Hot or not: Client-side vulnerabilities and web application attacks

A good place to look for the most recent, important malware developments is the SANS Top 20 list of internet security threats. It's also a great place to get a glimpse of where attack trends may be heading, and to find the best approach to protecting your systems.


According to SANS' annual update for 2007, the ominous trend of cybercriminals targeting client-side software continues to accelerate. Attackers started focusing on client-side applications in 2006, as we reported in this column last month and back in May


There is a silver lining in this bad news: It illustrates, to some degree, that many organizations have improved the security of their network perimeters.


During the past few years, many companies have made wise investments in security software and have taken greater care in managing their firewalls and anti-malware software; they also have put into place good risk management efforts that include vulnerability scanning and remediation programs. 


Also, web-server software and server operating systems security have been improved. These trends have contributed to the declining incidence of dramatic worm events like MS Blaster and SQL Slammer.


While corporate networks are far from hack-proof, they currently are proving to be a more hardened attack target than most endpoints.


However, it still is too easy to successfully take advantage of non-security-savvy end-users who are quick to be tricked into opening a maliciously crafted email, document, or spreadsheet. End-users also are quick to install all sorts of programs – media players, P2P file-sharing applications – or surf to malicious websites and inadvertently jeopardize the most valiant security efforts.


Careless end-users are fueling the steep increase in attacks on endpoints (for example, attacks against Microsoft Office applications jumped 300 percent from 2006 to 2007), and they are why we will continue to see the number of endpoint attacks grow for the foreseeable future.


You can expect to encounter in 2008 more and more exploit code designed to target media players, social networks, video and audio streams, and VoIP protocols, as well as more creative methods to infiltrate web browsers.


The other powerful trend highlighted by the SANS Top 20 involves web application vulnerabilities. We will see continued attacks on web applications, either on the server side (with web servers and applications) or on the client side (with flaws on the browser of java code). 


A new example of these types of attacks is the cross-site request forgery attack, abbreviated either as CSRF or XSRF. While this attack is similar to the now all-too-familiar class of cross-site scripting attacks, in this case the attacker injects attack code into the web application (on the server side) from a trusted end-users' client system.


Generally, in a request forgery attack the attacker piggybacks off an authenticated web session to then conduct unauthorized transactions. The attacker manages to do this after the end-user already has logged onto a website or account; the user is enticed to click on a malicious link, possible through an email or instant message, or by browsing to a malicious website.


So it bears repeating that users should always remember not to open emails or surf the web (no matter how convenient browser tabs are) while conducting sensitive transactions of any kind over the internet. This is especially true as more creative social engineering attacks, as well as highly targeted phishing attacks (or “spear phishing”), continue to rise.


No matter what kind of attacks the future brings, it is always important to keep in place the fundamental efforts necessary to keep systems secure. End-user security awareness training is more critical than ever. As security professionals, we are all too familiar with the risks of surfing to some of the more racy areas of the internet, or opening e-cards, MP3s, and videos seemingly sent by friends. But most users – from salespeople to accountants and business managers – are not, and need continuous reminding.


For more technical types of attacks and vulnerabilities, such as securing the flaws within web browsers, office software, email clients, and media players, the front line defense remains largely the same: You want to have the processes in place to maintain secure system and application builds before deployment—and to change control and risk management programs, which requires regular scanning and remediation of the entire IT infrastructure.  And don't forget the basics of well-policed firewalls, anti-malware software, and IDS/IPS systems configured to spot suspicious traffic attempting to enter and/or leave networks.


Because IT risks evolve rapidly, it's also a good idea to check in on the SANS Top 20 link Internet Security Risks throughout the year. This list is a living document, and it is updated periodically. Now in existence for seven years, it is one of the most thorough examinations of the most pressing internet security threats available, based on the input of 43 security experts from government, industry, and academia from six countries.


- Amol Sarwate is director of Qualys' vulnerability research lab


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.