[ISN] Cyber attacks shift to network devices, apps

[InfoSec News]

http://www.networkworld.com/news/2005/112205-cyber-attackers.html

By Robert McMillan and Cara Garretson
IDG News Service
11/22/05

After years of writing viruses and worms for operating systems and
software running on Internet servers, hackers found some new areas to
target in 2005, according to a report on security trends published
Tuesday.
 
Over the past year, attackers have switched their focus to network
devices and applications, specifically back-up software and even the
security software designed to protect computers, according to the 2005
SANS Top 20 list of the most critical Internet security
vulnerabilities, says Alan Paller, director of research with the SANS
Institute, a training organization for computer security
professionals.

"There has been a 90-degree turn in the way attackers are coming after
you," Paller says. Most organizations have adopted means to
automatically patch vulnerabilities in operating systems, he says, but
not in applications. "Those applications don't have automated
patching, so we're back to the Stone Age.”"

And by exploiting flaws in networking gear, hackers are finding their
way onto corporate networks.

"Other, more sophisticated attackers, looking for new targets, found
they could use vulnerabilities in network devices to set up listening
posts where they could collect critical information that would get
them into the sites they wanted," he added.

This new focus on client applications and networking products has
happened because so many server-side and operating system bugs have
been fixed, says Gerhard Eschelbeck, CTO and vice president of
engineering with Qualys, and a contributor to this year's list. "A lot
of the low-hanging fruit has been identified now," he says. "We really
reached a tipping point earlier this year, where people started to
look aggressively at client-side applications."

Security researchers also started looking at vulnerabilities in
networking products, thanks in part to a controversial presentation by
security researcher Michael Lynn at this year's Black Hat 2005
conference in Las Vegas. Cisco sued Lynn after he discussed security
problems in the Internetwork Operating System (IOS) software that is
used by Cisco's routers.

This is the first year that networking products have appeared on the
SANS list, with Cisco vulnerabilities taking three of the 20 slots.  
The list also includes nine common application vulnerabilities, two
Unix problems and six Windows issues, all of which "deserve immediate
attention from security professionals," according to SANS.

One way to prevent such security flaws is to demand that vendors
deliver hardened products to begin with, Paller says. For example, the
The U.S. Air Force gave Microsoft a large sum of money to develop a
secure version of Windows that is now running at two sites.

"The Air Force decided it couldn't afford to keep buying broken
software from Microsoft," he says. "We think that action is the herald
of what will one day... turn the tide, with the government leading by
example. It doesn't take much of that to turn vendors into security
vendors."

The SANS Top 20 list, published annually since 2000 (see last year's
list [1]), is compiled by representatives from a variety of computer
security organizations, including the U.S. Computer Emergency Response
Team, the British Government's National Infrastructure Security
Co-Ordination Centre and the SANS Internet Storm Center. The list is
designed to give security professionals a quick sense of the
industry's consensus on which commonly targeted security
vulnerabilities require their most immediate attention. It has
traditionally focused on Windows and Unix vulnerabilities, as well as
problems with some server-side applications.

Robert McMillan is a correspondent with the IDG News Service.

[1] http://www.networkworld.com/news/2004/101804sans.html