Hackers to target users and custom apps
By Miya Knights
Cyber criminals have shifted their target focus to users and custom-built applications, according to new research into the top twenty internet security risks of 2007.
The SANS Institute, an independent security training and research body, has found that attackers have been forced to look for alternative ways to evade firewalls, antivirus and intrusion detection tools.
As these security defences have developed and become stronger, the new top two security threats prey on unsecured, web-based applications and unwary or easily-duped users whose PCs are not securely configured before they are connected to the internet.
Alan Paller, director of research at SANS, said web application insecurity is particularly troublesome because so many developers are writing and deploying web applications without ever demonstrating that they can be secured.
The rest of the top twenty is made up of more familiar hacking tactics: targeting critical software vulnerabilities (research contributed by security firm Qualys has shown a huge jump in Microsoft Office product vulnerabilities) and exploiting system vulnerabilities to create botnets or install key-logging spyware. SANS said the targeting of web applications would likely continue until web developers are given security training.
"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications," said Paller.
He also said that large organisations using web applications to provide access to back-end databases handling sensitive information were likely to be most at risk and that work was needed to ensure defences would hold against such attacks.
"The new risks are much harder to defend; they take a level of commitment to continuous monitoring and uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organisations have, so far, been willing to implement."
Earlier this month, the Secure Programming Council released the first standard of due care for the security knowledge and skills that web programmers should be able to demonstrate.