SANS Top 20 highlights client-side risks

In addition to affecting media players, client-side bugs – often exploited to build armies of botnets – also are impacting web browsers, office software and email clients with greater frequency, according to the annual report.

Rohit Dhamankar, senior manager of security research at TippingPoint, said during a conference call today that Microsoft released 32 client-side security bulletins this year, compared to only six server-side patches.

"The client-side vulnerabilities are now posing a big risk to the enterprise," he said. "A lot of compromised sites are hosting exploits, which are targeting these flaws."

Experts said attackers are creating more sophisticated techniques to launch their malware attacks and evade detection, including code obfuscation and fast-changing variants.

"The bad guys have perfected their business model," Ed Skoudis, a SANS Internet Storm Center handler and founder of Intelguardians Network Intelligence, a network security consultant, said on the call. "They're making money from their malicious code and that gives them incentive to innovate. The longer they can stay on your machine, the more money they can make."

Experts on the call said signatures and heuristics are not enough to deter these malware assaults. As a result, anti-virus companies must create behaviour-based solutions and consider providing in-the-cloud service to customers, they said.

Forty-three IT security experts collaborated on the SANS Top 20, which actually lists only 18 of the top risks.

Another of those growing threats is spear phishing.

Alan Paller, director of research for the SANS Institute, said on the call that government agencies and military contractors are particularly vulnerable to this problem. He said attackers who obtain a targeted victim's username and password can use the credentials to break into a web application and steal sensitive data, for purposes such as espionage.

Paller said these entities must implement more hands-on user-awareness training.

"Instead of just telling people [in a training session], they should actually run a benign version of the attack against their employees," he said. "The ones who fall for it get a little education, and that tends to work out very well."

Zero-day attacks were once again included on the list, although Dhamankar admitted the number of these types of exploits is falling. Skoudis said that is because hackers are having success without them.

"If you can build your botnet of a couple million machines without a zero-day, why don't you hold on to it until you really need it?" he said.

The report also names as risks server-side vulnerabilities, excessive user rights and unauthorised devices, unencrypted laptops and removable media, instant messaging, peer-to-peer programs and VoIP servers and phones.

Paller said the Top 20 list will help organisations "prioritise their security investment."

"These are the places where the bad guys are getting around your defenses," he said.

Copyright © SC Magazine, US edition

computer securitysans institutesecuritytop