It said vulnerabilities in web applications represented the greatest risk, but this was closely followed by “gullible, busy, accommodating computer users,” particularly those with privileged access, which SANS called “the most challenging risk”.
SANS said examples of the latter – based on “composites of actual events” – included the chief infosecurity officer of a medium-sized US government agency finding his computer had been compromised by a new kind of spear-phishing attack, focused on one or very few individuals. This had turned his computer into a tunnel for hackers in China to access the agency’s systems.
Another example involved hackers using a political think-tank’s website as a way to infect computers used by senior civil servants and businesspeople with keyloggers.
Alan Paller, director of research for the SANS Institute, said that the risks from web applications came from inexperienced developers writing software which links large databases to the internet. “Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications,” he said in the press release announcing the top 20.
On how to tackle the problems, SANS recommended that organisations use web application firewalls, security scanners, source-code testing and penetration testing, as well as use of secure development methodologies and security-competent programmers. On gullible users, it said that training could help, but also recommended organisations launch benign spear phishing attacks against users as a form of inoculation – and to see who falls for them.