Networking giant Cisco today revealed its take on the current state of IT security. The major trends? Vulnerabilities are on the rise, with blended and virtualization attacks becoming increasingly the norm.
According to Cisco, as of the end of October 2008, over 5971 IT vulnerabilities had been tallied, which is a year over year increase of 11.5 percent over the 5353 vulnerabilities for 2007. Cisco also reported a year over year increase of 90 percent in the volume of attacks that come from legitimate domains.
“Even though we were aware of the severity of the threats on the Web and in particular the attacks on legitimate Web sites, the ferocity and volume of those attacks in 2008 was very much of a shock,” Patrick Peterson, Cisco Fellow and chief security researcher, told InternetNews.com. “It really defied all of our worst case scenarios.”
Cisco’s report claims that exploited Web sites in 2008 were responsible for 87 percent of all Web-based threats. Overall Cisco reported that Buffer overflow, Denial of Service (DoS) and Cross Site Scripting (XSS) attacks led the total vulnerability count.
Peterson clarified that volume of reported vulnerabilities is not the same as volume of attacks. Peterson noted that attacks on Web sites in 2008 were primarily by way of SQL injection
Peterson also pointed the finger at Web browser add-ons, which he argued were easy to exploit in 2008. If attackers want to take advantage of an add-on vulnerability, all they have to do is get the browser to visit a Web page with a malicious code Flash object on it. He added that the problem with add-on vulnerability often stems from the fact that users aren’t always running the most up to date versions of the software.
“Add-on patching and updates don’t seem to have the same kind of rigor or delivery vehicle as more standard apps,” Peterson said. “I just installed Windows Update, but when it comes to something like Flash, the way it gets updated, it doesn’t seem to have the same kind of rigor. It leads people to have an OS {operating system} that is patched but some kind of browser plugin that is not patched and they don’t even know how to get the patch.”
Eric Lawrence, security program manager for Microsoft’s Internet Explorer team, has made a similar argument: that browser add-on security is an issue that exists with the add-on vendors.
Lawrence made his add-on comment during a discussion this year on clickjacking, which is a new attack vector that was not included in Cisco’s report. Peterson explained that details on clickjacking emerged after Cisco began to put together its report.
In a clickjacking attack an attacker hides an object underneath a legitimate object or button, such that a user is completely unaware of what they might be clicking. Peterson commented that he doesn’t believe that clickjacking is currently a widespread attack but that it is a very clever and scary attack vector.
Perhaps more surprising, DNS
Peterson noted that when the flaw was first revealed in July he anticipated massive DNS hacking activities. That didn’t happen. Instead, from Peterson’s point of view, the aggressive patching effort that culminated in Kaminsky’s full disclosure in August likely averted any widespread DNS hacking activity.
In fact, Peterson sees the Kaminsky attack as a new type of positive trends for the IT security community.
“If you look at clickjacking and the Kaminsky attack, those are two great examples of what the security community would not have done 12 months ago,” Peterson commented. “Those issues were patched before they were publicly disclosed and that’s a little bit of a silver lining we can see in doing our battle with the criminals.”
Another silver lining in 2008 came in the fight against spam with the shutdown of the McColo ISP in November.
“With the McColo shutdown, we did see a dramatic reduction in spam, with volumes down by 66 percent,” Peterson said. “This is the first substantive change we’ve seen in the annual doubling of spam since 2004. It does offer some hope, in that by focusing on the command and control nodes as a way to take out botnets and that’s something I can see get spam get pushed back down.”