SANS Institute warning
Enterprises are looking at the wrong sort of security threats and are leaving their organisations wide open to Web and client-side attacks, according to a new security report. The SANS Institute said that most organisations are focusing their patching efforts and vulnerability scanning on the operating system.
However, it points out that 60 percent of all attacks observed were against Web applications, and many attacks are aimed at third-party applications such as Microsoft Office and Adobe Flash, according to actual attack data gathered for the report. To make matters worse, enterprises are taking twice as long to patch their applications as to patch their OSes, the report says.
The SANS report is a compilation of data and analysis from multiple sources, including the SANS Internet Storm Center. It includes attack data from 6,000 organisations running TippingPoint IPS systems and vulnerability data from 9 million systems. Despite their prominence in that attack data, corporates still seem to ignore SQL injection and cross-site scripting (XSS).
Enterprises are patching OS vulnerabilities twice as
quickly as they are patching vulnerabilities in Office and other applications,
according to the report. SANS says that organisations need to reprioritise their
patching and scanning efforts.