The SANS report, called The Top Cyber Security Risks, said that application software is the most heavily targeted by malware writers today, and yet IT departments take twice as long to patch application software security threats as operating system software security threats.
Two types of applications are being heavily targeted by online criminals, SANS' report said. Desktop computer applications such as Adobe PDF Reader, Microsoft Office, and QuickTime are being exploited using targeted email campaigns. Malicious files are sent to victims which are designed to trigger security flaws in that software. The applications may also be exploited by malicious websites visited by the user, which don't even require the user to manually open a file.
Web applications are the other major attack vector today, said the report, which added that 60% of internet-based attacks are targeted at user-facing web applications. SQL injection and cross site scripting attacks are the two most popular means of attacking this software.
Conversely, operating systems are suffering far fewer security attacks compared to application software, SANS said. And yet "on average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities," it warned. "In other words the highest priority risk is getting less attention than the lower priority risk."
According to SANS, the USA is both the biggest target of web-based attacks, and also the biggest source, although the authors believe that many attacks are launched by compromised machines residing in the USA that may be controlled by parties elsewhere.