The SANS Institute report on the state of security circa 2007 is enough to make you want to pull your ethernet cord out. Is anything out there secure?
On Wednesday, the SANS Institute released its top 20 security risks update for 2007. It's pretty bleak across the board. There are client vulnerabilities in browsers, Office software (especially the Microsoft variety), email clients and media players. On the server side, Web applications are a joke, Windows Services are a big target, Unix and Mac operating systems have holes, backup software is an issue as are databases and management servers. Even anti-virus software is a target.
And assuming you button down all of those parts--good luck folks--you have policies to be implemented (rights, access, encrypted laptops etc.) just so people can elude them. Meanwhile, instant messaging, peer-to-peer programs and your VOIP system are vulnerable. The star of the security show is the infamous zero day attack (here's how to prevent them).
I'm feeling better how about you?
A few notable nuggets to ponder:
Your browser has too many friends. IE and Firefox are full of vulnerabilities. No surprise there. But part of the problem is rich Internet content--and all the plug-ins to go with it. SANs says:
With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Object and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on his/her system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.
Microsoft Office is under siege. We'll let this vulnerability graphic do the talking:
Enterprise 2.0 is full of holes. SANS says:
Web-based applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and Discussion Forums are used by small and large organizations. A large number of organizations also develop and maintain custom-built web applications for their businesses (indeed, in many cases, such applications are the business). Every week hundreds of vulnerabilities are reported in commercially available and open source web applications, and are actively exploited. Please note that the custom-built web applications are also attacked and exploited even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE or BugTraq. The number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.
When it comes to security Mac and Unix operating systems are very similar. Let's hear it for reuse of hacks. "Most Unix/Linux systems include multiple standard services in their default installation. Mac OS X often suffers from the same vulnerabilities as Unix systems, since it is based on Unix," says SANS. Configuration settings are very important.
Backup software is a target. This may be news to some folks since backup software usually just gets information pushed to it. However, backup systems need access to all files. Hackers can take advantage of these access privileges to infect an enterprise system. SANS says:
During 2007 many critical backup software vulnerabilities were discovered. Since the backup software generally runs with high privileges to read all files on a system, vulnerabilities in backup software have led to severe security vulnerabilities. Some of these vulnerabilities were exploited to completely compromise systems running backup servers and/or backup clients. Attackers leveraged these flaws for enterprise-wide compromise and obtained access to the sensitive backed-up data. Exploits have been publicly posted for many of these flaws, and these vulnerabilities are often exploited in the wild.
Anti-virus software is also a weak point because it's an attractive target. Anti-virus software also happens to be installed everywhere. SANS says:
Multiple remote code execution vulnerabilities have been discovered in the anti-virus software provided by various vendors including Symantec, F-Secure, Trend Micro, McAfee, Computer Associates, ClamAV and Sophos. These vulnerabilities can be used to take a complete control of the user's system with limited or no user interaction.
Anti-virus software has also been found to be vulnerable to "evasion" attacks. By specially crafting a malicious file (for instance, an HTML file with an executable header) it may be possible to bypass anti-virus scanning. These evasion attacks can be exploited to create a vector for malware propagation, or bypass systems that would otherwise limit malware propagation.
