Just when patching showed progress against the worst security threats, cybercriminals shift their focus.
Cybercriminals have had it with the limelight. With the law onto them, they've mostly abandoned self-aggrandizing vandalism to concentrate on more clandestine concerns: making money off someone else's data. And to do that, they're now attacking applications rather than operating systems.
A report on the 20 most-critical Internet security vulnerabilities for 2005, released last week by the SANS Institute in conjunction with government representatives from the United States and the United Kingdom, shows an unsettling shift. While most hacking between 1999 and 2004 targeted operating systems and Internet services on Web servers and E-mail servers, that changed this past year. Now, applications and network devices' operating systems have become the primary targets.
For businesses, solving that problem is much tougher than just keeping up to date on Microsoft patches. Many of the new targets don't have systems for automated patches, and companies may not have the same processes and relationships with vendors to fix problems swiftly. And since the goal of these attacks isn't to spread mass infection like an "I Love You" worm, and instead is to steal information and money, they can go unnoticed.
"Security has been set back nearly six years in the past 18 months," says Alan Paller, director of research for the SANS Institute, via E-mail. SANS, a nonprofit research and training organization, has been compiling a top 20 list since 2000.
The applications under fire span the range of software programs a business might use and run on a variety of operating systems. They include enterprise backup software, the PHP scripting language, databases, peer-to-peer file sharing, Domain Name System server software, media players, instant-messaging applications, and Internet browsers. Even antivirus software makes the list, with vulnerabilities in security software from CA, ClamAV, F-Secure, McAfee, Sophos, Symantec, and Trend Micro, among others, raising the possibility of attackers taking over users' systems by using the software that's intended to protect them.
The second major finding of the report is that vulnerabilities in network operating systems, including Cisco's Internetwork Operating System, which SANS says runs some 85% of the routers and switches on the Internet backbone, represent a significant threat. Cisco acknowledged weaknesses in its operating system earlier this year, when it issued a security advisory for a serious IOS "heap-overflow" vulnerability that could let hackers get control of routers and switches running certain versions of the software. Cisco responded quickly, and no such attack has been reported. But even the possibility of such a network hijacking was an eye-opener for network administrators.
Microsoft deserves some credit for the shift, since one reason crooks are moving on to other applications is that Windows has become less vulnerable (though it remains on SAN's top 20 list). Microsoft admitted it had a major security problem and set out to improve its code. That has led to fewer automated worm attacks, for example, because they aren't as effective, thanks to changes in Windows XP SP2, Windows Server 2003, Office 2003, and Outlook. "It's far more difficult for hackers to try to embed malicious images or to try to conduct malicious attacks through E-mail," says Stephen Toulouse, security program manager at Microsoft's Security Response Center.
Those who manage computers get some credit, too, for being more diligent about patching. But with applications and other types of software becoming prime targets, it raises questions about the readiness of vendors and users alike. "Certainly application patching is much more painful than it needs to be," says Don Westlight, network engineering manager at Oregon Health & Science University. Patching Microsoft products and the "generic desktop" has gotten easier, thanks to better patch-management tools, Westlight says. Other systems, many of which hold the most-critical data, are another story. "Legacy software is a much bigger problem, and it's much weaker," Westlight says. And not all patching is effective. Java patches, he says, can cause unexpected behavior in applications if they depend on specific versions of Java.
Data Backup Risks
One of the SANS report's most-worrisome findings for business managers is the vulnerability of data-backup software, because such software, if it can be breached, provides something akin to one-stop shopping for critical corporate data. "An attacker can leverage these flaws for an enterprisewide compromise and obtain access to the sensitive backed-up data," the report concludes, noting that exploits for many of the vulnerabilities have spread via Internet postings and are in use.
Software vendors say they're addressing these risks. Symantec, which sells its Veritas data-backup software as well as antivirus and other security software, issued a written statement explaining its security processes. They include pushing some patches automatically to customers and sending E-mail security alerts. CA also responded with a written statement: "CA tests its software for security flaws before release and vigilantly tracks activity in the field in order to respond to the first sign that a vulnerability has been discovered."
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.