XSS) and cross-site request forgery as the dominant exploit types, identifying poor security understanding on the part of web application programmers and failure to update and patch hosting systems as the key culprits.
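    To make the "poor security understanding" point concrete for one of the four exploit types named above, here is an added example (not from the SANS report or from this blog) showing a login check that is open to SQL injection next to the parameterized version that is not. It uses Python's built-in sqlite3 module with a constructed in-memory user table; the user names, passwords and the injection payload are sample data assumed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is spliced into the SQL text itself.

    A quote in `name` ends the string literal early and a trailing `--`
    comments out the password check, so the query's structure changes
    rather than the value simply being compared.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Placeholders: the values travel separately from the SQL text.

    Whatever the attacker types can only ever be compared as a literal
    string; it is never parsed as SQL.
    """
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo():
    """Run both variants against valid credentials and an injection payload."""
    conn = make_db()
    # Sample payload: closes the name literal and comments out the rest.
    bypass = "alice' --"
    return {
        "vuln_ok_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_wrong_pw": login_vulnerable(conn, "alice", "wrong"),
        "vuln_bypass": login_vulnerable(conn, bypass, "anything"),
        "safe_ok_creds": login_parameterized(conn, "alice", "s3cret"),
        "safe_wrong_pw": login_parameterized(conn, "alice", "wrong"),
        "safe_bypass": login_parameterized(conn, bypass, "anything"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

    Against the vulnerable function the payload logs in as alice without knowing the password, because the query that reaches the database is `... WHERE name = 'alice' --' AND password = 'anything'`; against the parameterized function the same payload is just a user name that does not exist. The same principle (keep data out of the code channel) is what escaping output for HTML does against XSS and what an allowlist of local paths does against remote file includes.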

    Disturbingly, security products, including both backup software and anti-virus, feature quite strongly in this year’s report. Three backup products contribute 18 CVE references, and anti-virus packages by no less than 13 vendors are represented by between one and five CVE references each. The report points out that vulnerabilities found in products by seven vendors could be used to gain complete control of a system, or in some cases even a gateway.

    Database systems have in general not fared well either. Numerous vulnerabilities are referenced for IBM products, MS SQL Server, Oracle, and PostgreSQL. However, MySQL and Sybase have survived unscathed this year.

    The security policy and personnel section is mostly advisory in nature, but it does include some disturbing statistics. The report estimates somewhat loosely that between 1 and 50 million systems were running the Storm worm as of September 2007, and quotes numbers of personal IDs exposed by seven US companies and state agencies due to loss of unencrypted data, running to hundreds of thousands in most cases. Unauthorised devices and software and excessive user rights remain key problems, and poor user awareness still contributes to the success of phishing attacks.

    The report ends with brief sections on VoIP security and zero-day attacks, both including CVE references of notable example vulnerabilities.
