
The Channel Web (crn.com) has listed the top 5 cybersecurity risks according to TippingPoint:

“With the number of cybersecurity attacks increasing in both frequency and sophistication, many organizations are having difficulty prioritizing which threats are most dire. A report out today by network security provider TippingPoint outlines the biggest challenges facing companies trying to secure data and systems. (Qualys, the Internet Storm Center and the SANS Institute contributed to the research.)”

Not to my surprise, number one in that list is unpatched client-side 3rd party software. They are specifically pointing to Adobe Reader, QuickTime, Adobe Flash and Microsoft Office, which have been proven vulnerable and exploited in great numbers over the last year.

Patching policies and processes for these applications are often lacking or in some cases absent, even in larger companies. Many senior-level IT directors have yet to realize how serious this situation is, and every time I have a seminar that touches on this subject I get a lot of questions on it afterwards.

There are tools to automate this kind of patching, but if upper management do not understand the implications they will not provide the funding to remedy the situation.

Second on the list is using Microsoft Windows. This risk is motivated by the current situation with the Conficker worm, but they also make connections back to the older network worms Blaster and Sasser and their remaining presence. Nothing new under the sun with this… it’s a known risk. Again, patching seems to be the focus issue, and organizations need to take it seriously.

Next item, number three, is the need to patch QuickTime vulnerabilities (CVE-2009-0007, CVE-2009-0003 and CVE-2009-0957 are highlighted) as they are being exploited in a very active manner. Concern is also expressed over the fact that the same codebases are being used on multiple operating systems, thus increasing the attack surface available to the “bad guys”. This also connects back to number one: patch your 3rd party apps that can be remotely accessed.

Number 4 focuses on the fact that web applications are one of the top targets for cybercriminals today. Why? Probably because if you hack one web application, you can use it to exploit & infect all users of that system who are carrying outdated 3rd party applications. Web applications are also the top-ranking category when it comes to the number of disclosed vulnerabilities over the last couple of years.

I’d hate to offend someone ;) but it seems that most code written for the web is made only with one focus, to provide a feature. The security aspect seems to be forgotten or just not prioritized.

And the last one, number five, mentions the rise in zero-day vulnerabilities. That is, vulnerabilities that the bad guys find first and use to exploit systems before there is a patch available. I have not seen many of these floating around but I know that the response time for these has not been good for any affected vendor. It might be a good thing to keep an eye out for and a motivation to enforce stricter content filtering at the perimeter (not that it would do you any good with mobile clients).

To summarize: 60% of their points clearly show that even though patching has been the number one security problem to solve since Code Red, not many can handle it. Client-side vulnerabilities are the main focus, either directly or indirectly, as that’s where the good stuff is. Personal and financial data is the primary motivator for malware authors today and web-based vulnerabilities are the key.

If you do not have a process for ensuring your network-wide patch status, it’s time to get one. The tools are there.

If you are lacking funds, have a look at:

* OpenAudit – Great GPL’d software that enables you to do inventory of hardware and software (including versions installed).
* MBSA and WSUS – For regular MS Windows scanning and patching.

Cheers,
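
As an added illustration of the patch-status process recommended above (not code from the original post or from OpenAudit): a small Python check that flags outdated third-party client software in a software inventory export. The CSV layout, host names and minimum-version baseline are constructed placeholders, not real vendor patch levels or any tool's actual export format.

```python
import csv
import io
from collections import defaultdict

# Constructed baseline: placeholder minimums, NOT real vendor patch levels.
BASELINE = {"Adobe Reader": "9.1.3", "QuickTime": "7.6.2", "Adobe Flash Player": "10.0.32"}

# Constructed inventory export; the column layout is an assumption.
SAMPLE_INVENTORY = """host,product,version
ws-001,Adobe Reader,9.1.3
ws-001,QuickTime,7.6
ws-002,Adobe Reader,9.1.10
ws-002,Adobe Flash Player,10.0.4
ws-003,QuickTime,7.10.0
ws-003,Adobe Reader,unknown
"""

def parse_version(text):
    """Turn '9.1.10' into (9, 1, 10); return None if any part is not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def is_outdated(installed, minimum):
    """Numeric comparison with zero padding, so '7.6' is treated as '7.6.0'."""
    width = max(len(installed), len(minimum))
    a = installed + (0,) * (width - len(installed))
    b = minimum + (0,) * (width - len(minimum))
    return a < b

def audit(inventory_csv, baseline=BASELINE):
    """Return {host: [(product, version, reason), ...]} for every finding."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        minimum = baseline.get(row["product"])
        if minimum is None:
            continue  # product is not tracked by the baseline
        installed = parse_version(row["version"])
        if installed is None:
            # An unreadable version is a finding, never a silent pass.
            findings[row["host"]].append((row["product"], row["version"], "unverifiable"))
        elif is_outdated(installed, parse_version(minimum)):
            findings[row["host"]].append((row["product"], row["version"], "below " + minimum))
    return dict(findings)

if __name__ == "__main__":
    for host, items in sorted(audit(SAMPLE_INVENTORY).items()):
        for product, version, reason in items:
            print(f"{host}: {product} {version} ({reason})")
```

A plain string comparison would get two of these rows wrong: it would flag 9.1.10 as older than 9.1.3 and pass 10.0.4 as newer than 10.0.32, which is why the versions are compared as integer tuples.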
