Cyber-criminals are still looking for networks to infiltrate and information to take, but according to new research, Web applications are increasingly being targeted.
That is one prominent finding contained in research produced recently by HP TippingPoint DVLabs, the SANS Institute and Qualys Research Labs on threats that occurred across the Internet from January to June 2010.
The 2010 Top Cyber Security Risks Report, focused on four areas. One is that Web applications are prolonged and persistent targets in enterprises, not only because they can be corrupted, but also because people are downloading corrupted Web apps at extremely high rates while at work. And if the applications are legitimate, users aren’t necessarily updating them or taking note of vulnerabilities that can be exploited.
“The top problem is third-party applications on the desktop not getting updated,” said Wolfgang Kandek, chief technical officer and vice president of engineering at Qualys.
Another area is consumerization of enterprise computing — the ways in which employees use social networking applications or iTunes — and how they open the door to new security risks.
Companies could eliminate this problem by banning all such technologies at work, but Kandek doesn’t see that happening. Twitter, Facebook and similar tools provide popular marketing and branding opportunities that modern companies simply can’t do without.
“I don’t think it’s a viable way of doing things. We have a couple of customers that try to do this, and I believe you will be noncompetitive in a work environment if you are going down that route,” he said. “It’s going against what the general tendency is when you want to incentivize your employees to look around, to be embedded in that social space — see how the company is talked about.”
The two other areas of the research’s focus are the increased organization and sophistication of cyber-criminals and the continued danger from existing threats.
Web application attacks appear to outpace all other types of attack vectors. The first half of the year saw 4,091 Web application vulnerabilities during January to June, as reported to the Open Source Vulnerability Database. There were roughly 5,000 reported in the same period in 2005, so it appears that Web application vulnerabilities could be on the decline. But Kandek said he wouldn’t be surprised if this year’s vulnerability report numbers skyrocket to more than 8,000 before the end of 2010.
“It’s now on the applications. We’ve done a good job in securing the basic operating system that has become more secure and mobile almost all of the time, and it’s doing OK. We’ve seen the number of vulnerabilities in operating systems go down and attacks also go down, but they’ve moved into the application, so the next focus has to be on the application,” Kandek said.