Cyber-criminals are still looking for networks to infiltrate and information to take, but according to new research, Web applications are increasingly being targeted.

That is one prominent finding contained in research produced recently by HP TippingPoint DVLabs, the SANS Institute and Qualys Research Labs on threats that occurred across the Internet from January to June 2010.

The 2010 Top Cyber Security Risks Report focused on four areas. One is that Web applications are prolonged and persistent targets in enterprises, not only because they can be corrupted, but also because people are downloading corrupted Web apps at extremely high rates while at work. And if the applications are legitimate, users aren’t necessarily updating them or taking note of vulnerabilities that can be exploited.

“The top problem is third-party applications on the desktop not getting updated,” said Wolfgang Kandek, chief technical officer and vice president of engineering at Qualys.

Another area is consumerization of enterprise computing — the ways in which employees use social networking applications or iTunes — and how they open the door to new security risks.

Companies could eliminate this problem by banning all such technologies at work, but Kandek doesn’t see that happening. Twitter, Facebook and similar tools provide popular marketing and branding opportunities that modern companies simply can’t do without.

“I don’t think it’s a viable way of doing things. We have a couple of customers that try to do this, and I believe you will be noncompetitive in a work environment if you are going down that route,” he said. “It’s going against what the general tendency is when you want to incentivize your employees to look around, to be embedded in that social space — see how the company is talked about.”

The two other areas of the research’s focus are the increased organization and sophistication of cyber-criminals and the continued danger from existing threats.

The report also disclosed how often different industry sectors and countries experienced JavaScript-based attacks in the first half of 2010. Governments were most frequently targeted, with nearly 110,000 attacks, followed by the financial sector, slightly above 88,000. The United States was the most attacked country, with about 170,000 attacks, far above second-place Canada, which saw fewer than 34,000.

Web application attacks appear to outpace all other types of attack vectors. From January to June, 4,091 Web application vulnerabilities were reported to the Open Source Vulnerability Database. There were roughly 5,000 reported in the same period in 2005, so it appears that Web application vulnerabilities could be on the decline. But Kandek said he wouldn’t be surprised if this year’s vulnerability report numbers skyrocket to more than 8,000 before the end of 2010.

“It’s now on the applications. We’ve done a good job in securing the basic operating system that has become more secure and mobile almost all of the time, and it’s doing OK. We’ve seen the number of vulnerabilities in operating systems go down and attacks also go down, but they’ve moved into the application, so the next focus has to be on the application,” Kandek said.

Hilton Collins  |  GT Staff Writer

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and at @hiltoncollins on Twitter.