Topic: Data Management

SANS Institute paints gloomy security picture

Summary: The SANS Institute report on the state of security circa 2007 is enough to make you want to pull your ethernet cord out. Is anything out there secure?

By Larry Dignan for Between the Lines | November 28, 2007 -- 09:24 GMT (01:24 PST)

Follow @ldignan

The SANS Institute report on the state of security circa 2007 is enough to make you want to pull your ethernet cord out. Is anything out there secure?

On Wednesday, the SANS Institute released its top 20 security risks update for 2007. It's pretty bleak across the board. There are client vulnerabilities in browsers, Office software (especially the Microsoft variety), email clients and media players. On the server side, Web applications are a joke, Windows Services are a big target, Unix and Mac operating systems have holes, backup software is an issue as are databases and management servers. Even anti-virus software is a target.

And assuming you button down all of those parts--good luck folks--you have policies to be implemented (rights, access, encrypted laptops etc.) just so people can elude them. Meanwhile, instant messaging, peer-to-peer programs and your VOIP system are vulnerable. The star of the security show is the infamous zero day attack (here's how to prevent them).

I'm feeling better how about you?

A few notable nuggets to ponder:

Your browser has too many friends. IE and Firefox are full of vulnerabilities. No surprise there. But part of the problem is rich Internet content--and all the plug-ins to go with it. SANs says:

With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Object and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on his/her system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.

Microsoft Office is under siege. We'll let this vulnerability graphic do the talking:

Enterprise 2.0 is full of holes. SANS says:

Web-based applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and Discussion Forums are used by small and large organizations. A large number of organizations also develop and maintain custom-built web applications for their businesses (indeed, in many cases, such applications are the business). Every week hundreds of vulnerabilities are reported in commercially available and open source web applications, and are actively exploited. Please note that the custom-built web applications are also attacked and exploited even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE or BugTraq. The number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.

When it comes to security Mac and Unix operating systems are very similar. Let's hear it for reuse of hacks. "Most Unix/Linux systems include multiple standard services in their default installation. Mac OS X often suffers from the same vulnerabilities as Unix systems, since it is based on Unix," says SANS. Configuration settings are very important.

Backup software is a target. This may be news to some folks since backup software usually just gets information pushed to it. However, backup systems need access to all files. Hackers can take advantage of these access privileges to infect an enterprise system. SANS says:

During 2007 many critical backup software vulnerabilities were discovered. Since the backup software generally runs with high privileges to read all files on a system, vulnerabilities in backup software have led to severe security vulnerabilities. Some of these vulnerabilities were exploited to completely compromise systems running backup servers and/or backup clients. Attackers leveraged these flaws for enterprise-wide compromise and obtained access to the sensitive backed-up data. Exploits have been publicly posted for many of these flaws, and these vulnerabilities are often exploited in the wild.

Anti-virus software is also a weak point because it's an attractive target. Anti-virus software also happens to be installed everywhere. SANS says:

Multiple remote code execution vulnerabilities have been discovered in the anti-virus software provided by various vendors including Symantec, F-Secure, Trend Micro, McAfee, Computer Associates, ClamAV and Sophos. These vulnerabilities can be used to take a complete control of the user's system with limited or no user interaction.

Anti-virus software has also been found to be vulnerable to "evasion" attacks. By specially crafting a malicious file (for instance, an HTML file with an executable header) it may be possible to bypass anti-virus scanning. These evasion attacks can be exploited to create a vector for malware propagation, or bypass systems that would otherwise limit malware propagation.

Comforting. Where's that Ethernet jack again?

Topics: Data Management, Microsoft, Security, Software, Storage

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

10 comments

Log in or register to join the discussion

My suggestion - shut down the internet

Is there anyone willing to do that ? Well, I didin't think so. So stop whining, and take care of your turf. Accept that we're not at a point where we have a world police, but we are at a point where we have a global village. And this village is free for all and it's inside your house every time you push that "power" button on your computer front - BTW, it's there with you also when your cell phone is on.
Now, we tend to consider ourselves streetwise on the villages we live on, and know how to deal with most situations in our own towns. Folks, the internet is a village where you live. Lear to deal with it. SANs did nothing more than state the obvious - big cities are not safe, and the police won't save you in time.

If you think this situation will change, I've got a really nice patch of land to sell you. on the north of Africa, inthe middle of the Sahara desert - but believe me, it's a bargain.

bobbruno
28 November, 2007 20:15

Reply Vote
- Conveinience = Risk
  
  Face it. I've always told this to my clients. If you are going to have convienience, you are going to have elevated risk. Complete and total security is completely and totaly inconvienient. You want instant access to information, you get instant access to yourself.
  
  There is no difference between the terrorist threat and the hacker threat. And the solution is not raising the security level, and reducing the freedom/convienience. How many security checkpoints do you want to go through in order to fly to LA or purchace a phone online? The more you reduce the risk, the more inconveineint the activity becomes.
  
  Freedom is not free. To have it, to hold it, one must have the backbone to deal with it's insecurities.
  The Internet, like the U.S.A., requires of us a willingness to face the inevitable consequences of freedom. There will always be people with bad intent anywhere there is freedom for all. I lock my house, set my alarm, and bolt my doors because my security is my responsability. The day it is no longer my responcibility is the day I no longer have any freedom of my own.
  
  I don't want to make that trade. I'm willing to bet that most people would not want to make that trade.
  
  Deefburger
  29 November, 2007 07:07
  
  Reply Vote
Internet Security, the great misnomer!

There have been a number of new vectors of attack, but the problem is reminecent of something from the 1989 Batman movie. The Joker made a toxin, he called it 'smilie', that he added to heath and beauty products in a special way. The products by themselves were fine, but if you used more than one in the right (or wrong) combination, smilie. Deodorant is fine, but deodorant and soap... toxic smilie.

So consider IE7 on it own is fine, but IE7 with any ActiveX control add-on, smilie!

OR

More along the lines with the columist fears.. Windows XP is fine, but XP and an active ethernet connection, smilie.

PokeyJoe
29 November, 2007 05:38

Reply Vote
Internet Security

We need to reform the Internet so that attacks can be more easily traced. We also need to lock down ports, so that noone can attack you on some odd port, like 1280, for example. Along the lines of Internet control, definitely NOT hand control of the internet over to the UN. You think the internet is full of security holes now, wait til the UN gets a hold of it...

Carrion
29 November, 2007 09:11

Reply Vote
Eliminate MS Windows

If malware programmers choose not to target anything but Microsoft products, stop using Microsoft products.

epcraig
29 November, 2007 14:35

Reply Vote
RE: SANS Institute paints gloomy security picture

I am glad he points out the problem with "rich content". I always knew "rich content" would be trouble. But people who love form over substance have been driving the "rich content revolution" for years. And like all revolutions, now it is backfiring.

How did I know it would be trouble? Because it bypasses the browser completely, opening up its own can of worms, multiplying the possibilities for security holes. Not to mention it provides so little other than pure fluff.

mejohnsn
29 November, 2007 19:17

Reply Vote
RE: SANS Institute paints gloomy security picture

Joe and Sally Sixpack, who never see a website they don't like, never fail to open suspicious email, download porn from Russian websites on the sly, haven't bothered to renew their McAfee anti-virus subscription since the day the demo vesion expired because they "thought" it was a life-time deal, wonder why their PC is so slow. The other Windows users, the ones who "think" they are secure even though they KNOW that Microsoft keeps secret known vulnerabilities until IT decides, if ever, to patch them, practice good computing habits and have half the chance of getting infected as Joe and Sally do.

This article is written about them and the OS they chose to use. ZDNet's bread is buttered by Microsoft so it will not take an editorial stand and say the obvious: "Nearly 100% of all infected PC are running an operating systems sold by a single manufacturer, Microsoft."

Linux is not susceptible to email's infections or trojans UNLESS the user takes an [B]active roll[/B] in saving, changing permissions, and running the malware. While stores frequently fill the papers of hundreds of thousands of Windows boxes getting infected or becoming part of a bot farm, similar stories about Linux are exceedingly rare. The most reliably way for a Linux box to get infected is by manually hacking into it, a risky procedure. You can't build 50,000 PC bot farms one at a time. That is why the ones that are hacked into, usually because the user runs as root, are used at controllers for the 50,000 owned Windows boxes.

Personally, I've been using Linux for 9 years and I've yet to see an infective Linux virus or a successful hack on my box. No one at the local LUG has heard of any, either. Nor have any of the newbies and former newbies on whose PCs I've installed Linux. It seems to me that if they exist they exist only in the threats of software houses selling anti-virus software for Linux, hoping to use fear to create a Linux market after Microsoft stole their Window market.

GreyGeek
29 November, 2007 20:16

Reply Vote
It is a matter of education

If anyone is surprised by the SANS report - think about the US in the 1980s...when (real, physical) crime had threatened peaceful social existence. Without going into the sociological details - this is a social cycle which is result of the co-existence good and (pardon the word) evil forces under the same governing structure. Today - the internet can be viewed as a parallel social (and economic) structure...and one that is developing in real time, unlike the physical world. How did we get out of the 80s? Through realization, enforcement and education. People today are far wiser than they were back then and know how to mitigate the risk of physical threat. They are trained to do this.

This makes me believe that Internet Security will also be realized (again at a much faster pace) as people are educated. This needs to happen at both enterprise and grassroots levels. People need to be told that internet threats are as dangerous and malicious as physical threats...and that discipline and alertness will go a long way in dissuading cyber-villians.

As long as Internet Security remains the domain of IT folks and Hackers - innocent folks and users will continue to second-guess what the SANS report (or ZD Net blogs) are talking about...and the threat will not abate.

virarfast
30 November, 2007 00:13

Reply Vote
RE: SANS Institute paints gloomy security picture

Sorry, didn't get response..
The computer model is bad!
Now I will let you figure it out since I am tired of typing.
D.

moses_z
1 December, 2007 11:05

Reply Vote
Bugs are to be expected

Since software is made by humans it is not possible to expect that software be bug free, as long as caution is exercised by the end user and good security practices are applied one can have a pretty secure computing experience despite whatever bugs may still remain unpatched.

- John Musbach

John Musbach
5 December, 2007 21:42

Reply Vote