Also read and respond to: THE LANDMINE OF P2P FILE-SHARING
Threats posed by zero-day vulnerabilities were ranked by global IT decision makers as their topmost security concern, according to a recent survey by security firm PatchLink.
Fifty-three per cent of respondents put zero day vulnerabilities as the No. 1 security concern, followed by hackers, cited by 35 per cent, and malware and spyware with 34 per cent. PatchLink surveyed 250 of its customers worldwide in June 2007, including CIOs, CSOs, IT directors and managers.
“The prospect of zero-day attacks is extremely troubling for organizations,” said Charles Kolodgy, research director for security products at IDC in Framingham, Mass. “Today’s financially motivated attackers are creating customized, sophisticated malware designed to exploit unpublished application vulnerabilities in specific applications before they can be fixed.”
Many IT departments are spread thin and lack the resources to proactively defend against zero-day threats, and attackers are using this to their advantage, said Kolodgy.
Hackers are also counting on the human element part of the security equation to help them accomplish their attacks, Kolodgy added.
“User behaviour is difficult to control, and many hackers rely on users’ lapses in judgment to carry out their malicious activity,” the IDC analyst said.
Controlling user behaviour was cited by 32 per cent of IT executives as the primary challenge to vulnerability management.
PatchLink also asked IT executives to rank the application that they are most concerned about protecting, and Internet Explorer landed on top cited by 83 per cent of the respondents.
Various Internet security threat reports earlier indicated an increasing trend in attacks targeted towards Web browsers and Web applications, serving as an avenue to gain access to corporate networks.
“Those vulnerabilities are often used in ‘gateway’ attacks, in which an initial exploitation takes place not to breach data immediately, but to establish a foothold from which subsequent, more malicious attacks can be launched,” according to Symantec’s latest Internet Security Threat Report.
If successful, vulnerabilities in Web browsers and Web applications can enable an attacker to install malware and subsequently gain control of a compromised system.
Although 72 per cent of respondents to the PatchLink survey indicated that they are now more secure than a year ago, IT executives remain wary of other risks that are in the realm of the unknown, according to Matthew Mosher, senior vice-president for Americas at PatchLink in Scottsdale, Ariz.
“(IT managers) are now starting to look at more of these zero-day vulnerabilities because they don’t necessarily think that they have a handle on that,” explained Mosher.
The PatchLink executive added that the financial motivation driving hackers today has made IT executives more concerned about zero-day exploits.
Brian Bourne, president of Toronto-based IT security consultancy CMS Consulting Inc., was surprised that zero-day vulnerabilities would concern many IT executives, as such exploits are typically used for targeted attacks.
Such concern may be out of lack of a complete understanding on how to protect against these threats, he noted.
Bourne recommends a defence-in-depth strategy is still “the right strategy” for protecting against zero-day exploits.
He urged IT managers to subscribe to a vulnerability advisory list, so that they can get all updates on most recent zero-day discoveries.
“Get the information right away to find out if it impacts you,” said Bourne, adding that the first step is finding out whether your company even runs that vulnerable software.
A good asset management system, which gives IT a clear indication of what software and hardware are running across the enterprise, will enable administrators to make a determination of whether they are vulnerable to a zero-day attack, Bourne added.
Once it’s determined that there is a risk, IT administrators can then make an effort to learn everything they can about the vulnerability, he said.
Also read and respond to: THE LANDMINE OF P2P FILE-SHARING