Symantec Report Highlights Web Security Struggle

To reverse the rise of Web-application vulnerabilities, enterprises must patch more than just their operating systems.

Best practices have improved the stability and security of servers and networks, but according to the latest Internet Security Threat Report, enterprises still wrestle with a growing number of attacks on Web services and Web applications. The Symantec report shows that Web application vulnerabilities are on the rise, and if enterprises are to reverse the trend, they need to patch more than just their operating systems.

“The Web application is the easiest and most exploitable vulnerability out there,” says Kelly Martin, group product manager with Symantec Security Response.

The six-month report, which covers January 1 through June 30, 2006, shows that Web applications account for 70 percent of all vulnerabilities. The vendor-neutral study collected data from more than 40,000 sensors in 180 countries. The report cites 2,249 new vulnerabilities, up 18 percent from the previous reporting cycle. More importantly, the report describes how attackers' tactics keep changing.

“One of the biggest things to note is hackers used to really focus on the perimeter,” Martin says. “But now these hackers are targeting the end client and remote user. That end user is the weakest link.”

Because Web applications have a faster release cycle than server or desktop applications, they are more susceptible to attack. Historically, enterprises have not subjected Web applications to the same level of security scrutiny as other applications. This, Symantec warns, needs to change. Attacks can result in disrupted connectivity, reputation damage, revenue loss, and extortion. The report also says attackers are homing in on end users and financial institutions because their attacks are motivated strictly by monetary gain, often through identity theft or fraud.

According to a Symantec statement, “Attacks often seek to disclose information that has some value to the attacker, such as personal information that can be used for the purpose of identity theft or fraud. In the enterprise environment, such targeted threats could be used to gain unauthorized access to privileged, proprietary information, thereby threatening the intellectual property of the organization.”

What to Patch

Martin says enterprises need to patch more than their operating systems: all enterprise software should be kept patched. They should also run current firewalls along with malware and spyware protection. Enterprises need Web browser protection as well, since the report shows that every browser remains vulnerable.

While Mozilla had the most vulnerabilities, according to the report, Internet Explorer remains the most attacked browser, accounting for 47 percent of all browser attacks, and vulnerabilities are on the rise in Apple’s Safari, too. Martin says no Web browser is safe in today’s security climate.

“It’s also important for the enterprise to educate the end user,” Martin says, citing an alarming rise in phishing attacks.

The Symantec study shows that phishing increased 81 percent over the last six months. Worms and mass e-mails are the most common form of malicious code—code that Martin says is growing more sophisticated, more “silent,” more “stealth,” and is able to penetrate encrypted technologies. Viruses are more diverse in 2006, a year that has seen the rise of polymorphic viruses, which alter their own patterns to evade detection.

One other observation enterprises may find salient is that the last six months saw a reduction in the “window of exposure,” the period between the public announcement of a new vulnerability and the vendor’s release of a patch. That window has shortened to 28 days, down from 50 days in the previous reporting period. Martin warns that this is no silver lining for enterprises, as zero-day exploits are becoming more commonplace, and attackers are now exploiting vulnerabilities “on the fly,” before any patch exists.