Recently, the 2010 Top Cyber Security Risks Report was released as an analysis of attack data compiled from a number of web resources. HP’s TippingPoint Labs, Internet security and risk firm Qualys, and the SANS Institute. This report has quite an array of data, and in the course of reviewing this material; there were a number of interesting pieces that can be used for infrastructure administrators. Not necessarily as a way to address a specific issue, but instead, I see this data as a guide for future decisions to know what risks may be in place.
One of the most interesting elements of this report is the half-life vulnerability graphs. The two half-life graphs show the number of days needed to reduce the count of vulnerabilities to 50%. Figure A below shows the Windows operating system vulnerabilities half-life and the Adobe Acrobat Reader half-life:
Click image to enlarge.
This should tell us that it is clear that Adobe patches are not to be taken lightly. As an administrator as well as a user, managing Adobe Updates seems cumbersome if not annoying at times. In the report, it also explains how a real-world .PDF file attack can be used to create a stack-based buffer overflow. Keeping Windows up-to-date is somewhat mechanized and made easy through a number of available tools, but installed applications such as Acrobat Reader can be more complicated. In my professional practice, I don’t install Acrobat Reader, a Java engine, or other software on Windows Server systems unless explicitly required for a server application to reduce the patching footprint.
Another interesting section of the report is the tracking of known, unpatched vulnerabilities for products. There are graphs for Adobe Flash, the Safari browser, Mozilla Firefox, and Microsoft Windows. It may seem somewhat of a surprise, but even the alternative browser is subject to these risks. While Microsoft Windows has the most of this category, the difference is not as much as you would imagine. Figure B below shows a few categories of known, unpatched vulnerabilities for popular products:
Click image to enlarge.
For system administrators, I see this report as quite interesting. It is a clear indication that simply selecting a platform doesn’t preclude vulnerabilities. For the typical administrator, a review of this document would be a good read and hopefully not produce a large punchlist of action items.
What strikes you as interesting about the report? How about any of the geographic behavior patterns? Do you filter Internet behavior to or from selected countries as a pre-emptive security practice? Share your comments below.