The Sans Top 20, the annual publication of critical security vulnerabilities, has highlighted a major shift in attacks from web servers and mail systems towards new application-borne threats.
For five years, the majority of attacks have been aimed at operating systems such as Windows and Unix, as well as internet services like web servers and mail systems. Now application programs are under fire.
Backup and recovery tools, antivirus and other security tools that most organisations believe are keeping them safe from attacks and loss of data are now themselves a risk, because of some critical vulnerabilities. Even media players can cause problems.
The shift has occurred because automated patching has made it harder to find new vulnerable systems, so attackers have targeted applications that users are not patching.
Meanwhile, more sophisticated attackers have found they can use vulnerabilities in network devices to set up listening posts and collect critical information that would get them into the sites they want to target.
The Sans Top 20 has demonstrated that when it comes to security threats, no one can be complacent. What price 3G, mobile messaging and IP security being the focus of attacks in 2006?