Tài liệu 2010 Full Year Top Cyber Security Risks Report doc

LINK DOWNLOAD MIỄN PHÍ TÀI LIỆU "Tài liệu 2010 Full Year Top Cyber Security Risks Report doc": http://123doc.vn/document/1036189-tai-lieu-2010-full-year-top-cyber-security-risks-report-doc.htm

5
Looking more deeply into the types of vulnerabilities,
the above graph (Figure 2), again from OSVDB, shows
trend data about the more prevalent types, such as
Cross-Site Scripting and SQL Injection. The period from
2006 to the present time seems to define the modern
era of the vulnerability landscape, with an equal share
originated in Web applications as are originated
in traditional targets such as operating systems and
legacy services like SMB. The data also indicates
lifecycles with peaks, valleys, ebbs, and flows in the
number of disclosed vulnerabilities. For example,
PHP file-include vulnerabilities peaked in 2006, SQL
Injection peaked in 2008, and Cross-Site Reference
Forgery (CSRF) is ebbing slowly higher in recent years.
Vulnerability Trends -
Web Applications
Web applications have continued to dominate the
threat landscape in 2010, sustaining a steadily
increasing trend over the last few years. The
staggering number of Web application vulnerabilities
combined with more effective exploitation methods
(see section on Web exploit toolkits) demonstrates
why attackers continue to target these systems.
As shown in the following chart (Figure 3), Web
application vulnerabilities comprise nearly half of all
vulnerabilities.
Delving into the various Web application
vulnerabilities reveals that Cross-Site Scripting (XSS)
still comprises the most significant number of disclosed
vulnerabilities, followed by SQL injection, and then
Denial of Service (DoS). This is demonstrated in the
chart in Figure 4. SQL Injection remains a popular
option for database theft and drive-by SQL Injection
by botnets. The ASPROX botnet overwrites portions of
a compromised website’s database to insert IFRAMES,
which redirects website visitors to a malicious URL that
infects the visitor’s computer with malware, thereby
adding it to the legions of zombie computers that
make up the botnet.
3K
2.4K
1.8K
1.2K
600
0
Total Vulnerabilities
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Cross Site Scripting Cross Site Request Forgery SQL Injection Buffer Overflow Remote File Include Denial of Service
Figure 2:
Vulnerability Type by Year
Figure 3:
Web App Vuln Disclosure v All Vuln Disclosure, OSVDB 2010
Web App
Other
6
Up until now this report focused on vulnerability
disclosure, which may or may not reflect the complete
picture of vulnerability trends unfolding on the Internet.
In an effort to get a clearer picture of the real world
vulnerability landscape, the HP Application Security
Center (ASC) has compiled results from over 100
security assessments performed against a variety of
customer Web applications. The ASC team took a
high-level snapshot approach, testing the applications
for a cross-section of common vulnerabilities.
Of the surveyed applications, an amazingly high 71%
suffered from a command execution, SQL Injection,
or Cross-Site Scripting vulnerability. It is important to
note that any application that suffers from one of these
types of vulnerabilities would fail a PCI compliance
audit. Another 49% of the applications had at least
one critical command execution or SQL injection
vulnerability either one of which could allow a
knowledgeable and determined attacker to completely
compromise the system. Though small in comparison
yet still disconcerting, 22% of the security-assessed
applications were vulnerable to both SQL Injection and
Cross-Site Scripting attacks.
The assessment determined that Cross-Site Scripting
existed in not only the highest percentage of
applications, but also in the greatest quantity across
all assessed systems. A minor positive note is that
eleven of the application assessment scans returned
no vulnerabilities in these categories.
The following chart (Figure 5) displays the overall
statistics, broken down by percentage. Each
percentage reflects how many sample applications
were susceptible to the vulnerability labeled on the
horizontal axis.
Under the right circumstances, those could possibly
lead to a complete system compromise. Twenty-two
percent of applications were vulnerable to both SQL
Injection and Cross-Site Scripting.
Here’s how the overall statistics break down by
percentage. Each percentage reflects how many of our
sample applications were susceptible to that specific
type of vulnerability.
70%
60%
50%
40%
30%
20%
10%
0%
CROSS-SITE
SCRIPTING
COMMAND
EXECUTION
SQL INJECTION
Vulnerability Distribution
Figure 5:
Percentage of Attacks in Web Applications Sampled
Figure 4:
Web App Vuln Disclosure v All Vuln Disclosure, OSVDB 2010
Cross Site
Scripting
SQL Injection
Denial of
Service
Buffer Overflow
Other
Remote File
Include
Cross Site
Request Forgery
7
As Web 2.0 technologies such as AJAX, Flash,
and HTML 5 enable organizations to create richer,
more complex Web applications, vulnerabilities
become more prevalent and more challenging to
detect. The numbers listed above are concerning,
but not surprising. To mitigate risk responsibly,
organizations should test code in development, scan
for vulnerabilities in QA before staging, and test
applications in production on an ongoing basis.
HP DVLabs has delved further into the assessment of
Web applications by performing in-depth analysis of
Internet-hosted websites. It has investigated common
open-source applications such as Wordpress, Joomla,
and Drupal, each a type of content management
system (CMS) commonly used for hosting blogs and
online discussion groups. The investigation revealed an
interesting differentiation between the core application
and application plug-ins.
Figure 6 shows the percent of vulnerabilities reported
in core application and in application plug-ins, from
2006 through 2009. For all CMS applications,
OSVDB shows that the majority of vulnerabilities occur
in the core application. This data is slightly misleading
due to the large number of distinct CMS applications.
When HP DVLabs focused on the three most popular
applications, Wordpress matched the percentage
shown by the total CMS population, while both Joomla
and Drupal exhibited an astonishingly high percent of
vulnerabilities in plug-ins.
100%
80%
60%
40%
20%
0
ALL CMS WORDPRESS JOOMLA DRUPAL
Core
Vulnerabilities
Plugin
Vulnerabilities
Figure 6:
CMS Vulnerabilities 2006 - 2009
8
When viewing statistics solely from the year 2010, the
results differ slightly (Figure 7). While the ratio for the
entire CMS population remains similar to the multi-
year trend, the ratio for the popular CMS applications
skews even more heavily towards plug-ins being the
source of vulnerabilities. A possible explanation might
be increased diligence taken by the core application
developers following a number of high-profile exploits
against their platforms, thereby reducing the number
of vulnerabilities in the core application and increasing
the percentage of them in plug-ins. Further, plug-in
developers may not place as much emphasis on
security as those developing core applications, and
may therefore be less concerned with locating and
patching vulnerabilities.
HP DVLabs built a system to track websites running
common Web applications, such as the CMS
applications. A survey of the entire IP space of the
Internet determined that there are approximately
104 million active hosts, of which at least 9.2% are
running Wordpress, Joomla, or Drupal. Many of
the installations featured one or more plug-ins to the
core application.
Of the 9.2% of active hosts, HP DVLabs took a
sampling of approximately one million hosts to
perform more detailed analysis. Analysis of this data
showed that patch rates in open source software seem
to lag behind in Asian countries and in many of the
largest global Internet Service Providers (ISPs). Low
patch rates of commercial software—such as Microsoft
products—in Asian countries have been widely
publicized and are frequently attributed to piracy of
such software. However, the investigation revealed
that this trend of low patch rates exists not just in
commercial products but in open source products as
well. The trend of low patch rates at ISPs indicates
that ISPs are typically reactive to security incidents
rather than proactive in following the guidance of
security vulnerability announcements. The reasons for
this is unknown, however because customer uptime is
so important for ISPs, they likely weigh the possibility
of application instability introduced by a new patch
against the likelihood that a vulnerability will actually
be exploited in the real world.
100%
80%
60%
40%
20%
0
ALL CMS WORDPRESS JOOMLA DRUPAL
Core
Vulnerabilities
Plugin
Vulnerabilities
Figure 7:
CMS Vulnerabilities 2010
9
In the chart above (Figure 8), HP DVLabs demonstrates
why patching is extremely critical in Web applications
and their associated plug-ins.
The prevalence of vulnerable Web applications on the
Internet is staggering. With so many potential targets
available to be exploited, it is no wonder the Internet
succumbs to massive numbers of SQL Injection and
PHP file-include attacks, and data breaches continue to
occur unabated.
Vulnerability Trends - Zero Day
Initiative
The Zero Day Initiative (ZDI), founded by HP DVLabs in
2005, is a program for rewarding security researchers
for responsibly disclosing vulnerabilities. The program
is designed such that researchers provide HP DVLabs
with exclusive information about previously unpatched
vulnerabilities they have discovered. HP DVLabs
validates the issue and works with the affected vendor
until the vulnerability is patched.
This program provides HP DVLabs with a unique
set of data about new security research as well as
information about the patch cycle for vendors. This
information is then used by HP DVLabs to create filters
that are deployed to the HP TippingPoint IPS.
The large market for client-side applications, as well as
easier access to reverse engineering tools, has spurred
significant interest in security research and vulnerability
discovery. Researchers around the world seem to be
growing in number, and many are interested in a
responsible way of helping software vendors improve
their products while still being compensated for their
time and effort. Most of the discoveries are made with
fuzzers whose sophistication has grown substantially
due to new research over the past few years.
While the number of vulnerabilities publicly disclosed
seems to have leveled out over the last five years,
the ZDI program has risen in popularity and has
purchased and disclosed many more vulnerabilities
year after year. Between 2005-2010, HP DVLabs
and the ZDI purchased and disclosed 750 previously
unknown vulnerabilities, most of which were of high
or critical nature in popular products used across both
large enterprises and the average user.
100%
80%
60%
40%
20%
0%
WORDPRESS JOOMLA DRUPAL
Vulnerable Web Applications
Vulnerable Installs
Figure 8:
Vulnerable Web Applications
10
In the table above (Figure 9), you can see the top ten
applications with vulnerabilities disclosed through the
ZDI. Eight out of the ten are related to popular client
side applications with seven of those being related in
one way or another to Web browsers.
Focusing solely on the year 2010 (Figure 10), HP
DVLabs and the ZDI either discovered or acquired,
and disclosed to affected vendors, 320 vulnerabilities
in a wide range of products. Below you can see the
top ten vulnerabilities disclosed through the ZDI in
2010, the majority of which are client-side related.
Seven of the ten are related in one way or another to
Web browsers.
70
60
50
40
30
20
10
0
Vulnerabilities
APPLE QUICKTIME
MICROSOFT INTERNET
EXPLORER
ORACLE JAVA
RUNTIME
REALNETWORKS
REALPLAYER
MOZILLA
FIREFOX
HP OPENVIEW
NOVELL eDIRECTORY
ADOBE SHOCKWAVE
PLAYER
MICROSOFT OFFICE
EXCEL
APPLE WEBKIT
Figure 9:
Top 10 Vulnerabilities Disclosed through ZDI From All Time (2005 - 2010)
35
30
25
20
15
10
5
0
Vulnerabilities
REALNETWORKS
REALPLAYER
APPLE QUICKTIME
APPLE WEBKIT
MOZILLA FIREFOX
MICROSOFT INTERNET
EXPLORER
ADOBE SHOCKWAVE
PLAYER
HP OPENVIEW
NOVELL iPRINT
NOVELL ZENWORKS
ORACLE JAVA
RUNTIME
Figure 10:
Top 10 Vulnerabilities Disclosed through ZDI in 2010
11
Attack Trends - HTTP Client versus
Server Side
Both HTTP client-side attacks and HTTP server-side
attacks saw a significant increase over the course of
the 2010 sample period. The bulk of attack types are
malicious JavaScript and PHP file-include attacks.
The chart above (Figure 11) depicts the number
of client-side attacks, by month throughout 2010.
The highest number, in December 2010, reached
approximately five million attacks.
The following chart (Figure 12) depicts the number of
server-side attacks, by month throughout 2010. They
are much more prevalent than client-side attacks, with
the highest number reaching about 23 million attacks
in July 2010, which is almost five times more than the
peak amount client-side attacks.
6M
4.8M
3.6M
2.4M
1.2M
0
Filter Hits
JAN 2010
FEB 2010
MAR 2010
APR 2010
MAY 2010
JUN 2010
JUL 2010
AUG 2010
SEP 2010
OCT 2010
DEC 2010
NOV 2010
Figure 11:
Client-Side Attacks, Based on HP TippingPoint IPS Filter Hits
30M
24M
18M
12M
6M
0
Filter Hits
JAN 2010
FEB 2010
MAR 2010
APR 2010
MAY 2010
JUN 2010
JUL 2010
AUG 2010
SEP 2010
OCT 2010
DEC 2010
NOV 2010
Figure 12:
Server-Side Attacks Based on HP TippingPoint IPS Filter Hits
12
Recall that the vulnerability discussion focused on the
increasing presence of Web application vulnerabilities,
reaching nearly 50% of overall vulnerabilities, while
traditional vulnerabilities diminished. Attack data
pulled from HP TippingPoint IPS devices correlates
with the vulnerability data from OSVDB and the ZDI.
The above chart (Figure 13) shows an almost 60%
shift from a legacy (i.e. SMB) type attack, towards an
HTTP-based attack, over the course of only 12 months.
HP DVLabs expects this trend to continue as more and
more functionality is moved onto the Web and away
from legacy services such as SMB.
• One more important point should be made about
SMB and HTTP-based attacks. Nearly 100%
of the observed attacks are automated, botnet,
or worm-based attacks. Very few appear to be
targeted against a specific machine or host. This is
a completely different attack pattern than we see
with HTTP. While the majority of HTTP traffic does
also appear to be automated, much of it appears
targeted towards specific hosts. A common HTTP
attack pattern involves an attacker focusing multiple
types of attacks to find a way into a vulnerable
website. In contrast, the vast majority of SMB attacks
are worm-based traffic. Anecdotally, the following
list depicts the wide variety of attacks used against a
host system that has fallen victim to a PHP file-include
attack, as uncovered by an HP DVLabs investigation:
• Invalid TCP Traffic: Possible nmap Scan (No Flags)
• HTTP: HTTP CONNECT TCP Tunnel to SMTP port
• HTTP: AWStats Multiple Vulnerabilities
• HTTP: Paros Proxy HTTP Request
• HTTP: PHP File Include Exploit
• HTTP: Horde Help Viewer PHP Command Injection
• HTTP: PHP File Include Exploit
• SSH: SSH Login Attempt
• HTTP: Wget Web Page Retrieval Attempt
• HTTP: PUT Method Execution over HTTP/WebDAV
In great contrast to large number of HTTP-based
attacks targeted against a victim host, the typical
profile of an SMB attack includes a single type of
attack, shown below:
• MS-RPC: Microsoft Server Service Buffer Overflow
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
JAN 14
FEB 14
MAR 14
APR 14
MAY 14
JUN 14
JUL 14
AUG 14
SEP 14
OCT 14
DEC 14
NOV 14
HTTP
Server
Figure 13:
SMB and HTTP Attacks
13
Attack Trends - Malicious JavaScript
Malicious JavaScript continues to be a popular attack
type. It is considered to be one style of attack within
the category of HTTP client-side attacks. Malicious
JavaScript attacks are often highly obfuscated,
and are specifically designed to bypass security
controls. HP DVLabs accumulates statistics, such
as those shown in the above graph (Figure 14),
through the use of vulnerability filters operating in
HP TippingPoint IPS devices. Throughout 2010, these
types of attacks averaged about 90,000 per month,
far lower than the overall HTTP client-side average of
1.8 million per month.
Attack Trends - PHP Remote File
Include
PHP Remote file-include attacks saw a steady overall
downward trend, except for a massive spike in mid-
year (Figure 15). This is the nature of such attacks.
They commonly compromise otherwise legitimate
websites, which grants the attacker a window of
opportunity to launch a widespread file-include
campaign. Reputation-based detection models are
designed to detect infected hosts and then add them
to an Internet blacklist, thereby shunning them from
interacting with the rest of the Internet. However,
because file-include campaigns exploit legitimate
websites, the reputation-based models sometimes lag
in their detection of the infected websites. It is this
window of opportunity that likely allowed the two-
month spike in June and July of 2010.
160K
128K
96K
64K
32K
0
Filter Hits
JAN 2010
FEB 2010
MAR 2010
APR 2010
MAY 2010
JUN 2010
JUL 2010
AUG 2010
SEP 2010
OCT 2010
DEC 2010
NOV 2010
Figure 14:
Malicious Javascript Attacks
3M
2.4M
1.8M
1.2M
600K
0
Filter Hits
JAN 2010
FEB 2010
MAR 2010
APR 2010
MAY 2010
JUN 2010
JUL 2010
AUG 2010
SEP 2010
OCT 2010
DEC 2010
NOV 2010
Figure 15:
14
Attack Trends - Botnets
Botnets remained a huge problem in 2010. Overall,
HP DVLabs tracks approximately ten million infected
hosts. Amazingly, Conficker is still the most prevalent
botnet, even though it was first detected in 2008. Its
presence on the Internet is more than twice as much as
the next most prevalent botnet, Mariposa.
HP DVLabs tracks activity for a number of botnets.
The accumulated data is not only used to track the
behaviors and prevalence of botnet families, but also
contributes to the HP TippingPoint Reputation Digital
Vaccine (ReputationDV) service, which evaluates
the botnets in order to designate infected hosts as
candidates for blacklisting.
The following graph (Figure 16) details the relative
percentage of unique botnet drones detected, per
botnet family.
50%
40%
30%
20%
10%
0%
CONFICKER A/B
MARIPOSA
GENERIC
ZEUS
SPAM
IRC BOT
KRACKEN
BLACKENERGY
POISONIVY
HAMWEQ
HTTP BOT
CONFICKER C
Figure 16:
Numbers of Botnet Drones Per Family
Attack Trends - Denial of Service(DoS) and
Distributed Denial of Service (DDoS)
Denial of Service (DoS) and
Distributed Denial of Service (DDoS):
Historic Review
Denial of Service (DoS) and Distributed Denial of
Service (DDoS) fall into a category of Internet-based
attacks that enjoy a rich and mature pedigree. The
Internet threat landscape has been ravished by these
attacks time and time again, and though they are
considered to be a violation of the Internet Architecture
Board’s Internet Proper Use Policy, little is done by the
Internet Engineering Task Force (IETF) to adjudicate said
bad behavior. The goal of these attacks is quite simple:
to deliver, in a concerted fashion, an attack of various
denominations that prevents websites or services from
functioning efficiently or at all. The disruption could
be temporary or, as in the case of the ill-fated Blue
Security 1, indefinite. The burden of addressing these
attacks falls squarely upon data communications
providers (traditional carriers, broadband providers,
etc.), enterprise businesses, and individuals. The
effectiveness of DDoS attacks, along with their ability
to generate news and media coverage, is unparalleled.
Recent examples have included:
Retaliatory DDoS attacks against Visa, MasterCard,
PayPal, Bank of America, 4chan, and others as a sign
of civil protest related to the WikiLeaks campaign. A
similar attack was launched against the International
Federation of Phonographic Industry (IFPI) in
retaliation for the failed appeal of The Pirate Bay. In
both cases, the hacktivist group ‘Anonymous’ used
the Low Orbit Ion Cannon (LOIC) attack to cripple the
targeted websites.