Client side attacks on the rise, SANS says

Hackers moving away from traditional server targets

Client-side vulnerabilities are among the biggest threats facing users, the SANS Institute said yesterday as it announced its 2007 list of the most critical Internet security vulnerabilities.

"Traditionally, attackers went for hacking servers, but there has been a shift to the client side because server-side applications have been targets for attackers since 2001, and these applications have matured," says Amol Sarwate manager of the vulnerability lab at Qualys who also helped compile the SANS Top 2007 list.

Attackers are going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain the most current application patch levels, keep antivirus software updated and seek and remove unauthorized applications, Sarwate says. Keeping authorized software to a minimum also decreases exposure, he says.

Users should be educated about safe use of the Web regularly, he says. Use of simulated phishing attacks against users can help pinpoint which users are most susceptible to these exploits and need further training, he says.

Server-side attacks have waned because of better security surrounding them that makes it more difficult to exploit vulnerabilities, Sarwate says. Load balancers and Web application firewalls are more common, making server defense more effective, he says.

Still, vulnerabilities in Web applications are still being hit by cross-site-scripting attacks and SQL injection attacks, the list says. These vulnerabilities stem from programmers that are unaware of how to code securely. "Not all of them are security experts," he says, and businesses that write their own code may be particularly vulnerable if they don't make secure coding a priority. "Companies can focus on security training for application developers," he says.

Meanwhile, user awareness of the techniques being used to exploit Web applications can help. For instance, if users access a secure Web site and browse insecure sites in another browser window while the secure session is still in progress risk exploitation, he says. Logging out of the secure session before continuing browsing can mitigate the problem.

Warning systems can be built into Web applications as well. For example, a bank could have customers choose an image that will appear on the bank Web site when users come to the page and before they log in. If the image isn't there, it is not a legitimate site.

The SANS list notes vulnerabilities to VoIP applications. "Attacks are happening today, and the list refers to types that could happen next year," Sarwate says.

"Rapid adoption to garner the economic advantages of VoIP has led many to overlook, or even set aside, security concerns," the list says. As a result, these systems could be vulnerable to VoIP phishing scams, eavesdropping, toll fraud, or denial-of-service attacks.

The list points out that because VoIP networks interface with the traditional public switched telephone network signaling system, VoIP exploits could potentially disrupt the PSTN.

The full SANS list includes how to determine if a system or application is vulnerable and what to do to protect against attacks.

The list used to be called the top 20, but this year it was reorganized to include 18 categories, so the name was changed.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?