9. Filling Out Web Scripts, Forms, or Registration Pages
If your users could actually see a hacker looking over their shoulder as they logged onto a Website or typed sensitive data into a registration page, maybe then they would think twice. But since keyloggers and XSS don't have a human face, you'd better hope your users are hanging out on SSL-secured sites -- and know just what constitutes sensitive corporate data.
"Most Websites handling sensitive info use SSL to protect the data in transit -- check for that," says Cigital's McGraw.
Users are more likely to get hacked if they use the same username and password for nearly every site they visit: once one of those sites is compromised, the same credentials open all the others -- a habit that puts their personal data in jeopardy, as well as the company's.
And even a trusted site can have an XSS exploit embedded in it. All it takes is for a user to read a message on a bulletin board post that contains malware, and an attacker could gain control of the user's browser session.
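To make the bulletin-board scenario above concrete, here is an added example (not from the original article or any product it mentions) showing how a post containing script reaches a reader's browser when it is rendered unescaped, and the two server-side controls that blunt it: HTML-encoding post bodies, and flagging the session cookie so it travels only over SSL and is not readable by injected script. The post text, function names, and cookie name are constructed for this illustration.

```python
# Added example: stored XSS via a bulletin-board post, vulnerable vs hardened.
import html
import re

# Constructed sample: an attacker-submitted post body. If the site renders it
# verbatim, every reader's browser executes it inside their own session.
MALICIOUS_POST = '<script>alert(document.cookie)</script>'


def render_post_unsafe(body: str) -> str:
    """Vulnerable: user-controlled text is concatenated straight into HTML."""
    return "<div class='post'>" + body + "</div>"


def render_post_safe(body: str) -> str:
    """Hardened: HTML-encode the body so the browser treats it as text."""
    return "<div class='post'>" + html.escape(body, quote=True) + "</div>"


def contains_script_element(rendered: str) -> bool:
    """Crude check used to compare the two renderings: is there still a live
    <script> element in the output the browser would parse?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session ID (cookie name 'sid' is assumed).
    Secure keeps it off plaintext HTTP; HttpOnly keeps injected script from
    reading document.cookie, which is what session hijacking relies on."""
    return f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_post_unsafe(MALICIOUS_POST))   # script survives, would run
    print(render_post_safe(MALICIOUS_POST))     # &lt;script&gt;... shown as text
    print(session_cookie_header("constructed-session-id"))
```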
Remote sessions should be encrypted using SSL. But SSL isn't foolproof -- it has had its own litany of problems and weaknesses, such as susceptibility to man-in-the-middle attacks, and it offers no protection against keystroke loggers on the user's machine. "SSL has had some issues, but it's the best thing out there," says SecureWorks' Peck.
But the bottom line is that consumers are more likely to enter sensitive data into Web scripts or registration pages than enterprise users, says the Enderle Group's Enderle. "Employees seldom have the opportunity to do this," he says. "Of course, we probably don't know about it when they do, suggesting this problem could be vastly worse than it looks."