Is your company focusing on the right security threats?
A study released this week from the SANS Institute revealed that many organizations worldwide are not concentrating on the IT security threats that pose the greatest risks. Instead, they are diverting their attention to threats of less importance. When information compromise has the potential to devastate an organization, a problem like this one should be swiftly remedied. Is your company focusing on the right threats?
The study uses data from thousands of organizations during March to August 2009 and shows that the majority of these companies are focusing their patching and scanning efforts on operating systems when, in fact, more threats are web-based. According to the study, “On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities.”
“Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits,” the study says. The study then provides a detailed example of an HTTP client-side exploitation, explaining step-by-step how a hacker infiltrates an organization’s intranet via a trusted third-party site (Facebook, YouTube, Flickr, etc.) and proceeds to compromise critical company data.
The study also reports that more than 80 percent of web application vulnerabilities being discovered are SQL injection and Cross-Site Scripting flaws in open-source and custom-built applications. Furthermore, it says that “most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.” In an age where Internet commerce can make or break a business, that last statement should stir organizations to begin focusing their efforts on the right place — the Web.
With information security a priority for customers and employees alike, don’t trust your network security with anyone but IT professionals. Talk with security experts today to ensure your time and resources are going where they’re most needed.
[photo: Matt Glaman]
Tags: Computer network security, computer security, Cross-site scripting, small business it security