Client side attacks on the rise, SANS says

Client-side vulnerabilities are among the biggest threats facing users, the SANS Institute said yesterday as it announced its 2007 list of the most critical Internet security vulnerabilities.

“Traditionally, attackers went for hacking servers, but there has been a shift to the client side because server-side applications have been targets for attackers since 2001, and these applications have matured,” says Amol Sarwate manager of the vulnerability lab at Qualys who also helped compile the SANS Top 2007 list.

Attackers are going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain the most current application patch levels, keep antivirus software updated and seek and remove unauthorized applications, Sarwate says. Keeping authorized software to a minimum also decreases exposure, he says.

Users should be educated about safe use of the Web regularly, he says. Use of simulated phishing attacks against users can help pinpoint which users are most susceptible to these exploits and need further training, he says.

Server-side attacks have waned because of better security surrounding them that makes it more difficult to exploit vulnerabilities, Sarwate says. Load balancers and Web application firewalls are more common, making server defense more effective, he says.

Still, vulnerabilities in Web applications are still being hit by cross-site-scripting attacks and SQL injection attacks, the list says. These vulnerabilities stem from programmers that are unaware of how to code securely. “Not all of them are security experts,” he says, and businesses that write their own code may be particularly vulnerable if they don’t make secure coding a priority. “Companies can focus on security training for application developers,” he says.

Meanwhile, user awareness of the techniques being used to exploit Web applications can help. For instance, if users access a secure Web site and browse insecure sites in another browser window while the secure session is still in progress risk exploitation, he says. Logging out of the secure session before continuing browsing can mitigate the problem.

Warning systems can be built into Web applications as well. For example, a bank could have customers choose an image that will appear on the bank Web site when users come to the page and before they log in. If the image isn’t there, it is not a legitimate site.

The SANS list notes vulnerabilities to VoIP applications. “Attacks are happening today, and the list refers to types that could happen next year,” Sarwate says.

“Rapid adoption to garner the economic advantages of VoIP has led many to overlook, or even set aside, security concerns,” the list says. As a result, these systems could be vulnerable to VoIP phishing scams, eavesdropping, toll fraud, or denial-of-service attacks.

The list points out that because VoIP networks interface with the traditional public switched telephone network signaling system, VoIP exploits could potentially disrupt the PSTN.

The full SANS list includes how to determine if a system or application is vulnerable and what to do to protect against attacks.

The list used to be called the top 20, but this year it was reorganized to include 18 categories, so the name was changed.