SANS Cites Users, Apps As Main Threat Targets

Computer users and custom applications created with minimal attention to security emerged as the top two attack targets favored by criminals.

The SANS Top 20 list for 2007 demonstrated a shift away from the typical focus on vulnerabilities in software products. That look at critical problems requiring attention still exists, but there is more for security pros to worry about than just patch updates.

"Facing real improvements in system and network security, the attackers now have two new prime targets that allow them to evade firewalls, antivirus, and even intrusion prevention tools: users who are easily misled and custom-built applications," SANS said in a statement.

"This is a major shift from prior years when attackers limited most of their targets to flaws in commonly used software."

SANS illustrated a few scenarios where these trends have proven problematic for their victims. One scenario alludes to penetration of a sensitive federal agency via a spear phishing attack. The net result caused data to be sent from a chief information security officer's PC to a computer in China.

Other scenarios, based on real-world events with details changed to protect identities, showed how attackers managed to place keyloggers on machines. The victims ranged from a major government think tank to an individual whose father's bank account was emptied, with the ill-gotten gains forwarded to suicide bomber recruiters.

Plugging a new, unprotected machine into the Internet is a fool's errand, according to SANS, which estimates that such a machine will be attacked within about five minutes and compromised unless it has been configured securely before being connected.

Alan Paller, director of research at SANS, pointed at the rise in poorly-secured web applications as being particularly troublesome. These dynamic applications regularly connect with back-end databases that house sensitive information about the application's users.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all Web applications,"
