
Up 25 per cent according to survey of 900 firms…
Published: 13 April 2004 09:35 BST
Browser-based security threats are on the rise and may pose the next significant risk to information technology operations, according to a technology trade association.
The Computing Technology Industry Association (CompTIA) on Monday released its second annual report on IT security and the work force. The survey asked nearly 900 organisations to rank their top 15 security concerns. According to the results, 36.8 per cent said they were plagued by one or more browser-based attacks in the last six months. That's up from 25 per cent in last year's survey.
"Browser-based attacks are a logical evolution," said Randall Palm, director of IT at CompTIA. "The better we get at stopping attacks, the more creative hackers get at writing new ones. Ten years ago, most viruses were distributed on floppy disks. Then came email and instant-messaging software. Now, they are targeting browsers."
Browser-based attacks are typically unleashed when a person visits a web page that appears harmless but actually contains hidden code intended to sabotage a computer or compromise privacy. Some attacks simply crash a browser, while others pave the way for the theft of personal information or the loss of confidential proprietary data.
One of the most common ways of disseminating these attacks is through emails that include a link to a malicious web server. Because the attacks usually aren't launched until the user clicks on the link, many firewalls don't catch them. Traditional firewalls examine traffic coming into the network, but guarding against browser attacks requires that traffic leaving the network also be inspected.
Some companies are using products from start-ups such as SurfControl and Websense that are designed to monitor and control corporate web usage in order to help protect against browser-based attacks. Firewall vendors, like Check Point Software Technologies and NetScreen Technologies, have also added some protection. But Palm said these companies still have a long way to go before they eliminate the problem.
"Stateful inspection of inbound vulnerabilities is not Check Point's or NetScreen's main focus," he said. "All the firewall vendors are playing catch-up when it comes to protecting against this threat."
Browser vendors also are taking action to minimise the risk to their products. In January, Microsoft said it would release software updates to Internet Explorer and Windows Explorer designed to protect web surfers from being lured to websites that could contain malicious code. In December, a Danish security firm alerted the security community to an IE bug that would let hackers display false web addresses.
While concern over browser-based security threats is growing, companies still view computer viruses and worm attacks as the most threatening security risk. But these threats are significantly less common than they were a year ago, according to the survey. Last year, 80 per cent of organisations identified worm and virus attacks as their most common IT security threat. This year, that number is 68.6 per cent.
Last year, network intrusion issues were the second-most common security threat, garnering 65.1 per cent of the vote. This year, network intrusion issues dropped significantly, falling to 39.9 per cent. This drop could be attributed to the high percentage of companies using antivirus applications to fight viruses and worm attacks. According to CompTIA, 95.5 per cent of organisations use some form of antivirus technology.
Firewalls and proxy servers are the second-most commonly used antivirus technology, employed by 90.8 per cent of respondents. Companies are also doing more security audits and penetration testing, which were used by 61 per cent of respondents, up from 53 per cent.
Marguerite Reardon writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.