SANS: Top Security Risks

The SANS (System Administration, Networking and Security) Institute has published its Top Cyber Security Risks report, which helps major organizations ensure that their security systems are up-to-date and can respond to the latest attacks, threats and vulnerabilities. The SANS report was based on attack data from appliances and software in 6,000 organizations, collected from March 2009 to August 2009.

Priority Risks

The SANS report identifies two priority risks which, it argues, are commonly ignored by organizations.

The two priorities are:

1. Client-side software that remains unpatched

According to the report, there are waves of spear-phishing attacks that exploit client-side vulnerabilities in some of the most commonly used programs (e.g. QuickTime, Adobe Flash, Adobe PDF Reader and Microsoft Office). The same vulnerabilities are also exploited when users visit infected websites. The attackers’ objective is to steal data from the organizations and install back doors for further exploitation. According to SANS, large organizations are taking twice as long to patch client-side vulnerabilities as they are to patch operating system vulnerabilities, which are considered lower priority risks.

2. Internet-facing websites that are vulnerable

The study found that over 60% of total attack attempts were directed at web applications. Attackers exploit such vulnerabilities in order to convert trusted websites into malicious ones. Examples of web application vulnerabilities include SQL injection and cross-site scripting flaws; these two vulnerability classes alone account for 80% of discovered vulnerabilities. The majority of website owners do not effectively identify these common flaws, enabling criminals to infect site visitors.
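To make the two flaw classes named above concrete, here is an added example (not code from the article or from the SANS report) that shows a SQL lookup and an HTML greeting in their vulnerable form next to the hardened form. It uses Python's standard sqlite3 and html modules only; the users table, its rows and the function names are constructed for the example.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with a small users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # SQL injection: the untrusted value is spliced into the SQL text, so any
    # quote characters it contains become part of the query's grammar.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the value is bound as a parameter; the driver never parses it as SQL,
    # so a quote in the input is just data to compare against.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # Reflected cross-site scripting: user input is placed into markup unescaped,
    # so tags in the input are rendered (and executed) by the visitor's browser.
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    # Hardened: escape the HTML-significant characters (& < > " ') before
    # interpolation so the input is displayed as text, never parsed as markup.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"   # constructed input that closes the quoted literal
    print("vulnerable  :", lookup_vulnerable(db, crafted))     # every row leaks
    print("parameterized:", lookup_parameterized(db, crafted))  # no such user
    print(render_greeting_vulnerable("<b>name</b>"))
    print(render_greeting_escaped("<b>name</b>"))
```

The test to apply in a real code base is the one these two pairs illustrate: any place where request data is concatenated into a query string or into HTML output is a finding, regardless of what filtering sits in front of it.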

Identified Trends

The SANS report identified a number of current trends, which are introduced below:

- Fewer internet worm attacks – According to the report, the number of remotely-exploitable vulnerabilities detected in operating systems seems to be decreasing. Other than Conficker/Downadup, researchers did not detect new major operating system worms during the reporting period.

- Increasing zero-day vulnerabilities – There has been a notable increase in zero-day vulnerabilities worldwide. A number of independent teams have discovered the same vulnerabilities at different times. Some vulnerabilities have even been left unpatched for up to two years. The study attributes this troubling increase to the shortage of skilled vulnerability researchers working in government and for software vendors.

- Application vulnerabilities outpacing operating system vulnerabilities – In recent years, more application vulnerabilities have been discovered than operating system vulnerabilities. The study attributes this shift to factors including the prevalence of exploitation and the inability to create effective patches. According to the study, the fewest vulnerabilities are found at the network level and the most at the application level.

- Two types of web server attacks – The SANS study found that there were two main avenues for exploiting and compromising web servers: web application attacks and brute force password guessing attacks. Popular targets for brute force attacks are Microsoft SQL, FTP and SSH servers. Website compromises were carried out through SQL injection, cross-site scripting and PHP file include attacks.
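The brute force avenue named in the last trend is the one a defender can spot from authentication logs alone. The following is an added example (not from the article or the SANS report) that parses OpenSSH failed-password lines in syslog format and flags a source address once it exceeds a threshold of failures inside a sliding time window. The log lines are constructed sample data, the threshold and window are assumed tunables, and the year is supplied because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format; addresses are from
# documentation ranges and none of this is real traffic.
SAMPLE_LOG = """\
Sep 14 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51012 ssh2
Sep 14 10:00:03 web1 sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 51014 ssh2
Sep 14 10:00:04 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 51016 ssh2
Sep 14 10:00:06 web1 sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 51018 ssh2
Sep 14 10:00:08 web1 sshd[2109]: Failed password for invalid user guest from 198.51.100.7 port 51020 ssh2
Sep 14 10:00:09 web1 sshd[2111]: Accepted publickey for deploy from 203.0.113.5 port 40222 ssh2
Sep 14 10:02:30 web1 sshd[2120]: Failed password for alice from 203.0.113.9 port 40300 ssh2
Sep 14 10:15:00 web1 sshd[2140]: Failed password for alice from 203.0.113.9 port 40310 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text: str, year: int = 2009) -> list:
    """Return a list of (timestamp, source_ip, username) for each failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def detect_bruteforce(failures: list, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag sources with >= threshold failures inside any window of window_seconds.

    Returns {source_ip: (failures_in_window_at_alert, distinct_usernames_tried)}.
    Each source is reported once, at the first moment it crosses the threshold.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    users = defaultdict(set)      # per-source usernames seen so far
    alerts = {}
    for ts, ip, user in sorted(failures):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), len(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (count, distinct) in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"brute force suspected from {ip}: {count} failures, {distinct} usernames tried")
```

In the sample, the two failures for "alice" from 203.0.113.9 are twelve minutes apart and stay below the threshold, while the burst from 198.51.100.7 crosses it on its fifth attempt. The distinct-username count is the useful second signal: a real user mistyping a password tries one account, whereas a guessing tool walks a list.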

Best Practices for Mitigation & Control

Based on an analysis of current cyber-attacks, SANS has put together a list of controls that should be implemented to help defend against them. The attacks and their associated controls are outlined below:

- Attack: Remote exploitation of vulnerabilities in user applications

  • Control 2 – inventory of software
  • Control 3 – secure configurations
  • Control 5 – boundary defenses (moderate impact)
  • Control 10 – vulnerability assessment and remediation

- Attack: Increasing zero-day attacks in user applications

  • Control 2 – inventory of software (minimal impact)
  • Control 3 – secure configurations (minimal impact)
  • Control 5 – boundary defenses (moderate impact)
  • Control 10 – vulnerability assessment and remediation (minimal impact)
  • Control 12 – malware defenses (most effective)

- Attack: Back door access on the network as the compromised user/host

  • Control 5 – boundary defenses
  • Control 8 – controlled use of administrative privileges
  • Control 9 – controlled access

- Attack: Attacker poses as a legitimate user to perform malicious actions

  • Control 6 – audit logs
  • Control 11 – account monitoring and control
  • Control 18 – incident response capability

What is SANS?

The SANS Institute provides computer security training and develops information security research documents. The Institute is also responsible for the Internet Storm Center, which functions as an early warning system. The Internet Storm Center is a virtual organization made up of volunteers who detect internet security problems, analyze threats and distribute technical and procedural information about these threats to the public.

Summary

This article looks at the SANS Institute’s “Top Cyber Security Risks” report, which was released in September 2009. The report identifies some of the major risks and vulnerabilities that are commonly ignored by organizations. The top two “priority” risks are: 1) Unpatched client-side software and 2) Vulnerable internet-facing websites. The report goes on to identify some vulnerability trends and lists best practices for mitigation and control of security risks.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

– Changing Privacy Regulations (V.D.i.)

– Online Privacy (V.D.i.1.)
