Client side attacks on the rise, SANS says

Hackers moving away from traditional server targets

Client-side vulnerabilities are among the biggest threats facing users, the SANS Institute said yesterday as it announced its 2007 list of the most critical Internet security vulnerabilities.

"Traditionally, attackers went for hacking servers, but there has been a shift to the client side because server-side applications have been targets for attackers since 2001, and these applications have matured," says Amol Sarwate manager of the vulnerability lab at Qualys who also helped compile the SANS Top 2007 list.

Attackers are going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain the most current application patch levels, keep antivirus software updated and seek and remove unauthorized applications, Sarwate says. Keeping authorized software to a minimum also decreases exposure, he says.

Users should be educated about safe use of the Web regularly, he says. Use of simulated phishing attacks against users can help pinpoint which users are most susceptible to these exploits and need further training, he says.

Server-side attacks have waned because of better security surrounding them that makes it more difficult to exploit vulnerabilities, Sarwate says. Load balancers and Web application firewalls are more common, making server defense more effective, he says.

Still, vulnerabilities in Web applications are still being hit by cross-site-scripting attacks and SQL injection attacks, the list says. These vulnerabilities stem from programmers that are unaware of how to code securely. "Not all of them are security experts," he says, and businesses that write their own code may be particularly vulnerable if they don't make secure coding a priority. "Companies can focus on security training for application developers," he says.

Meanwhile, user awareness of the techniques being used to exploit Web applications can help. For instance, if users access a secure Web site and browse insecure sites in another browser window while the secure session is still in progress risk exploitation, he says. Logging out of the secure session before continuing browsing can mitigate the problem.

Warning systems can be built into Web applications as well. For example, a bank could have customers choose an image that will appear on the bank Web site when users come to the page and before they log in. If the image isn't there, it is not a legitimate site.

The SANS list notes vulnerabilities to VoIP applications. "Attacks are happening today, and the list refers to types that could happen next year," Sarwate says.

"Rapid adoption to garner the economic advantages of VoIP has led many to overlook, or even set aside, security concerns," the list says. As a result, these systems could be vulnerable to VoIP phishing scams, eavesdropping, toll fraud, or denial-of-service attacks.

The list points out that because VoIP networks interface with the traditional public switched telephone network signaling system, VoIP exploits could potentially disrupt the PSTN.

The full SANS list includes how to determine if a system or application is vulnerable and what to do to protect against attacks.

The list used to be called the top 20, but this year it was reorganized to include 18 categories, so the name was changed.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?