Client side attacks on the rise, SANS says

Hackers moving away from traditional server targets

Client-side vulnerabilities are among the biggest threats facing users, the SANS Institute said yesterday as it announced its 2007 list of the most critical Internet security vulnerabilities.

"Traditionally, attackers went for hacking servers, but there has been a shift to the client side because server-side applications have been targets for attackers since 2001, and these applications have matured," says Amol Sarwate manager of the vulnerability lab at Qualys who also helped compile the SANS Top 2007 list.

Attackers are going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain the most current application patch levels, keep antivirus software updated and seek and remove unauthorized applications, Sarwate says. Keeping authorized software to a minimum also decreases exposure, he says.

Users should be educated about safe use of the Web regularly, he says. Use of simulated phishing attacks against users can help pinpoint which users are most susceptible to these exploits and need further training, he says.

Server-side attacks have waned because of better security surrounding them that makes it more difficult to exploit vulnerabilities, Sarwate says. Load balancers and Web application firewalls are more common, making server defense more effective, he says.

Still, vulnerabilities in Web applications are still being hit by cross-site-scripting attacks and SQL injection attacks, the list says. These vulnerabilities stem from programmers that are unaware of how to code securely. "Not all of them are security experts," he says, and businesses that write their own code may be particularly vulnerable if they don't make secure coding a priority. "Companies can focus on security training for application developers," he says.

Meanwhile, user awareness of the techniques being used to exploit Web applications can help. For instance, if users access a secure Web site and browse insecure sites in another browser window while the secure session is still in progress risk exploitation, he says. Logging out of the secure session before continuing browsing can mitigate the problem.

Warning systems can be built into Web applications as well. For example, a bank could have customers choose an image that will appear on the bank Web site when users come to the page and before they log in. If the image isn't there, it is not a legitimate site.

The SANS list notes vulnerabilities to VoIP applications. "Attacks are happening today, and the list refers to types that could happen next year," Sarwate says.

"Rapid adoption to garner the economic advantages of VoIP has led many to overlook, or even set aside, security concerns," the list says. As a result, these systems could be vulnerable to VoIP phishing scams, eavesdropping, toll fraud, or denial-of-service attacks.

The list points out that because VoIP networks interface with the traditional public switched telephone network signaling system, VoIP exploits could potentially disrupt the PSTN.

The full SANS list includes how to determine if a system or application is vulnerable and what to do to protect against attacks.

The list used to be called the top 20, but this year it was reorganized to include 18 categories, so the name was changed.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Cool Tech

Xiro Drone Xplorer V -3 Axis Gimbal & 1080p Full HD 14MP Camera

Learn more >

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

Gadgets & Things


Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Stocking Stuffer

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?