The solution to these vulnerabilities is similar in principle to the advice we give our clients about Java in all its shapes and forms: namely the need to constantly patch – and stay on top of patches – in almost any computing environment.
Whilst Adobe has developed its own strategies to deal with these issues – including that of integrating its own updates alongside Microsoft's Patch Tuesday code releases – there may be an argument not to install an Adobe application unless you actually need the facility.
This is especially true where Web browser clients are involved - and it is worth noting that there are a number of browser extensions and apps designed to easily toggle extensible code environments on – and off again – as and when required.
It is also worth noting that, whilst an Adobe install may be required on your laptop computer, there is rarely a requirement for the same application code to be installed on a server environment.
2.0 SQL injection threats
The second threat identified in our 2013 top five list is the problem of SQL injection attacks. Readers with long memories may recall that SQL first became an industry standard way back in 1986, since when it has been central to RDBMS/database software – and also poses a juicy target for all manner of cybercriminals.
This was illustrated in May of 2012 when a Symantec engineer spotted a mass SQL injection series of attacks in progress.
The Lizamoon mass SQL attack vector was, of course, well used by cybercriminals and the principle behind the attack vector is that hackers exploit vulnerable Web sites using an SQL-injection attack, which will then direct users to other sites containing malicious code.
Mitigating the Lizamoon attack – as with all SQL-based IT aggressions – is not as easy as some vendors claim, as there are only a handful of products out there that were designed to secure databases.
Of those that there are, however, users report them to be effective security products. Each database install is different and to secure them, it is clear that the layout and structure must be understood.
All database admins should undergo thorough security training on a regular basis so that they can understand the threats and learn what techniques can be used for mitigation.
Compromised and malicious Web sites
The third issue in our top five list of threats includes the recurrent problem of compromised and malicious Web sites. Whilst graphical Web sites have been ‘around' since the mid-1990s, it has taken the evolution of HTML5 and other Web technology advances to shift the threats/solutions balance up by more than a gear or two – and sadly in favour of the cybercriminals and hackers.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.