Hackers hunt for low-hanging fruit

The latest update to the SANS Institute’s top 20 list of security vulnerabilities provides an interesting insight into the changing nature of cyber-threats.

Just like a burglar will look for a house with an open window or an unlocked door, rather than one with an alarm and a vicious looking Alsatian dog in the garden, so hackers are changing their focus as they hunt for the easy low-hanging fruit.

Microsoft has come in for a good deal of justified criticism in the past over its attitude to security but since Bill Gates put security at the heart of Microsoft’s agenda the software giant has made progress in securing its software with initiatives such as Windows XP SP2.

There is still a steady stream of Microsoft exploits but it is no longer a flood, and the improved delivery of security updates means that Microsoft is keeping its customers better protected.

This helps to explain why the latest update to the SANS Institute’s list of the top 20 security vulnerabilities shows a shift away from operating systems to applications. "This year, more than one-third are in applications — some of them security and back-up applications that people thought kept them safe," said SANS.

It seems that hackers and security consultants are finding more fun and profit from poking holes in security, back-up and other applications.

It is an irony that the very tools that we are relying on to keep our systems secure are now increasingly becoming targets themselves. A research report from the Yankee Group earlier this year found that new security flaws were being discovered in security products faster than in Microsoft’s products.

What’s more, unlike Microsoft, many application vendors are not able to provide automated patching, which increases the risk further.

Security vendors have had rich pickings exploiting the shortcomings in Microsoft’s software, but with the spotlight suddenly turned on them, some might just be starting to squirm a little.