ZDNetNews:
Businesses are finding it difficult to prioritize defence strategies against cyberattacks because most of them do not have an internet-wide view of the attacks, according to a report from Sans, the security training organization.
As a result, two security risks — web applications and phishing — carry the greatest potential for damage, yet users instead tend to concentrate on less-critical risks.
The report, published by security training organisation Sans, amalgamates global data from security attacks on computers from March 2009 to August 2009.
It identifies two main defense priorities for enterprise users. The first is targeted email attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe's PDF Reader and Flash, Apple QuickTime and Microsoft Office. These applications are described as "the primary initial infection vector used to compromise computers that have Internet access", and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners".
The second priority is vulnerable websites. More than 60 percent of attacks are against web applications and "convert trusted websites into malicious websites serving content that contains client-side exploits" by exploiting the most common vulnerabilities such as SQL injection and cross-site scripting flaws, in both open-source and custom-built applications. Such vulnerabilities make up more than 80 percent of attack opportunities. [Read more]
posted by: gqpartner
Comments