Malware outmaneuvers security
As online attacks become more targeted and increasingly stealthy, traditional security measures of updating patches and complying with regulatory mandates are failing many government agencies, said Alan Paller, director of research at the SANS Institute.
'The federal government has a compliance-based approach to security,' Paller said at the unveiling of the latest list of the top 20 Internet security risks. 'That model can't last, because the attackers change the attacks at such a rate that the model is broken.'
Two major trends in this year's list of threats are social engineering to dupe individual executives, information technology staff and others with privileged access so that high-value computers can be compromised; and the targeting of custom-built Web applications that can expose data on the server side and infect additional computers on the client side.
'The browser today is the main gateway for malware,' said Gerhard Eschelbeck, chief technology officer at Webroot Software.
Variants of malicious code are changing so quickly that signature-based antivirus engines cannot keep up, and attacks targeted at individuals often cannot be stopped by signature recognition, Paller said.
Half the total vulnerabilities reported in 2007 have been in Web applications, according to Rohit Dhamankar, senior manager of security research at TippingPoint Technologies. In addition to Web application vulnerabilities, there has been a sharp jump in vulnerabilities found in Microsoft Office products, including Excel, Word and Visio. Twenty-three critical vulnerabilities have been identified in the suite so far in 2007, up from six in 2006.
An emerging threat is a type of spear-phishing attack being called whaling, because it is aimed at individual high-value targets, such as senior executives or IT administrators. An e-mail message crafted to gain the confidence of the individual persuades the person to execute an attachment or go to a compromised site so that the computer is infected.
The complete list with details on each vulnerability is available at http://www.sans.org/top20. You will notice that there are only 18 vulnerabilities on the list, but SANS kept the Top 20 title for consistency.