Buggy Web Apps And Carelessness Top 2007 SANS Threat ListBuggy Web Apps And Carelessness Top 2007 SANS Threat List

To defeat advances in systems and network security, cybercriminals and cyberspies have at least two ways to bypass firewalls and other security measures: shoddily coded Web applications and gullible users.

The 2007 SANS Top 20, a list of the year's most significant security risks, cites these two issues as the most pressing problems facing computer security professionals today. The list -- which actually includes only 18 items this year -- is compiled by the SANS Institute in conjunction with 43 security experts from government, industry, and academia.

Alan Paller, research director for the SANS Institute, said that Web application vulnerabilities represent the fastest growing threat category.

"The applications are the things that people write as Web applications, that make their corporations come alive internally or externally," said Paller. "They're all written by people who learned to code without the sense that bad guys might be able to use their code."

According to Rohit Dhamankar, senior manager of security research for Tipping Point, half of the security vulnerabilities reported in 2007 are in Web applications.

But attacks that take advantage of people account for 90% of the damage done to organizations, Paller said. "You fool people into running something on their computer and then they become a backdoor into the system," he explained.

Indeed, spear phishing -- targeting specific individuals with phishing messages tailored to their interests -- has proven to be successful enough that a new sub-variant has emerged. Paller refers to it as "whaling" -- targeting executives or other high-value individuals with a spear phishing message. A phishing message that purports to be from the U.S. Equal Employment Opportunity Commission, one the agency warned about in October, represents one example of "whaling."

More than 90% of the serious breaches in which sensitive information is taken from government agencies involve spear phishing, said Paller. He recounted an incident in which the chief information security officer of a sensitive federal agency discovered that his computer was sending information to China. The official had been the target of spear phishing. "Even the people who are responsible for security aren't secure," said Paller.

Taking up four spots on the list are critical vulnerabilities in client-side software, specifically in Web browsers, Office software, e-mail clients, and media players. "We have seen a huge jump in the vulnerabilities in Microsoft Office products, especially Excel," said Amol Sarwate, manager of vulnerability labs at Qualys, in a media conference call. According to Qualys data, there was a 300% growth in Microsoft Office vulnerabilities from 2006 to 2007, primarily in new Excel vulnerabilities.

While Sarwate conceded that many of these issues affect older versions of Microsoft Office still in use by many companies, like Office 2000, he maintained that Office 2007 has its share of problems. "What we see the most is people have not yet upgraded to 2007," he said. "But we do see vulnerabilities to Office 2007."

Eight of the vulnerabilities in Microsoft Office so far this year were zero-day vulnerabilities, meaning that information about the vulnerabilities became publicly known before a fix was available.

Microsoft recently released documentation that explains how to configure Microsoft Office more securely.

Other applications cited for security issues include Microsoft Internet Explorer, Microsoft Outlook, Mozilla Firefox, Apple Mail, Thunderbird, Windows Media Player, RealPlayer, Apple QuickTime, Adobe Flash Player, and Apple iTunes.

The next seven slots on the SANS list go to various forms of server-side software. This category includes Web applications such as content management systems, wikis, portals, bulletin boards, and discussion forums.

"Every week hundreds of vulnerabilities are reported in commercially available and open source Web applications, and are actively exploited," SANS warns. "Please note that the custom-built Web applications are also attacked and exploited, even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE, or BugTraq. The number of attempted attacks for some of the large Web hosting farms range from hundreds of thousands to even millions every day."

The category also includes Windows services, Unix, and Mac OS X services, backup software, antivirus software, management servers, and database software.

Under the heading of security policy and personnel, count excessive user rights/unauthorized devices, and unencrypted laptops/removable media as two trouble spots (in addition to gullible users). Under the heading of application abuse, instant messaging and peer-to-peer file sharing applications each get a nod. And rounding out the list are flaws in VoIP servers and zero-day attacks.

"The bad guys have perfected their business model," said Ed Skoudis, founder of Intelguardians Network Intelligence and a SANS course director on hacking. "They're making money from their malware code, which gives them an incentive to innovate."