
SANS Cites Users, Apps As Main Threat Targets



David Utter
Staff Writer
2007-11-28



Computer users and custom applications created with minimal attention to security emerged as the top two attack targets favored by criminals.


The SANS Top 20 list for 2007 demonstrated a shift away from the typical focus on vulnerabilities in software products. That look at critical problems requiring attention still exists, but there is more for security pros to worry about than just patch updates.

"Facing real improvements in system and network security, the attackers now have two new prime targets that allow them to evade firewalls, antivirus, and even intrusion prevention tools: users who are easily misled and custom-built applications," SANS said in a statement.

"This is a major shift from prior years when attackers limited most of their targets to flaws in commonly used software."

SANS illustrated a few scenarios where these trends have proven problematic for their victims. One scenario alludes to the penetration of a sensitive federal agency via a spear phishing attack. The attack resulted in data being sent from a chief information security officer's PC to a computer in China.

Other scenarios, based on real-world events with details changed to protect identities, showed how attackers managed to place keyloggers on machines. The victims ranged from a major government think tank to an individual whose father's bank account was emptied, with the ill-gotten gains forwarded to suicide bomber recruiters.

Plugging a new, unprotected machine into the Internet will be a fool's errand, according to SANS. They estimate a machine will last about five minutes before being attacked, and it will be compromised unless it has been configured securely before being connected.

Alan Paller, director of research at SANS, pointed to the rise in poorly secured web applications as being particularly troublesome. These dynamic applications regularly connect with back-end databases that house sensitive information about the application's users.

"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all Web applications," he said.



About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
