SANS Top 20 Internet Security Vulnerabilities

NetworkWorld has an article describing the SANS Institute's update to its Top 20 Internet Security Vulnerabilities. This report is typically updated every season, and this is the 2006 Spring Update for the Top 20. Here are the new findings:

  • Rapid growth in critical vulnerabilities being discovered in Mac OS X, including a zero-day vulnerability. This definitely shakes Mac OS X's reputation as a bulletproof operating system, albeit it is still more secure than most. This is just a sign that the OS is maturing. Maybe anti-malware vendors should start releasing products for this system.
  • Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software, including the WMF vulnerability and Internet Explorer flaws. MS seems to be doing a good job of securing its Windows Services. This is also primarily because Windows now comes with a host-based firewall (enabled by default) that protects these services. Most of these services (RPC services, File and Printer Sharing on DSL networks) have no business being accessible from the outside world anyway.
  • Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer. IE continues to be insecure. What is new? Is it because it is insecure from the beginning? Or is it because of all the features and usability enhancements that are exploitable?
  • Rapid growth in critical Firefox and Mozilla vulnerabilities. This growth in the number of vulnerabilities is important, as it could also imply increased acceptance by the market. Despite the increase in Firefox/Mozilla vulnerabilities, the Mozilla Foundation and its contributors are doing a good job of releasing updates and keeping their products as secure as possible.
  • Surge in commodity zero-day attacks used to infiltrate systems for profit motives. Although mostly used to push adware (and other malware), it is not hard to imagine that these vulnerabilities are also being used for information theft and espionage.
  • Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses, and backup data. I still wonder why this is high. Databases have no business being publicly accessible through their native socket interfaces. If this data needs to be made public, a user interface or web service should be provided. If using direct socket interfaces is unavoidable, then network-layer precautions should be taken.
  • A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and more. This is primarily because of the additional "smarts" placed into these file formats. The moment intelligence is placed into a file, there will always be room for vulnerabilities. This is another classic convenience versus protection case.
  • A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites. Phishing is a particularly hard problem, as it uses social engineering (and not actual exploits) to perform information theft. The anti-malware makers will have a difficult time detecting these phishing attacks. This is now particularly true because phishers are getting smarter (and smarter) and using technologies like VoIP to improve their scams.
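The database point above (native socket interfaces reachable from the network) is easy to check for on a host. The following is an added example, not code from the original post or from SANS: it parses constructed `netstat -tln`-style output and flags listeners on well-known database ports that are bound to anything other than a loopback address. The port table is an assumption; sites running engines on other ports should extend it.

```python
"""Flag database services listening on non-loopback interfaces."""
import ipaddress

# Well-known default ports of common database engines (assumption:
# a site may run them elsewhere; extend the table as needed).
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 1521: "Oracle"}


def _split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, or IPv6 with/without brackets) into (addr, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):          # netstat prints '*' for "any address"
        host = "0.0.0.0"
    return host, int(port)


def is_exposed(address):
    """True if a bind address is reachable from other hosts."""
    if address in ("0.0.0.0", "::"):
        return True
    return not ipaddress.ip_address(address).is_loopback


def find_exposed_db_listeners(lines):
    """Return [(engine, address, port)] for DB listeners bound off-loopback."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6"):
            continue               # header line or non-TCP socket
        address, port = _split_endpoint(fields[3])
        engine = DB_PORTS.get(port)
        if engine and is_exposed(address):
            findings.append((engine, address, port))
    return findings


# Constructed sample in `netstat -tln` layout (not a real host's output).
SAMPLE = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1433           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
""".splitlines()

if __name__ == "__main__":
    for engine, addr, port in find_exposed_db_listeners(SAMPLE):
        print(f"{engine} reachable on {addr}:{port}: restrict at the network layer")
```

On a live host, feed it the real `netstat -tln` or `ss -ltn` output instead of `SAMPLE`; the PostgreSQL instance bound to 127.0.0.1 in the sample is the configuration the post argues for.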

The main trend is the increase in zero-day vulnerabilities found in many systems. A cause for concern is the use of these zero-day vulnerabilities in exploit kits for profit. The report also shows that phishing is becoming increasingly prevalent, indicating that information security practitioners now have to take a better look at information security's social side (policies, procedures, education) apart from just the technology side. It is pretty clear that preventive measures alone are not enough to secure modern information systems. User education and awareness programs must definitely be beefed up.