CyberSecurity Institute

According to security firm NTA Monitor, UK businesses are drowning under a rising tide of medium and low-level security vulnerabilities as they fight to deal with high-risk security flaws.

The company’s research – based on analysis of almost 500 network perimeter security tests of clients in both the public and private sector – found that a third of corporate networks have at least 10 flaws, opening themselves to “considerable risk of malicious attack”.

High-risk flaws were discovered in only 3.9 per cent of tests, while medium flaws were found in 74.3 per cent of tests and a low-risk vulnerability of some kind was found in every test carried out.

Security issues relating to the configuration of internet routers were found to account for the most frequently identified vulnerability.

Poorly configured routers can allow an attacker to let themselves into a network and can also be used as a stepping stone to attack other systems, NTA Monitor warned.

The most common problem the security firm found threatening its customers was denial of service (DoS) attacks.

Low-level flaws were identified in all networks in both 2003 and 2004, while medium-level flaws climbed from 73 per cent in 2003 to 74.3 per cent in 2004.

http://www.vnunet.com/News/1155120

Microsoft announced an unprecedented eight patches to fix 21 vulnerabilities on “Patch Tuesday” last month, one of which Sasser’s creators exploited within three weeks.

Given the Sasser worm variants have hit 500,000 to 1 million unpatched machines to date, according to industry estimates, concern abounds that the window is rapidly closing between the time it takes vendors to identify holes and for attackers to take advantage of them.

Each new assault taking the world closer to zero-day exploits, when hackers will have the means to strike the day a new gap is announced.

Mark Nicollet, analyst for Connecticut-based research and advisory firm Gartner Inc., said the challenge is for organizations to put systems in place to end the recurring nightmare where administrators scramble to update their security software ahead of the next worm or virus, only to discover later that the patches they installed conflict with other software, causing computers to slow down or crash. We need to reach the point where blocking technology is effective enough to let us patch in a less disruptive, risky way, even without zero-day exploits.”

Eric Schultze, chief security architect for Shavlik Technologies of Roseville, Minn., said when it comes to the prospect of zero-day attacks, his biggest concern is that software experts are putting too much information in the public domain and unintentionally helping the hackers. He said researchers think they’re helping the IT community by putting detailed reports outlining the latest security flaws on the Internet for all to see. Schultze said the best approach is for researchers to “find the bug, alert the vendor and keep the rest out of the public domain.”

As the industry waits for Microsoft’s announcement and the next malicious code, some express skepticism that the zero-day attack will ever happen.

“I don’t think it’ll reach the point where hackers have a zero-time turnaround,” said Dennis Racca, president of network security provider Umbra Networks in Andover, Mass.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci963170,00.html