Client side attacks on the rise, SANS says

Hackers moving away from traditional server targets

Client-side vulnerabilities are among the biggest threats facing users, the SANS Institute said yesterday as it announced its 2007 list of the most critical Internet security vulnerabilities.

"Traditionally, attackers went for hacking servers, but there has been a shift to the client side because server-side applications have been targets for attackers since 2001, and these applications have matured," says Amol Sarwate manager of the vulnerability lab at Qualys who also helped compile the SANS Top 2007 list.

Attackers are going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain the most current application patch levels, keep antivirus software updated and seek and remove unauthorized applications, Sarwate says. Keeping authorized software to a minimum also decreases exposure, he says.

Users should be educated about safe use of the Web regularly, he says. Use of simulated phishing attacks against users can help pinpoint which users are most susceptible to these exploits and need further training, he says.

Server-side attacks have waned because of better security surrounding them that makes it more difficult to exploit vulnerabilities, Sarwate says. Load balancers and Web application firewalls are more common, making server defense more effective, he says.

Still, vulnerabilities in Web applications are still being hit by cross-site-scripting attacks and SQL injection attacks, the list says. These vulnerabilities stem from programmers that are unaware of how to code securely. "Not all of them are security experts," he says, and businesses that write their own code may be particularly vulnerable if they don't make secure coding a priority. "Companies can focus on security training for application developers," he says.

Meanwhile, user awareness of the techniques being used to exploit Web applications can help. For instance, if users access a secure Web site and browse insecure sites in another browser window while the secure session is still in progress risk exploitation, he says. Logging out of the secure session before continuing browsing can mitigate the problem.

Warning systems can be built into Web applications as well. For example, a bank could have customers choose an image that will appear on the bank Web site when users come to the page and before they log in. If the image isn't there, it is not a legitimate site.

The SANS list notes vulnerabilities to VoIP applications. "Attacks are happening today, and the list refers to types that could happen next year," Sarwate says.

"Rapid adoption to garner the economic advantages of VoIP has led many to overlook, or even set aside, security concerns," the list says. As a result, these systems could be vulnerable to VoIP phishing scams, eavesdropping, toll fraud, or denial-of-service attacks.

The list points out that because VoIP networks interface with the traditional public switched telephone network signaling system, VoIP exploits could potentially disrupt the PSTN.

The full SANS list includes how to determine if a system or application is vulnerable and what to do to protect against attacks.

The list used to be called the top 20, but this year it was reorganized to include 18 categories, so the name was changed.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?