SC Magazine has reminded me today of a new report on the top current security risks, jointly published by SANS, TippingPoint, who provided the attack data, and Qualys, who provided vulnerability data. With impressive modesty and finely-tuned understatement, Alan Paller of SANS describes it as the "best risk report ever".

Well, with added analysis and educational material from the Internet Storm Center and various SANS Faculty members, it has to be worth a close look. And, in fact, it makes several points worth noting:

  • According to the report, major organizations are prioritising the take-up of patches for operating system vulnerabilities and taking twice as long to patch client-side vulnerabilities. I can see why system administrators might find it easier to focus on OS patches, and I'm not sure that vulnerabilities in client applications should be considered a higher priority; but they should certainly be considered an equal priority, at the very least. I've pointed out here before that vendors are apt to underestimate the importance of spear phishing, and it's depressing to read that end sites seem to be making the same mistake.
  • It may not come as a surprise to you that "Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet." But if it comes as a surprise to major organizations, as the data seem to indicate, that's certainly a major problem at consumer level.

If you're a sysadmin and these items do come as a surprise to you, I'd suggest you hotsurf it over to the report straightaway. If not, you're still likely to find it interesting and useful.

David Harley
Director of Malware Intelligence