There are two major problems with the security of computers: the people who use them and the people who write software for them.
That's the takeaway from this year's Top 20 Vulnerabilities report issued earlier today by the SANS Institute, a leading security certification and training organization.
While attacks are becoming more sophisticated, it is vulnerabilities on the client and application sides that present the greatest opportunities for attack, the report states.
"Vulnerabilities on the client side have exploded over the last year," says Rohit Dhamankar, senior manager of security research at TippingPoint and project manager for the SANS study. "Desktop users are proving to be a major risk to their organizations if they are left to browse the Web without the proper controls."
One of the most critical vulnerabilities to computer security is "gullible, busy, accommodating computer users -- including executives, IT staff, and others with privileged access -- who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage, and much more," the report states.
And the problem isn't just the users themselves, but the systems and software they have on their desktops, SANS says. The number three vulnerability on this year's list is "critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets -- and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations."
Enterprises may not be able to solve these two problems entirely, but they can reduce the risk by limiting administrative privileges and restricting users' ability to download and install applications, SANS says.
As it did last year, SANS put Microsoft Windows vulnerabilities among the most serious on the list, but it is home-grown applications that present the greatest threat, according to the report.
"Programmers need to be trained to recognize security holes in the applications they are developing, and they need to make better use of tools, such as Web application security scanners, that can help identify problems before they lead to compromises," Dhamankar says.
While client-side issues and development flaws moved up the SANS list for 2007, problems such as DNS flaws and VoIP vulnerabilities dropped off. "Nothing major happened with DNS in 2007," Dhamankar says. "And the scale of attacks using VoIP was not as large as expected."
Which new threats is SANS already watching for its 2008 list? "Mobile phones," Dhamankar states. "The iPhone is mostly a consumer problem right now, but we expect it to compete with the Blackberry in the business world, and it will be a target for attackers."