Five Top Cybersecurity Risks
1. Client-side software remains unpatched in general
According to the report, major organizations on average take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. However, malicious attacks most often exploit client-side vulnerabilities in commonly used programs, including Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office, through targeted e-mail attacks, referred to as spear phishing. The highest-priority risk is therefore getting less attention than the lower-priority risk.
2. Watch out for Windows
The report stated that attacks on Microsoft Windows were largely carried out by Conficker/Downadup worm variants. For the past six months, more than 90 percent of the attacks recorded against Microsoft products targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067. In addition, Sasser and Blaster continue to infect many networks, but to a far lesser degree.
3. Patch QuickTime security holes
QuickTime vulnerabilities account for most of the attacks being launched against Apple software; the application runs on both Apple's Mac and Windows operating systems. The report recommended that the following vulnerabilities be patched on any QuickTime installation: CVE-2009-0007, CVE-2009-0003 and CVE-2009-0957.
4. Internet-facing Web sites are vulnerable
More than 60 percent of the total attack attempts on the Internet are against Web applications. Vulnerabilities in those applications successfully convert trusted Web sites into ones that serve malicious content containing client-side exploits. According to the report, Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open-source as well as custom-built applications account for more than 80 percent of the vulnerabilities. The report recommends that Web sites scan effectively for the common flaws to avoid becoming tools used by criminals to infect visitors' computers. Another popular avenue for exploiting and compromising Web servers is brute-force password guessing attacks.
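The brute-force password guessing mentioned above is one of the easier Web-server attacks to spot in access logs. The following added example (not from the report or the article) flags source addresses with a burst of failed POSTs to a login endpoint inside a sliding time window; the log lines, the `/login` path and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2009:14:01:02 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Sep/2009:14:01:03 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Sep/2009:14:01:05 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Sep/2009:14:01:06 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Sep/2009:14:01:08 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [10/Sep/2009:14:01:09 +0000] "POST /login HTTP/1.1" 200 2048
10.0.0.9 - - [10/Sep/2009:14:00:10 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Sep/2009:14:02:40 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Sep/2009:14:05:15 +0000] "GET /index.html HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into (ip, ts, method, path, status); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_bruteforce(log_text, login_path="/login", threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_failures} for sources with >= threshold failed logins in any window.
    Lines are assumed to be in roughly chronological order per source address."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures (sliding window)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Only failed authentication attempts count: 401/403 on the login endpoint.
        if not (method == "POST" and path == login_path and status in (401, 403)):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within one minute")
```

The host 10.0.0.5 is flagged (five failures in six seconds followed by a success, the classic signature of a guessed password), while 10.0.0.9's two failures minutes apart are not.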
5. Rising number of zero-day vulnerabilities
There has been an uptick in zero-day vulnerabilities, some of which have remained unpatched for as long as two years. In addition, the number of highly skilled vulnerability researchers working for governments and software vendors is not large enough to meet demand, so defenders are at a significant disadvantage in protecting their systems against zero-day attacks.