FRAMINGHAM: After years of writing viruses and worms for operating systems and software running on Internet servers, hackers found some new areas to target in 2005, according to a report on security trends.
During the past year, attackers have switched their focus to network devices and applications, specifically backup software and even the security software designed to protect computers, according to the 2005 SANS Top 20 list of the most critical Internet security vulnerabilities.
Director of research with the SANS Institute, a training organisation for computer security professionals, Alan Paller, said there had been a 90-degree turn in the way attackers were going after companies. While most organisations had adopted means to automatically patch vulnerabilities in operating systems, they had not done so with applications.
"Those applications don't have automated patching, so we are back to the Stone Age," he said.
And by exploiting flaws in networking gear, hackers were finding their way onto corporate networks. "Other, more sophisticated attackers, looking for new targets, found they could use vulnerabilities in network devices to set up listening posts where they could collect critical information that would get them into the sites they wanted," he said.
This new focus on client applications and networking products happened because so many server-side and operating system bugs had been fixed, CTO and vice-president of engineering with Qualys, Gerhard Eschelbeck, said. Qualys was a contributor to this year's list.
"A lot of the low-hanging fruit has been identified now," he said. "We really reached a tipping point earlier this year, where people started to look aggressively at client-side applications."
Security researchers also started looking at vulnerabilities in networking products, thanks in part to a controversial presentation by security researcher Michael Lynn at this year's Black Hat 2005 conference in Las Vegas.
Cisco sued Lynn after he discussed security problems in the Internetwork Operating System (IOS) software used by Cisco's routers.
This is the first year that networking products have appeared on the SANS list, with Cisco vulnerabilities taking three of the 20 slots.
The list also includes nine common application vulnerabilities, two Unix problems and six Windows issues, all of which deserve immediate attention from security professionals, according to SANS.
One way to prevent such security flaws was to demand that vendors deliver hardened products to begin with, Paller said.
The SANS Top 20 list, published annually since 2000, is compiled by representatives from a variety of computer security organisations including the US Computer Emergency Response Team, the British Government's National Infrastructure Security Co-Ordination Centre and the SANS Internet Storm Centre. The list is designed to give security professionals a quick sense of the industry's consensus on which commonly targeted security vulnerabilities require their most immediate attention.
This year's list can be viewed at www.sans.org/top20/