According to InformationWeek Research's U.S. Information Security Survey 2005, operating systems remain the primary point of attack, cited by 43% of survey respondents. But other sources provided holes aplenty, including E-mail attachments (35%), known applications (22%), and unknown applications (10%).
"What you have now is all these different threats against the desktop, like the Web browsers, which are much harder to protect against," says Johannes Ullrich, chief technology officer of the Internet Storm Center, a volunteer cybersecurity organization focused on threat detection and analysis.
Businesses need to respond by giving apps the same kind of attention they've given the attack-prone Windows operating system. That means raising user awareness and limiting access to certain applications, although that's admittedly difficult in business environments.
David Gernert, IT security officer for Capital BlueCross, has been tracking application-level threats. "We've been keeping an eye on that because as we offer more and more services electronically to our members, providers, and so forth, the potential for problems increases," he says.
The changing nature of security threats is driving interest in technology that goes beyond the protection provided by PC firewalls and antivirus software. That includes products for intrusion prevention, network-access control, identity and access management, and vulnerability management. Gartner analyst Neil MacDonald advises putting the emphasis on best-in-class patch-management capabilities for all types of software.