Spear phishing now greatest threat to companies

Targeted email attacks that exploit vulnerabilities in commonly used client-side applications are now the number-one means of infecting computers.

This was one of the key findings of the Top Cyber Security Risks report produced by the Sans Institute and security software vendors Qualys and TippingPoint, after analysing data from appliances and applications in thousands of targeted organisations.

The study indicated that so-called 'spear phishing' enables attackers to infect common but often unpatched programs on users' machines such as Microsoft's Office and Adobe's PDF Reader, QuickTime and Adobe Flash.

The infected PCs then propagate the infection and compromise other unpatched computers and servers on corporate networks, enabling malicious individuals to steal data and install back doors through which they can subsequently return.

Despite these high risks, the report said that large organisations take on average twice as long to patch vulnerabilities in client-side packages as they do those found in operating systems. This means that most enterprises are focusing too much of their attention on relatively low risk areas rather than on those of the highest priority.

Other than Conficker/Downadup, no major new operating system worms were seen in the wild over the past six months, the study pointed out. But the number of attacks against the buffer overflow vulnerabilities in Windows, which were described in the vendor's Security Bulletin MS08-067, tripled from May-June to July-August, accounting for a huge 90 per cent of all recorded attacks in this area.

A second priority for web site owners, according to the report, is to scan effectively for common flaws in web applications in order to avoid becoming an unwitting means of infecting visitors.

Some 60 per cent of all online attacks now take the form of assaults on web applications, with the aim of turning trusted web sites into malicious ones that serve content containing client-side exploits. More than 80 per cent of problems in this context occur as a result of SQL injections, cross-site scripting flaws in open source software and mistakes made in custom-build applications.

"For organisations, understanding these attacks and how they exploit vulnerabilities inherent in the network is a critical first step in building an effective security strategy," said Rohit Dhamankar, director of TippingPoint's DVLabs security research team.

As a result, the report has also laid out Twenty Critical Controls for Effective Cyber Defense based on best practice advice from security researchers. The controls are mapped to the specific vulnerabilities discussed.

Over the past three years, however, there has been a significant increase in the number of people discovering zero-day vulnerabilities, the study indicated. This increase means that some vulnerabilities have remained unpatched for as long as two years, not least because there is a shortage of skilled researchers available to work for government agencies and software vendors.

But a large drop in the number of 'PHP File Include' attacks would appear to reflect improvements in the processes used by application developers, system administrators and other security professionals, the report added.