by Ellen Messmer
Corporations appear to be much slower in patching their applications than their operating systems -- even though attackers are mainly targeting vulnerabilities in applications, according to a new report.
"Now we know which vulnerabilities are being patched and which are not," says Alan Paller, director of research at the SANS Institute.
The report, "The Top Cyber Security Risks," is based on data collected between March and August and was a collaborative effort by SANS, TippingPoint and Qualys. The group analyzed six months of data related to online attacks, collected from 6,000 organizations using the TippingPoint intrusion-prevention system, along with data related to more than 100 million vulnerability scans performed on behalf of 9,000 customers of the Qualys vulnerability assessment service.
The report shows that 80% of Microsoft operating system vulnerabilities are being patched within 60 days, but only 40% of applications, including Office and Adobe. Meanwhile, the majority of online attacks are aimed at applications, particularly client-side applications, making this the No. 1 priority named in the report.
During the six-month timeframe, more than 60% of all attack attempts monitored by TippingPoint were against Web applications in order to convert trusted Web sites into malicious sites serving up malware and attack code to vulnerable client-side applications. The main attack methods used against Web sites were SQL injection and cross-site scripting. ....
Wednesday, September 16, 2009
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment