Security Surveys Reveal Scary Stats
In its latest quarterly Web Application Security Trends Report for the first half of 2010, Cenzic reports some frightening statistics on security trends.
Perhaps most troubling for security administrators: 60 percent of Web vulnerabilities the company studied still have no fix available. Also of concern: nearly half (45 percent) of Web vulnerabilities have an exploit code that is publicly available so that hackers can easily use it in attacks of unpatched Web sites. "Making it worse, almost 1000 Web related vulnerabilities that had no known solution had a public exploit available," the report warns.
Nine out of 10 proprietary applications (those developed in-house using internal or outsourced resources) were vulnerable "with at least Information Leaks types of vulnerabilities," and eight in 10 had Authorization and Authentication vulnerabilities. Nearly seven in 10 (68 percent) had Cross Site Scripting and/or Session Management vulnerabilities.
"Some of the interesting attacks during this period included exploitation of a SQL vulnerability to plant malware on over 100,000 pages and a session vulnerability attack leading to exposure of information of over 100,000 iPad users including the White House ..." the report notes. "Among the published Web vulnerabilities in Commercial Off The Shelf (COTS) software, Cross Site Scripting and SQL Injection again topped the list with 28 percent and 20 percent respectively."
The company says that of 4,019 vulnerabilities reported, two-thirds (66 percent) were related to Web applications (down from 82 percent of all vulnerabilities at this time last year).
In terms of browsers, Opera saw an increase in reported vulnerabilities but still has the fewest among browsers. IE and Firefox improved; Cenzic found 40 vulnerabilities in IE compared to 44 in the second half of 2009, and Firefox dropped from 77 to 59 for comparable periods. Safari more than tripled, rising from 25 to 83; Chrome's count also rose, jumping from 25 to 69.
Tough Numbers from Tufin
Tufin Technologies, which bills itself as a "security lifecycle management specialist," today released the results of its yearly Hacking Habits survey that focuses on "how trends in the hacking community impact corporate security teams." It found that nearly three-quarters (73 percent) of security professionals attending July's DEF CON 18 conference "came across a misconfigured network more than three quarters of the time – which, according to 76 percent of the sample, was the easiest IT resource to exploit."
According to a Tufin release, Reuven Harrison, the company's CTO and co-founder, was surprised to find that over half (58 percent) of respondents "also viewed network misconfiguration as being caused by IT staffers not knowing what to look for when assessing the status of their network configurations." Harrison noted that over half of survey respondents work in corporate IT. “The really big question coming out of the survey,” according to Harrison, “is how to manage the risk that organizations run dealing with the complexity that is part and parcel of any medium-to-large sized company’s security operations."
The report found that 18 percent attribute the misconfiguration to "insufficient time or money for audits;" 14 percent lay the blame in part on "compliance audits that don’t always capture security best practices;" and 11 percent say a contributing factor is threat vectors that change faster than they can handle them.
The biggest threats may come from inside. The report found that 43 percent view "planting a rogue member of staff inside a company as one of the most successful hacking methodologies." Harrison says that "This realization is made worse when you consider that 57 percent of the security professionals we surveyed classified themselves as a black or gray hat hacker, and 68 percent ... admitted hacking just for fun."
Finally, 88 percent of respondents think an organization's biggest threat can be found inside the firewall.
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 08/31/2010 at 11:53 AM