This will come as no big surprise to most of us, but the threat model for cybersecurity has shifted considerably in the past couple of years. Believe it or not, operating system security has gotten better. The number of vulnerabilities is down, and more people are getting automatic updates and keeping their operating systems patched. This is the good news. By far the most common threats exploiting Windows vulnerabilities are variants of the Conficker / Downadup virus, which exploits a hole patched almost a year ago. Unfortunately, there are still lots of unpatched systems left to infect. Amazingly, Sasser and Blaster, those worms of old from 2003 and 2004, are still infecting unpatched systems!
Now for the bad news – the attacks have shifted to applications and web vulnerabilities. Applications that are exposed to the web, such as browser plugins like Flash, and applications that open files commonly downloaded from the web, such as QuickTime and Acrobat Reader, have been a common source of infection. Most users and organizations are less likely to keep these applications up to date because they do not understand the risks.
Worse yet – websites are positively under siege. Password guessing attacks have become more prevalent, as have web application attacks, such as SQL injection attacks, PHP include attacks, and cross-site scripting attacks. Recently, many users with unpatched browsers were infected by simply visiting major commercial websites that were displaying malicious banner ads.
The final, and most disturbing, piece of bad news – social engineering, phishing, and spear phishing attacks are on the rise and have become even more sophisticated.
What do we do to help protect ourselves and our clients? First, check for unpatched applications in addition to checking for OS patches. We have discussed Secunia PSI in past Security Corner articles, but I want to do another article on it soon – it is a great tool for finding unpatched applications running on systems. Second, educate, educate, and then educate some more. Remind clients at every opportunity that the weakest link is always the users. We don't want to be fear mongers or make people paranoid, but everyone must be aware and vigilant. Finally, web-facing services MUST use strong passwords – this is the best defense against brute-force password guessing attacks.
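Strong passwords blunt password guessing, but you also want to notice when a web-facing service is being hammered. The script below is an added example, not code from this column or from Nerds On Site: it parses a handful of constructed OpenSSH-style auth log lines (the hostnames, addresses and usernames are made up) and flags any source address that produces a burst of failed logins, trying several usernames, inside a short window. The threshold of five failures per sixty seconds is an assumption you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log (not real traffic).
# 203.0.113.7 tries six accounts in eight seconds; 198.51.100.20 is a user who
# mistyped once and then logged in normally.
SAMPLE_LOG = """\
Oct  3 10:01:02 web1 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  3 10:01:04 web1 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Oct  3 10:01:05 web1 sshd[4102]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct  3 10:01:07 web1 sshd[4102]: Failed password for invalid user oracle from 203.0.113.7 port 51242 ssh2
Oct  3 10:01:09 web1 sshd[4102]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Oct  3 10:01:10 web1 sshd[4102]: Failed password for invalid user guest from 203.0.113.7 port 51246 ssh2
Oct  3 10:05:30 web1 sshd[4110]: Failed password for dennis from 198.51.100.20 port 40001 ssh2
Oct  3 10:05:41 web1 sshd[4111]: Accepted password for dennis from 198.51.100.20 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Failed/Accepted password for X from IP" forms of the sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2009):
    """Parse one auth log line into a dict, or return None for lines we ignore.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2009)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Oct  3")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"peak_failures": n, "usernames": [...]}} for every source
    that racks up at least `threshold` failed logins inside any sliding window
    of `window_seconds`. Accepted logins are not counted."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end, (ts, _user) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_failures": peak,
                "usernames": sorted({u for _, u in events}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_failures']} failures in a window, "
              f"usernames tried: {', '.join(info['usernames'])}")
```

Run against the constructed log it reports only 203.0.113.7, with six failures and five distinct usernames; the single mistyped password from 198.51.100.20 stays below the threshold. The distinct-username list is worth keeping in the alert, because one account failing repeatedly and many accounts failing from one address usually call for different responses (a locked-out user versus a source to block at the gateway).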
Over the next couple of months, the Nerds On Site Security Team will be rolling out a number of services and tools to help you in this battle, including external and internal vulnerability scanning, regular port scanning for routers and gateways, intrusion detection and prevention, security policy creation and review, endpoint security, full-scale penetration testing, and user-awareness training.
If you have an interest in the changing security landscape, take a few minutes to look over the latest report from SANS; it covers the period from September 2008 to August 2009.
Dennis H in West Virginia, US
October 3, 2009
5 years ago I told nerds that we needed to brace for 6 months of a cyber crime spree and protect clients that choose to be protected. Little did I know that 5 years later, we...