
Re: Requesting comments on draft-cheney-safe-02.txt

2009-08-08 00:48:16


I do wish to be clear that when I say most significant I mean that
purely in a quantitative and not a qualitative manner.  Vulnerabilities
associated with client-side scripting are certainly not the most harmful
forms of security intrusion.

These are (a) web browser and (b) operating system vulnerabilities,
and are quite readily mitigated by making sensible choices about both.

I draw a solid distinction between mitigation and solution.  A
mitigation is a proactive action to ensure systems or data in your area
of responsibility are protected against security breaches from both
internal and external users.  That is an attempt to avoid the problem,
and it is not a solution to the problem.  A solution is a recommendation
that intends to eliminate the problem, which thereby reduces the scope
of mitigation in a given security assessment.  In other words, if
actions to a system were really a solution to client-side security
vulnerabilities then those security flaws must never again occur upon
that system, correct?

If, on the other hand, poor choices of web browser and/or operating
system (or mail client, for that matter) are made, then it really
doesn't matter whether traffic moves via HTTP or SMTP or anything
else: those systems WILL be compromised.

Users can only be protected from themselves through adherence to
policies, procedures, and relevant training.  That is a leadership
solution and not a technology solution.  Protecting users from themselves
does not solve exploitable weaknesses in technology.  In these cases you
have to simply fix the technology to disallow exploitation.  If this
were not so, software companies would not spend millions of dollars to
continually patch their products if administrators and management could
so easily retrain their users.

Thank you,
