The cybersecurity landscape shifted seismically in 2005, leaving government and industry more vulnerable to data theft and security breaches than they have been in years. That is the sobering assessment in the SANS Institute's 2005 update of its annual 20 Most Critical Internet Security Vulnerabilities report.
The institute, a training and education organization for security professionals, was joined by the U.S. Computer Emergency Readiness Team (US-CERT) and the United Kingdom's National Infrastructure Security Co-ordination Centre in announcing the new findings Nov. 22.
In 2005 cybercriminals focused on attacking client applications and network operating systems other than Microsoft Windows, targets that don't receive automatic security patches, said Alan Paller, the institute's director of research.
"That means we're back to the Stone Age" of five years ago, before automated patching, when everyone had to find vulnerabilities and patch them manually, he said. "Those days are back in spades."
Driven by the realization that they can make a fortune in extortion and identity theft, cybercriminals have been launching massive attacks on those two largely undefended fronts in cyberspace, Paller said.
Flaws in client applications and network operating systems put critical national and corporate resources at risk, said Rohit Dhamankar, leader of the SANS Institute team and a security architect at 3Com's TippingPoint. People are most concerned about potential attacks on backup software, Web browser software and media players, he said.
But not all experts agree that the situation is dire. "I can't say we've ever exited the Stone Age," said Dragos Ruiu, chief organizer of the PacSec, CanSecWest and EUSecWest hacker conferences, which annually draw hundreds of hackers worldwide. The vulnerabilities have always been present, but cybercriminals have never attacked them so pervasively and maliciously, he said.
Numerous dangers
Ten of the top vulnerabilities are in cross-platform applications installed on millions of systems. They include backup, antivirus and database software, in addition to media players. Three affected network operating systems control routers, switches and other devices that form the Internet's backbone.
In the past year, the new types of attacks represented 65 percent of the worst threats, up from none in 2004, according to the institute. The new report cites several industry giants, including Cisco Systems and Microsoft, as being vulnerable to the new attacks.