A steady focus on computer industry trends reveals two main areas of tremendous growth for the future: web applications and virtualization—which of course means that as a security administrator, you'll need to place more emphasis on those areas in your own environment.
Even if you employ those technologies only sparingly, you'll still need to place a strong focus on related security because researchers and intruders see these trends and are working to find chinks in the armor. To give you an idea of what the threat landscape looks like right now, consider a recently published report by IBM Internet Security Systems (ISS).
According to the report, in 2000 web application vulnerabilities were virtually nonexistent—and so were snazzy high-tech websites. But that's all changed. Here we are 8 years later with a plethora of powerful web applications all over the Internet, and vulnerabilities in web applications now account for roughly 51 percent of all vulnerabilities discovered. That's quite a change from days gone by, when the majority of vulnerabilities were found in OSs, especially Windows.
Even the web vulnerability landscape is changing. In the past, cross-site scripting was one of the biggest problems with web applications. But since last year, SQL injection attacks have steadily become the biggest problem and that trend is still increasing in terms of attacks. For example, according to ISS, in June alone there were tens of thousands of SQL injection attacks that originated from several thousand different sources.
Looking at the world of virtual computing reveals similar trends. Over the past 3 years the amount of research focused on weaknesses in virtualization technology has increased, and likewise the number of vulnerabilities discovered has also increased—by about 500 percent!
Complicating matters is the fact that in many instances exploit code becomes available before patches for vulnerabilities are available or within a day or two after vulnerabilities become publicly known. This results in little if any rest for battle-weary security administrators.
Take the recent DNS vulnerability, which was patched by the majority of DNS software vendors earlier this month (except for a few, such as Apple, who dragged their feet and left customers exposed to attack). Within a day of the release of patches, exploit code was already available to poison DNS caches. Days later a module became available for Metasploit, which as you know makes attacking a system incredibly simple. As a result, many businesses and Internet users fell victim to attack because various DNS server operators didn't patch their systems quickly enough. Even BreakingPoint Systems, where Metasploit creator HD Moore works, fell victim because they used an AT&T DNS server as DNS forwarders and AT&T didn't patch their systems quickly enough.
The 80-page report from ISS is full of excellent information that reveals many other facts, figures, and trends—all of which you need to know. You can download a copy in PDF format at the URL below:
Since I brought up this new report it's probably a perfect time to mention something about these reports in general that I've been thinking about lately: Many security vendors have taken to publishing regular reports that offer a lot of very important information, and those reports are typically based on data vendors are able to collect from their security solutions, whether inhouse or placed in customer sites. It would be extremely useful to all security-minded people if vendors would get together and pool their security statistic information into one big consolidated report. However, no such report is currently being produced. Quarterly and annual reports of that nature would be invaluable, and I'd bet that such a report would be read by a far wider audience than single reports issued by each company. What do you think? Send your feedback to me at mje\[at\]windowsitpro\[dot\]com.