Study found that schools have most vulnerable web servers
Source: Neowin

A study done by Whitehat Security found that educational institutions were the most likely to be vulnerable while banks and healthcare institutions were the least vulnerable.
According to NetworkWorld, the study is based on data from 400 organizations that use the company as their web vulnerability management firm. They found that 71% of schools tested had vulnerabilities on their web servers all the time, compared with only 16% of banks whose servers remained unpatched all the time. Whitehat said,
"While no industry approached anywhere near zero for an annual average, banking, health care and manufacturing performed the best out of all the industries with 30, 33 and 35 serious vulnerabilities respectively per Web site during 2010, for a rough average of 2.5 or so vulnerabilities per month. On the opposite end of the spectrum, Retail, Financial Services and Telecommunications, whose Web sites had the most reported issues, measured 404, 266 and 215 serious vulnerabilities per site -- or between 18 and 34 per month."
Being vulnerable can lead to a lot of different attacks, but the most common were information leakage and content spoofing. Both of these would allow an attacker to steal information from users who think they are giving it to a trusted source rather than to the creator of the spoofed content.
The good news from this study is that you can count on your bank to do its best to make sure your financial information is secure: banks have the fastest patch time of all industries. Within 13 days of a vulnerability cropping up, the server is patched. The complete opposite can be said of the telecommunications industry, which takes an average of 205 days to patch a vulnerability. The average for all businesses to get around to patching their vulnerabilities is 116 days.
Hmm. Which country was this report based on, though? Many UK schools have their websites hosted for them, and in the case of some LEAs patching of servers (OS/web OS) and the underlying site software itself can be sporadic at best. The system seems to be 'All the web sites are working, let's not do anything to upset that now'. With IT support now covering many areas (long gone are the days when you could know lots about everything you come into contact with) and a lack of dedicated (and trained) web support staff within schools, it would end up producing results like this. IMHO, it comes down to training; if schools are not willing to train their IT staff with the same kind of training opportunities available to teaching staff then it is hardly surprising that things like this occur.
Besides, when a web security company does a survey declaring that a certain area is 'at risk' you can be sure there is an ulterior motive for selling the services they provide to that 'at risk' area. If you are patched and your server access is set correctly then there is pretty much nothing else you can do until new vulnerabilities are found and solutions provided.
Usual rubbish tech reporting. Original story is from NetworkWorld and misquotes some out-of-context figures. A Neowin staffer then basically lifted the entire article out of his RSS reader* without fact-checking or adding anything but his own opinions.
Take a look at the full report. First, it has an 'Education' category, not 'Schools', so we're almost certainly looking at universities here too.
Second, education may have scored worst on exposure window, but saying 'banking' did the best is slightly misleading since they separate it from the significantly worse-off 'financial services' category, which the layperson would naturally assume were the same thing.
Third, take a look at page 5 for the average number of vulnerabilities. Education does quite well, while financial services are the second worst on there.
Fourth, their methodology (page 11) is poorly explained. No demographics data to speak of, so we have no idea of the geographic location of the organisations checked. They do say that only about 400 organisations in total were checked, but there's no breakdown of the number of organisations in each category. If we assume an equal spread across their categories, we could be looking at only 40 education establishments. Hardly a representative sample, is it?
*How do I know this? The author left the ?source=nww_rss query parameter in the link he posted.
Last edited by AngryTechnician; 17th March 2011 at 10:09 AM.